Source: docs.media.bitpipe.com/io_12x/io_126299/item_1203740/SEPT ISM_final.pdf

September 2015 | Vol. 17 | No. 7

A FORMER CISO’S TAKE ON SMART MEASUREMENTS

WHY NO ONE SHOULD BE SURPRISED BY THE OPM HACK

FORMAL VERIFICATION: THE OLDEST NEW GAME IN TOWN

APP SECURITY DUE DILIGENCE IS ON THE RISE

HEADING OFF THE CLOUDS

DEFENSE DATA: THROWING TECHNOLOGY AT THE SECURITY PROBLEM

INFORMATION SECURITY

Hybrid Cloud Security Is No Castle in the Air

The traditional moat is disappearing as companies embrace new security models, from microsegmentation to perimeter controls.


CONTENTS: EDITOR’S DESK | HYBRID CLOUD | M&A SURVIVAL | CYBERTHREAT DEFENSE DATA | RANUM CHAT WITH TERRI CURRAN | OPM’S CYBERSPRINT | RICHARDSON: VERIGAMES

EDITOR’S DESