SEPTEMBER 2016 VOL. 18 | NO. 8 SECURITY RATINGS: WHO IS MAKING THE GRADE ARE SECURITY PEOPLE BORN WITH UNIQUE TALENTS? WE ASK KEVIN JOHNSON PAUL VIXIE ENTERS A NEW DOMAIN KEEPING SCORE WITH CYBER-RISK PROFILES GLOBAL REPORT: SKILLS SHORTAGE THREATENS SECURITY INFORMATION S ECURITY SERVICES TAKE OFF, GRC DOESN’T Governance, risk management and compliance goals are tested by the proliferating use of cloud services— and it’s worse than IT thinks.
Transcript
SEPTEMBER 2016VOL. 18 | NO. 8
SECURITY RATINGS: WHO IS MAKING THE GRADE
ARE SECURITY PEOPLE BORN WITH UNIQUE TALENTS? WE ASK KEVIN JOHNSON
PAUL VIXIE ENTERS A NEW DOMAIN
KEEPING SCORE WITH CYBER-RISK PROFILES
GLOBAL REPORT: SKILLS SHORTAGE THREATENS SECURITY
I N F O R M A T I O N
SECURITY
SERVICES TAKE OFF, GRC DOESN’T
Governance, risk management and compliance goals are tested by the
proliferating use of cloud services— and it’s worse than IT thinks.
2 INFORMATION SECURITY n SEPTEMBER 2016
HOME
EDITOR’S DESK
GOVERNANCE IN THE CLOUD
PAUL VIXIE ON DNS
CYBERSECURITY SKILLS SHORTAGE
MAKING THE GRADE
RANUM Q&A: KEVIN JOHNSON security ratings platform.
Are these metrics likely to catch on and improve deci-sion making when it comes to selecting vendors and busi-ness partners? Technology journalist Steve Zurier looks at new approaches to management and quantification of se-curity risk that rely on cybersecurity risk profiles for mea-surable security outcomes.
“I get weekly emails on the scores that drop off by 10% or more, and I get notified why that happened,” Chris Porter, CISO at Fannie Mae, told Zurier. Porter says he then works with the profiled company to help it get a higher security rating.
While security ratings services may provide another tool in the arsenal as a way to continuously monitor the security postures of third-party vendors, enterprises con-tinue to struggle with governance and risk management
Keeping Score With Cyber-Risk ProfilesMetrics are the CISO’s reporting mechanism. Security ratings services may add another way to continuously monitor changes in vendors’ and business partners’ security postures. BY KATHLEEN RICHARDS
EDITOR’S DESK
CISOs INCREASINGLY NEED to adapt secu-rity metrics to new business initiatives and technology, from cloud to DevOps to the internet of things. They’re also responsible for monitoring the cyber-
security risk profiles of third-party vendors and service providers. Tools are emerging to help with some of these tasks.
FICO acquired QuadMetrics in June and aims to fur-ther develop an Enterprise Security Score to help orga-nizations with board-level risk assessments, third-party vendor management and cyberinsurance underwriting. Startup SecurityScorecard offers security ratings on third-party vendors and enables companies to follow changes in cybersecurity risk profiles. BitSight Technologies is the traditional player in the category with a widely used
3 INFORMATION SECURITY n SEPTEMBER 2016
HOME
EDITOR’S DESK
GOVERNANCE IN THE CLOUD
PAUL VIXIE ON DNS
CYBERSECURITY SKILLS SHORTAGE
MAKING THE GRADE
RANUM Q&A: KEVIN JOHNSON
Security’s May 2016 report “Hacking the Skills Shortage.”“Now, when an attack occurs, the people who
understand the attack have to be able to communicate,” Candace Worley, Intel Security senior vice president and general manager, told the audience at the Center for Stra-tegic and International Studies when the report was pre-sented earlier this year. “Building that communication skill set is more important today than it was in the early 2000’s because those highly technical individuals have to go in front of the board given the high-profile nature of the attacks.” n
KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.
EDITOR’S DESK
in hybrid cloud environments and with recruiting staff with cybersecurity skills. We look at both issues this month. Jaikumar Vijayan reports on cloud GRC (gover-nance, risk management and compliance) as business units and workgroups continue to flock to services.
As the talk of automation of outsourced functions continues, security professionals in the public and private sectors are trying to come up with ways to address the cybersecurity skills shortage. If geeks are now cool—go, Pokéman Go!—why can’t companies find enough people with cybersecurity skills? Developing this talent may in-volve some combination of “born this way”—see Marcus Ranum’s interview with ethical hacker Kevin Johnson—education and even gaming and hacking contests. We look at the numbers on hard and soft skills from Intel
GROWTH IN CLOUD USE RAISING NEW GRC CHALLENGES Governance, risk management and compliance goals are tested by the proliferating use of cloud services—and it’s worse than IT thinks.
LIKE MANY ORGANIZATIONS, Sabre Corp. has seen expanding internal use of cloud services. Starting with its SAP-based employee system a few years ago, Sabre, which provides technology services to the travel industry, has gradually migrated key applications to the cloud, including project management and enterprise software.
The biggest challenges CISOs face in these envi-ronments have to do with a loss of visibility, a lack of standards for evaluating cloud GRC (governance, risk management and compliance) and a failure by employees to perform due diligence when migrating critical enter-prise applications and data to the cloud.
Sabre’s philosophy through the transition has been to allow the departments that need cloud functionality to make their own choices, according to Bob Prevenslik, di-rector of software development for the company’s secu-rity systems. All departments signing up for cloud services still have to use Sabre’s centralized employee ID manage-ment system for provisioning, however, thereby ensuring strong authentication and access control.
“When we started going to the cloud primarily, in By Jaikumar Vijayan
Alliance. As a result, many orga-nizations are struggling to gain an understanding of the extent of cloud services in their environ-ments and the cloud data gov-ernance structure to implement around that use. With little in the way of enterprise frameworks for integrating cloud assets, the
CSA provides a suite of free resources—including a Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire—in its cloud GRC Stack, which can help enterprises navigate controls and regulations.
“The IT function within these organizations, whether they want to or not, is being pushed to accelerate cloud adoption,” Reavis says. “You have to go cloud first and rule out whether cloud is suitable before you can go further.”
Ensuring that cloud GRC goals are met in such an en-vironment “is sort of like building the runway while the plane is taking off,” he says.
TREAD LIGHTLYA lot of the cloud adoption in organizations has happened in an organic fashion with little to no IT involvement and even less policy oversight. So in many cases, the security, policy and governance measures you implement will be somewhat retroactive in nature, notes Chris Pogue, CISO at Nuix, a company that develops software for extracting
the first iteration you had to be on network to go to [ser-vices],” Prevenslik says. Over the years, the company has added VPN access and, more recently, token-based mul-tifactor authentication to ensure proper authentication to cloud assets for travelling and remote workers. “All our
employee identity stores are centralized in one point. So even if a department were to select a cloud provider on its own, to use the service they are required to use the mas-ter employee identity store,” he adds.
This kind of a centralized approach has helped Sabre mitigate a lot of the risk associated with the growth of un-sanctioned cloud use in the enterprise. But Sabre is the exception.
Most cloud procurement that has taken place over the past few years has been highly decentralized in nature and involved little to no IT or policy oversight, maintains Jim Reavis, co-founder and CEO of the Cloud Security
Ensuring that cloud GRC goals are met in today’s environments “is sort of like building the runway while the plane is taking off.”
— Jim Reavis, co-founder and CEO, Cloud Security Alliance
down with a hammer on day one because that doesn’t give you an escalation,” Jones says.
ENABLE MORE VISIBILITYOne of the first steps that organizations can take to-ward achieving cloud GRC goals is getting a handle on the scope and the nature of services that are being used across their environments. Enterprises on average use 841 cloud applications, about 20 times more services than es-timated by the average IT organization, according to the “First Half 2016 Shadow Data Threat Report,” research Blue Coat Elastica Cloud Threat Labs published in July.
“Closing the gap between perception and reality is re-ally important,” Reavis says. It is simply not possible to perform due diligence or to prioritize cloud data gover-nance activity without first discovering all of the sanc-tioned and unsanctioned cloud applications and services running in your environment, he adds.
Numerous tools are available to do this sort of discov-ery, including egress-filtering technology, secure web gate-ways and cloud access security brokers. Vendors offering tools include Bitglass, Blue Coat Systems, CipherCloud, Imperva Skyfence and Microsoft Cloud App Discovery.
It isn’t enough to merely discover all the cloud appli- cations and services that are used across your organiza-tion. It’s equally important to sift through the portfolio and identify the services security needs to care about the most.
business value from unstructured data.
The key is to tread lightly. “You just have to show people that you honor the past,” main-tains Pogue. “Say that you under-stand how the organization got here organically and tell them, ‘Here’s how you can start to move
to a place where we can enable you to do your job better and offer you the best protection.’”
This is a situation where the ability to quantify risk can be a huge help in getting decision makers to adopt needed controls. “If the value liability analysis shows [a cloud vendor] really matters to the business but the con-trol assessment shows there isn’t enough due diligence, being able to quantify that exposure in dollars and cents can be very effective,” says Jack Jones, founder and chair-man of the FAIR Institute. The non-profit organization is focused on helping enterprises measure and manage in-formation risk using the Factor Analysis Information Risk framework, which Jones—the executive vice president of research and development at cyber risk management soft-ware company RiskLens—created.
Generally, most people are amicable when it comes to security, privacy and compliance obligations and are willing to implement change if they can continue using something they really require. “You don’t want to come
are putting in the cloud—sensitive information, which requires greater protection, or critical assets, which necessitate availability.
“Different parts of the business will have different opinions on what is business-critical data,” Pindar says. For instance, to a sales organization, customer data is of critical importance; for the accounting department, it is the financial data. For an HR department, though, it could be employee information. “Someone from IT can’t make that decision for the business,” he adds.
Once senior management and line of business man-agers reach those data classification decisions, the CISO, in conjunction with the IT organization, needs to under-stand the data that is required for different business functions. Then they implement the appropriate data protection and access controls.
ASSESS YOUR CLOUD VENDOR’S RISK MANAGEMENTInformation asymmetry is another issue when dealing with cloud vendors, according to the FAIR Institute’s Jones. Despite your best vetting efforts, there always will be a certain degree of uncertainty associated with a cloud provider’s actual security controls and their abil-ity to detect, respond to, manage and mitigate security incidents.
It’s essential to know the right questions to ask. In-stead of inundating the cloud vendor with hundreds of
One approach is to evaluate the value and potential liabilities of the cloud service provider to your organiza-tion. How reliant is the enterprise on that one vendor? “If the provider goes down, is that a doomsday scenario or just mildly painful?” Jones asks.
What kind of access does the third party have to your networks? “Maybe they are a vertical provider and maybe they are holding a bunch of sensitive information, but are they directly connected to your core?” asks Jones, who spent 10 years in the trenches as CISO at Hunting-ton Bank, CBC Companies and Nationwide Insurance. It’s only by doing this sort of value and risk analysis, he adds, that an organization can begin to prioritize its cloud GRC objectives.
EVALUATE THE DATA RISKSUnderstand the risks to your business from all the data that is being stored, accessed and shared in the cloud, stresses Joe Pindar, director of product strategy and chief technology officer of data protection at security vendor Gemalto. In July, the Ponemon Institute published The 2016 Global Cloud Data Security Study, an independent survey—commissioned by Gemalto—of 3,400 technology and security professionals. More than half of the respon-dents did not have measures for complying with privacy and security requirements in the cloud.
To figure out what security controls to implement, CISOs first need to know what types of data employees
“What is a security incident in their mind? How are they addressing data breaches and disclosure of breaches?”
Organizations need to get this information upfront—and in writing—to avoid gray areas. “Are they saying if something happens, they will tell you right away?” says Pogue. “What is their tipping point? Do they have appro-priate control mechanisms to defend, detect, respond and recover?” Make sure that the vendor’s risk management
yes-or-no questions like many organizations do, it is far better to focus on inquiries that can give you a thorough understanding of how a cloud provider is positioned from a risk-management perspective.
For instance, how much risk is a vendor willing to legally accept? “You really have to understand what your cloud vendor’s commitment to risk management is and how that is articulated in their contract,” says Pogue.
Be Realistic About What You Can NegotiateTHE CONTRACTS YOU negotiate with your vendor can be a useful vehicle for ensuring compliance with your cloud GRC (governance, risk management and compliance) goals. But be realistic about just how much customiza-tion you can get in your service-level agreements.
When he was the CISO of one services organization, FAIR Institute chairman Jack Jones negotiated a deal under which the institution had an individual placed at the cloud vendor’s location to ensure the vendor was following proper security processes. “That was an ex-ceptional case and a dream,” he recalls. But there are many other reasonable steps you can take to ensure proper cloud data governance.
If you can’t get the service availability and redun-
dancy assurances that you require from one cloud service provider, consider switching or using multiple vendors, says Jim Reavis, co-founder and CEO of the Cloud Security Alliance. “We find that a lot of custom-
ization in contracts either ends up be-ing really expensive or the cloud cannot provide it.”
IT organizations must shed rigid, ap-pliance-oriented architectural concepts
when it comes to dealing with cloud vendors, maintains Reavis. “They need to start thinking about the world in a more virtual sense—and think about supporting a more flexible governance model—and about cloud pro-viders being interchangeable.” —J.V.
9 INFORMATION SECURITY n SEPTEMBER 2016
HOME
EDITOR’S DESK
GOVERNANCE IN THE CLOUD
PAUL VIXIE ON DNS
CYBERSECURITY SKILLS SHORTAGE
MAKING THE GRADE
RANUM Q&A: KEVIN JOHNSON
COVER STORY: DATA GOVERNANCE
From a strategic perspective, the issue boils down to who can access your data, how you control that ac-cess and how you protect that data while it is being used, stored, transmitted and shared.
“It is important that the cloud provider shows they have an adequate governance program themselves and they have been through recognizable standards like PCI and ISO,” Reavis says. Audits may be necessary in the case of smaller providers that may not have such certifications.
While the cloud GRC obligations for enterprises that must comply with Payment Card Industry rules are likely different from cloud data governance structures associ-ated with the Health Insurance Portability and Account-ability Act, the Federal Information Security Management Act or the Financial Industry Regulatory Authority, ac-cording to Pogue: “At the end of the day, the cloud just means you are using someone else’s infrastructure.”
The key thing to remember is that, when something bad is happening, you should not be left asking questions of your cloud vendor. You should be getting answers from them. n
JAIKUMAR VIJAYAN is a freelance writer with over 20 years of experience covering the information technology industry. He is a frequent contributor to Christian Science Monitor Passcode, eWEEK, Dark Reading and several other publications.
and how that is articulated in the contract doesn’t negate compliance or other agreements.
CHOOSE THE RIGHT TECHNOLOGY CONTROLSCloud computing is a new way of buying IT infra- structure. In most cases, the computers running your applications and data are not your own. Traditional perimeter-focused enterprise security models just don’t work in these environments. The focus therefore has to be on data-level protections.
At a technology level, that means ensuring that your essential business data in the cloud is encrypted at all times regardless of whether it is at rest, in use or in tran-sit, according to CSA’s Reavis. It’s important to verify what level of encryption the cloud service provider sup-ports and the processes they have for managing your data through its lifecycle, from creation to deletion and de-struction of the data. That includes ensuring proper data segregation in the cloud, restricting access to the data based on role, and tracking and monitoring all access.
Mature identity management and user authentication capabilities are critical to ensuring that only authorized people have access to business data in the cloud. “Some-times the cloud is too easily implemented, so you need to make sure not to drop the ball,” says Sabre’s Prevenslik. “That is why we keep our centralized identity management.”
PAUL VIXIE ENTERS A NEW DOMAINWith targeted attacks and ransomware on the rise, should DNS analysis become part of your defense strategy?
By Kathleen Richards
DNS WATCH
IN A PRESENTATION at DEF CON 24, Paul Vixie, one of the founders of the Internet Software Consortium, talked about the ways in which domain names are being abused and the data science of looking for patterns. When we met up with him in July, just before the hacking event, he told us about some of his ongoing domain name system (DNS) research.
“First, the domain name was sort of sampled. There were queries to see if it existed, and we see these queries because they are all over the network; and some period of time later, some of those domain names get registered,” he explained.
This may be just “domainers”—advertisers who, be-cause the names are next to others, are trying to grab typo errors and go “halves,” noted Vixie. It sometimes leads to spam or is irritating, but it is usually not malicious enough for companies to pay to avoid it.
But to the extent that these patterns are malicious, company names can be predicted, he says. “You can pre-dict the creation of a negative name by only looking at the negative results, and this tells you what [would happen] if
it didn’t exist, so this is doing science using our data as a primary source.”
After an early stint at Digital Equipment Corp., Vixie primarily focused on the dynamics of the inter-net through his work at several companies, nonprofits and groundbreaking projects, such as the widely used Berkeley Internet Name Domain (BIND). Currently the founder and CEO of Farsight Security, his team is devel-oping reputation-focused DNS services using data wa-terfall techniques. We asked Vixie about the technology behind the DNS services and his take on internet chal-lenges that enterprises face as top executives home in on digital transformations and security.
KATHLEEN RICHARDS: Can you provide a little background on the company and why it is developing these DNS services now?PAUL VIXIE: Farsight has been independent of its corpo-rate origin for three years now. And in that time, we have continued to develop the technology that we started with before the management buyout, and the flagship of that has always been a database which is called DNSDB. And while that has a lot of acceptance in the market—we even have some competitors now—the foundation has always been the real-time framework that underlies the database. So we have continued to enhance the real-time aspect—the various feeds and filtering and the real-time event grabbing that we can do that is all happening through the
substrate of the company’s exchange that makes the database possible and makes various real-time feeds possible. So, in one way, we are moving from primarily a data-at-rest portfolio to a combined data-at-rest and data-in-motion portfolio.
Technically, how are you accomplishing that?The real-time substrate that I spoke of is called the Secu-rity Information Exchange, and it was originally built to be a real-time multichannel fabric for sharing either one-to-many or many-to-many events. We are not file based and not database based, and we have no data legs in that sense. What we have is a data waterfall. When we wish to add a new type of feed, then it is a matter of figuring out what we are already doing and where we can most advan-tageously tap into the real-time data as it streams through our infrastructure, and then [we] simply divert it and add a couple of more waterfall stages in order to create what-ever new product it is that we are shooting for.
So far, we’ve proven this to work with the newly ob-served domain feed that we launched a couple of years ago, and now we are adding new ways to take advantage of our global filter without necessarily having to connect directly to our network and, essentially, drink from the fire hose.
When you look at enterprises today, what are some of the attack trends and DNS issues that CISOs and senior
risk posture is going to be. I have always assumed that
the domain was the final frontier. Companies had security postures that involved either outsourcing or data lakes—and the idea with data lakes was to wait until the stored information shows a pat-tern that you can do something
about; then you learn rapid turnaround and take down bad guys’ assets, for example, in 10 minutes. Bad guys are going to figure out how to get their whole job done in five minutes, so we are going to have a race to the bottom in terms of [a] time window—between when the attack is constructed and executed and when you have to have de-fended against it—or else your defense will have no oper-able impact on your outcome. So we live in the here; we live in the now. Our technology is designed to let some-body operate in the sub-minute time frame once they are ready to make the investment in data waterfalls instead of data lakes.
When you say you’re able to see illicit use of brand names and DNS assets in real time, how quickly are you passing that information along to an enterprise?Well, at the moment, our alerts could be delayed by al-most 30 seconds in some cases. We have a team working on pulling that delay out because I think 30 seconds is an
security management should be aware of?Attacks against the enterprise are getting more targeted. We are not just seeing the low-hanging events, like do-ing a simple port scan and attacking whatever they can break into. That is still happening, but that is not 100% of the attack flow. There is a certain amount of surveillance; if they were burglars, we would say they were casing the joint before they try and break in.
So that has led to a lot of very specific attacks involv-ing some enterprises’ staff or relationships among the staff or enterprise resources such as their domain names, their IP address blocks. That change is leading to a de-fense where companies are no longer feeling that they are able to outsource their own defense, pay some services company to come in and install a bunch of firewalls and monitor them for us, please. That is still happening, but that is not the growth trend.
The trend now is that these companies are building their own security operations center, [regardless of their size]. They are buying not just holes but also shovels. In other words, they are doing in-house integration. They are even commissioning custom tools; sometimes, they are hiring toolmakers rather than security operators.
And this all flows from the fact that the attacks are no longer a general condition; they are specific against that enterprise. And risk management, when you are targeted, requires a lot more thought at the executive-team level. Management has to get into deciding what the company’s
One of things that we often hear about SIEM and some other complex installations is that people are not using that technology to the fullest, and one of the issues is lack of tuning and resources to run these systems. Is that something that you have come across?It is not just SIEMs. I think a lot of companies that are worried about risk management in the internet field are making investments where they don’t necessarily under-stand that a capital investment has got to be backed up by some staff or some management from the exec team. So we do see some orphaned security operations centers that have been well-equipped with modern tools but are then without the necessary training or staffing to actually tune things and make that investment attractive. That is not what we usually see, but we see it often enough to be worried about it.
Do you attribute some of that to boards becoming aware of information security and requiring more justification in terms of the funding? They want to see results quickly, and if they don’t, there are some resource issues related to that.Boards are primarily fiduciary in nature, and [I think] that they are by and large going to worry about whatever the industry segment worries about.I It is very difficult to be an independent board member coming in and saying, ‘Hey, there is this whole other thing that is happening out
ocean of time from the bad guys’ point of view. But that is just an artifact of some of the choices that we made early on with the company. We are working on that.
Is the primary role to alert the companies to the anomalies, or do you offer any type of incident response or advisory services based on what you are seeing?We are currently not in the incident response or take-down segments. We certainly do offer advice, but that would more often come in the form of training than it would in incident response.
For these types of DNS services, what are the resources that are required in terms of staff and technology?Well, that is very flexible. Someone will get maximum value from these new DNS services if they have already invested in some SIEM [security information and event management] or some kind of orchestration product. So if they have Splunk or they have ArcSight or they have something that has a plug-in interface that we can talk to, then they will already have the framework that they need to say ‘Oh, it’s another data source, and this is how we de-termine availability, and this is what we do when we get an alert from that service.’ If you don’t have that workflow and you have not made an investment, then we will still have a way to deliver alerts to you using what I would call lower-echelon methods, like email, sys log or something like that.
IT function that helps us do our money-based job for our customers.’ And that’s changing: These companies are be-ginning to see themselves as IT companies who happen to have some vaults, and they are beginning to make sure the c-level team—not just the CTO or the CIO, but the whole c-level team—has a certain level of IT background so that they can swim in the new waters. n
KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.
there that you need to be focusing some resources on,’ even though no one else in this industry is doing so. That is just the limitation of the job because this is the struc-ture of the fiduciary body.
That having been said, the investment that you are describing is happening. For example: banks. I guess 20 or 30 years ago the culture of the banks was to say, ‘Hey we are a money company; we have a whole bunch of fi-nancial instruments and cash and all these vaults all over the place, and that is what we have to protect. But we are primarily a money company, and we happen to have an
Security Suffers as Companies Struggle With Talent Gap The global shortage in the cybersecurity skills pipeline is a high-stakes game, according to one report.
HELP WANTED
Security Workforce Shortage Relative to IT Shortage
SOURCE: “HACKING THE SKILLS SHORTAGE,” INTEL SECURITY, MAY 2016; BASED OFF RESPONSES FROM 775 IT PROFESSIONALS IN EIGHT COUNTRIES; SIGN ART: CREATARKA/ISTOCK
53%Somewhat
to far greater
29%The same as other
workforce skill shortages
17%Somewhat to far less
1%Don’t know
16 INFORMATION SECURITY n SEPTEMBER 2016
HELP WANTED
HOME
EDITOR’S DESK
GOVERNANCE IN THE CLOUD
PAUL VIXIE ON DNS
CYBERSECURITY SKILLS SHORTAGE
MAKING THE GRADE
RANUM Q&A: KEVIN JOHNSON
Scarcity of Security Skills by Country
U.S. MEXICO U.K. GERMANY FRANCE ISRAEL JAPAN AUSTRALIA
Correction of threats: Repair of compromised systems 40% 44% 23% 45% 39% 68% 57% 41%
SOURCE: “HACKING THE SKILLS SHORTAGE,” INTEL SECURITY, MAY 2016; BASED OFF RESPONSES FROM 775 IT PROFESSIONALS IN EIGHT COUNTRIES
17 INFORMATION SECURITY n SEPTEMBER 2016
HOME
EDITOR’S DESK
GOVERNANCE IN THE CLOUD
PAUL VIXIE ON DNS
CYBERSECURITY SKILLS SHORTAGE
MAKING THE GRADE
RANUM Q&A: KEVIN JOHNSON
HELP WANTED
Cybersecurity Skills Development in Universities and Vocational Programs
Gaming the Skills Gap: Role of National Hacking Competitions at Your Company
23%Fully preparing professionals
44%Mostly preparing
professionals
33% 25% 22% 17%
28%Somewhat preparing
professionals
5%Not preparing professionals
39% Yes, a small role
29% Yes, a big role
20% No, but they should play a role
6% No, and they should not play a role
6% Don’t know/no opinion
35%
We can’t maintain an adequate staff of cybersecurity professionals.
We are a target for hackers because
they know our cybersecurity is not
strong enough.
We’ve lost proprietary data
through cyberattacks.
We’ve suffered reputational
damage.
We have a reduced ability to create
new IP for products and services.
Negative Effects of Cybersecurity Skills Shortage in the Workplace
SOURCE: “HACKING THE SKILLS SHORTAGE,” INTEL SECURITY, MAY 2016; BASED OFF RESPONSES FROM 775 IT PROFESSIONALS IN EIGHT COUNTRIES; HACKERS: YURI_ARCURS/ISTOCK; STUDENT ICON: APPLEUZR/ISTOCK
18 INFORMATION SECURITY n SEPTEMBER 2016
HOME
EDITOR’S DESK
GOVERNANCE IN THE CLOUD
PAUL VIXIE ON DNS
CYBERSECURITY SKILLS SHORTAGE
MAKING THE GRADE
RANUM Q&A: KEVIN JOHNSON
CYBER-RISK SCORES
By Steve Zurier
THE RATINGS GAME Can security ratings services patterned on consumer credit scores offer insight into the security postures of third parties and other business partners?
WHEN CHRISTOPHER PORTER became Fannie Mae’s CISO ear-lier this year, the company started digging into third-party security. “Think of the scope of Fannie Mae,” Porter says. “We have tens of thousands of business partners that in-clude mortgages sellers and servicers, banks, investors and our vendors for software and other related business services.”
The mortgage financing company used to send out multi-page security questionnaires, but they were often subjective and not based on quantitative analysis. The other problem was that questionnaires mostly captured a moment in time. Fannie Mae now uses security ratings services to manage its third-party program. “The security ratings tools give us a consistent and independent way of measuring third parties,” Porter says.
THIRD-PARTY WAKE-UP CALLThe 2013 Target Corp. breach thrust the issue of third-party risk management into the open. It was after the executive resignations and colossal payouts that large en-terprises started to appreciate that, even though they may
19 INFORMATION SECURITY n SEPTEMBER 2016
HOME
EDITOR’S DESK
GOVERNANCE IN THE CLOUD
PAUL VIXIE ON DNS
CYBERSECURITY SKILLS SHORTAGE
MAKING THE GRADE
RANUM Q&A: KEVIN JOHNSON
have internal security controls in place, business partners and other third parties may not meet the same levels of security. After all, it was not Target’s systems that were out of compliance—it was the lack of proper security measures at an HVAC supplier.
Before the landmark retail breach, there really was no such thing as third-party risk management tools for IT security.
Now, companies such as BitSight Technologies, SecurityScorecard and QuadMetrics, which was acquired by FICO in June, offer continuous security ratings ser-vices. The ratings services gather data from a variety of public and private sources, including the public in-ternet, then analyze the data using proprietary analy-sis and rate companies using their own standard scoring methodologies.
“The system tracks if the company has been in the news, it tracks its SSL certificate practices as well as how they organize domain name servers,” Porter explains. “I get weekly emails on the scores that drop off by 10% or more, and I get notified why that happened. For exam-ple, it tells me if there was a malware outbreak or if they added new equipment that changed the company’s secu-rity posture.”
Porter says once he gets the report, he works with the company to help get them back to the higher security rating.
“I don’t think that tools like this are a silver bullet,” he
CYBER-RISK SCORES
Security Ratings ReportBitSight’s report shows A to F grades that
indicate how well a financial services organization is managing each risk vector.
“People ‘get’ what the security ratings services do, how they are patterned after the credit ratings agencies,” says BitSight’s CTO Stephen Boyer. “Companies also find that they can use the data to make decisions on mergers and acquisitions. They can find out if it makes sense to make an acquisition or what they’ll really have to pay to raise the security posture of a potential acquisition.”
Jason Brown, CISO at Merit Network, a non-profit organization in Michigan that provides internet services to universities, other non-profits, local and state govern-ment, libraries and hospitals, says he’s not sure organiza-tions will ultimately need three different security ratings services because it takes a lot of effort to just use one.
Merit Network has used QuadMetrics for a little under two years. Brown runs Signet Scope to prioritize inter-nal security projects and Signet Profile to evaluate which third parties his company wants to do business with.
says. “They are more like a Swiss Army knife for manag-ing third parties.” The security rating services—in this case, the BitSight Security Rating Platform—give Fannie Mae the ability to make better decisions on which compa-nies to add as business partners, plus it offers the continu-ous monitoring capability that had been missing.
DIGITAL FOOTPRINT, HIGHER RISK John Wheeler, a research director at Gartner who covers risk management, says the security ratings services are filling a void for under-the-gun security managers who need an easy-to-understand way of explaining the security postures of business partners to top managers.
“Security ratings services are highlighting the growing need for digital risk management as organizations’ digi-tal footprint includes a wider array of third-party tech-nology,” says Wheeler. “Fair Isaac’s recent acquisition of security ratings service provider QuadMetrics is a testa-ment to the demand for these FICO-like scores for digital risk.”
Are the enterprise security ratings services akin to what Equifax, Experian and TransUnion do in the finan-cial sector to provide credit ratings for individual consum-ers for credit cards and home loans? Although security ratings services are still very new, it’s possible that a simi-lar system may emerge in the years ahead, with compa-nies assessing multiple cyber-risk profiles to measure the security levels of third parties.
“Security ratings services are high- lighting the growing need for digital risk management as organizations’ digital footprint includes a wider array of third-party technology.”
botnet, for example—affects its security defenses. AXIS uses the BitSight platform to enhance its existing models by providing technical visibility into an organization’s risk profile without requiring direct outreach.
“Security ratings services afford carriers the ability to quickly and easily compare their portfolio performance
against various static benchmarks,” Hannes explains. “From there, the ability to drill down on specific granular details on the company’s security risk posture is quite ex-tensive. The security ratings service lets us compare and model remediation effectiveness against an organization’s peers within its own industry profile, providing another modeling perspective or evaluating relative risk.”
According to Hannes, BitSight lets AXIS remotely view how its clients are specifically affected by malware and ransomware, and the insurance provider can examine
CYBER-RISK SCORES
The non-profit organization also offers QuadMetrics to its member companies. For instance, all of the 12 uni-versities that have representatives on Merit’s board of di-rectors use QuadMetrics, according to Brown.
“People are starting to see the value, especially as it becomes clear that 70% of cyberattacks go undetected,” he says. “Companies will wake up and start looking for what is available.”
IMPACT ON INSURANCE RATINGS How accurate are these cyber-risk profiles? What re-course do you have if your company gets an unfair (high risk) security rating? That may become a growing con-cern as insurance companies begin to adopt these tools.
“Ideally, we will now have information that can be made available to third-party insurance providers based on ongoing risk monitoring,” says Doug Clare, the vice president who heads up the FICO Analytic Cloud Initia-tive. “Today, the insurance industry lacks common met-rics or risk tools.”
Meghan Hannes, product manager at global insurer AXIS Capital, says insurance companies used to develop risk profiles by directly communicating with individual organizations and the brokerage community.
Today, the security ratings services offer automated in-sight into an organization’s risk profile, which lets AXIS research and identify how a specific threat vector—a
“The ability to quickly and easily view an organization’s grade provides better risk visibility from a peer comparison perspective, and it enhances our ability to quickly model the performance of our portfolio...”
tion’s grade provides better risk visibility from a peer comparison perspective, and it enhances our ability to quickly model the performance of our existing portfolio more efficiently on a broader scale,” says Hannes. “Simply put, it improves the speed at which we are able to exam-ine risk.”
individual infections and vulnerabilities. The platform compares an organization’s security performance through company-specific diligence vectors such as configura-tions, open ports and patching cadence against its peers using an A through F grading scale.
“The ability to quickly and easily view an organiza-
Financial Industry Security Performance Compared to All Industries
*2016 FINANCIAL INDUSTRY CYBERSECURITY REPORT,” SECURITYSCORECARD, AUGUST 2016; BASED ON ANALYSIS OF 7,111 FINANCIAL INSTITUTIONS
BELOW AVERAGE: 95% out of the top 20 U.S. commercial banks (by revenue) have a Network Security grade of C or below.
93.16 94.24 93.11 96.20 99.8590.43
77.80
99.78
84.12
99.17100%
80%
60%
40%
20%
0
Application security
Cubit score (proprietary
threat indicator) DNS health
Endpoint security
Hacker chatter
IP reputation
Network security
Password exposure
Patching cadence
Social engineering
23 INFORMATION SECURITY n SEPTEMBER 2016
HOME
EDITOR’S DESK
GOVERNANCE IN THE CLOUD
PAUL VIXIE ON DNS
CYBERSECURITY SKILLS SHORTAGE
MAKING THE GRADE
RANUM Q&A: KEVIN JOHNSON
CYBER-RISK SCORES
according to the company. After an organization enters the domain name of the
vendor that it wants to monitor, the platform develops overall security scores by analyzing data from 10 critical security factors: web application, network and endpoint security, IP reputation, social engineering, hacker chatter, domain name system (DNS) health, cubit score, patching
KEEPING SCOREInvestors are also looking at this category. Security- Scorecard—a startup co-founded in 2013 by Aleksandr Yampolskiy, the former CISO at luxury fashion retailer Gilt Groupe who has a Ph.D. in cryptography, and Sam Kassoumeh, the former head of security and compliance at Gilt—received $12.5 million in funding in March 2015,
Use Cases for Enterprise Security Ratings SECURITY RATINGS SERVICES are not widely adopted yet, but they are catching on. Gartner recommends that companies consider them for the following uses:
n Communicate more effectively with top management. CISOs can provide an independent assessment of the organization’s security posture and compare it to that of industry peers or competitors.
n Practice continuous monitoring. Organizations can use the security ratings services to deliver continuous monitoring and alerting for important business part-ners or service providers.
n Foster closer business relationships. Cloud service
buyers and organizations considering a closer re-lationship with a business partner can use security ratings services as an efficient way to evaluate their security posture.
n Show service providers in a better light. Service pro-viders can demonstrate their relative security posture to prospective customers. But keep in mind that—the way licensing deals are structured—a provider can share their score but not the scores of competitors.
n Integrate insurance company processes. Insurance companies offering cyberinsurance are increasingly using security ratings services as part of their insur-ance underwriting process. —S.Z.
24 INFORMATION SECURITY n SEPTEMBER 2016
HOME
EDITOR’S DESK
GOVERNANCE IN THE CLOUD
PAUL VIXIE ON DNS
CYBERSECURITY SKILLS SHORTAGE
MAKING THE GRADE
RANUM Q&A: KEVIN JOHNSON
CYBER-RISK SCORES
Gathering—to help you review your vendors’ compliance and answers to security questionnaires, which won’t go away with these ratings services.
Two or three years ago, a competitive market for se-curity ratings services didn’t exist. The security ratings services offer a deeper view on the security posture of vendors, according to proponents, one that can help com-panies prioritize security projects internally and get bet-ter insight into third-party risk.
While savvy security managers understand that most organizations have been under attack every day since the internet exploded in the 1990s, the Target breach was a call to action. Merit Network’s Brown has the right idea: No matter the work involved, organizations need to wake up and do something about third-party security. n
STEVE ZURIER is a freelance technology journalist based in Columbia, Md., with more than 30 years of journalism and publishing experience. Zurier previously worked as features editor at Government Computer News and InternetWeek.
cadence and password exposure. “We analyze every IP address across the internet,”
claims Sean Goldstein, vice president of global marketing at SecurityScorecard. “And through a series of honeypots and sinkholes, we have compiled a database of vulnerabil-ities around the world. From that data, we run reports on business partners and deliver a score.”
The “scorecards” can be used to interact with vendors and help them resolve potential security issues. Alerts can also be set up to advise security teams of critical issues with vendors.
Your portfolio of companies is only visible to you and others at your organization. The vendors can be filtered based on overall security grades, 30-day changes and Common Vulnerability and Exposures. If poor security ratings are noted in the 10 categories, the technology al-lows you to “dig deeper” into the issues that led to lower scores. The platform also incorporates security frame-works—the Health Insurance Portability and Account-ability Act, the International Organization for Standards, the Payment Card Industry and Standardized Information
RANUM Q&A: KEVIN JOHNSON MARCUS RANUM: The security people I know who are
good at this [job] grew up off the beaten track; they think in ways that are a little bit different. How did you get started in security? Where did you discern your interest?KEVIN JOHNSON: I actually started way back when, in the old bulletin-board-system days—connecting out to pirate boards—and I got into researching phreaking and all that stuff we would not do nowadays.
Did you read The Anarchist Cookbook?[Laughs] Of course I did! I had a friend who worked for IBM but then started a small company—what we’d now call a startup—and he called me and asked if I wanted to build stuff for him. So I was a systems administrator. Per-sonally, what I find is that most good security people start
Kevin Johnson Assesses How He Got HereThe founder and CEO of Secure Ideas tells Marcus Ranum about his inner journey, from systems administrator at a friend’s startup to ethical hacker for hire. INTERVIEW AND PHOTOGRAPH BY MARCUS RANUM
I literally had someone from human resources assigned to me. I had had so many complaints because I’d be deal-ing with a developer and I’d say, ‘I just want to know how you know to breathe regularly … because this is so stu-pid.’ And then I’d get counseled. I try very hard to work with people and to have someone else from my company around who can jump in at any time and say, ‘That’s not what Kevin really means.’
I was raised in the South, so ‘bless her heart’ is the ver-bal tic—when you catch a Southerner saying that, they’re not thinking very highly of you.
Top security people are really good at self-assessment and reflexive self-management. We’re learning our per-sonal risks and failure modes, and we think about what we do wrong; then we mitigate the personal and profes-sional risks to ourselves.
We tend to become consequentialists, too. We don’t say, ‘Don’t do this because I say so.’ It’s always ‘Do this because if you don’t, the following things could happen.’ Do you have kids? Do you talk to them like that?[Laughing] Yes! I have a 14-year-old and a 10-year-old, and we’ve just started teaching the 14-year-old to drive. It’s risk management. I say, ‘Context!’ It’s not ‘What’s the worst thing that could happen?’ It’s ‘What’s the context? If you do that, what else will be affected?’ And, yes, I talk to my clients just like that. That’s my job!
I’ve always said that security is taking your brain,
as system administrators. We like to poke at things, take things apart and learn, and automate.
For me, it’s all about having a consistency in my systems and my thinking. I want things to work the same way and it hurts me when they don’t.
What I don’t understand is whether we’re born that way, or we’re made: Some people just want to make things work, and they become systems administrators and security people.
You mentioned you have a diagnosis of obsessive-compulsive disorder?Those people aren’t born—they’re formed. But, yes, my OCD has something to do with it. When I approach a net-work or a web application or something, I feel like it’s un-balanced—there’s a sense of ‘not rightness’ that pulls my focus. I never really thought about it from that perspec-tive. But, yes, it bothers me.
When we have customers that just won’t fix things, it bothers me to the point where we’ve actually fired cus-tomers. It’s so simple and obvious: They have to fix it. And, if they don’t, I just can’t work with them.
I’ve noticed that top-notch security people tend to be very unforgiving of mistakes in themselves and in others. I always assumed that’s cross-discipline. But maybe it’s not.Yes! [Laughs] When I was at a previous employer,
‘Then you don’t want a pen test. Don’t get me wrong—I’m a greedy capitalist—but you’re not going to get any-thing out of it except feeling bad and getting a list of things to fix.’
So I directed him to a list of other options: Do a Nessus scan, check this, check that. You’re not ready for a pen test. When you’ve got your arms around all this stuff, then we can schedule a pen test.
What’s the weirdest random phone call you’ve gotten?I had a woman who believed that she was being cyber-stalked. She had this guy she worked with, and she felt that he had done something to her phone because they’d be at work and sometimes he’d reference something from in her email. It was extremely creepy. I told her to get a gun and contact HR. n
MARCUS J. RANUM, the chief of security at Tenable Network Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.
twisting it 90 degrees and using it that way. We approach the problem from a different angle. It’s not better—it’s just different. So when I talk to a developer, they are so focused on making things work. I feel like I’m trying to get them to broaden their context: Did you think about this? Did you think about that?
How has your thinking about security changed and evolved?I’ve gotten better at not telling people no. I was the ste-reotypical ‘no guy.’ Now I explain why it’s a good idea or a bad idea: If you do that, here’s what’s going to happen. My thinking has not changed much; I’ve gotten better at communicating.
One thing that surprises me is so few customers think: What if I don’t do this? Last night, I had a call with a cus-tomer who wanted to do a pen test, and they seemed to have no idea what they were doing.
‘Why do you want to do this?’ I asked. ‘Have you ever done this before?’
TechTarget 275 Grove Street, Newton, MA 02466www.techtarget.com
EDITORIAL DIRECTOR Robert Richardson
FEATURES EDITOR Kathleen Richards
EXECUTIVE MANAGING EDITOR Kara Gattine
MANAGING EDITOR Brenda L. Horrigan
SITE EDITOR Robert Wright
SITE EDITOR Peter Loshin
DIRECTOR OF ONLINE DESIGN Linda Koury
MANAGING EDITOR, E-PRODUCTS Moriah Sargent
COLUMNISTS Marcus Ranum, Dave Shackleford
CONTRIBUTING EDITORS Kevin Beaver, Crystal Bedell, Mike Chapple, Michele Chubirka, Michael Cobb, Scott Crawford, Peter Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N. Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman, Karen Scarfone, Joel Snyder, Steven Weil, Ravila Helen White, Lenny Zeltser
EDITORIAL BOARD
Phil Agcaoili, Cox CommunicationsSeth Bromberger, Energy Sector ConsortiumMike Chapple, Notre DameBrian Engle, Health and Human Services Commission, TexasMike Hamilton, MK Hamilton and AssociatesChris Ipsen, State of NevadaNick Lewis, Saint Louis UniversityRich Mogull, SecurosisTony Spinelli, EquifaxMatthew Todd, Financial EnginesMacDonnell Ulsch, PwC U.S.
About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.
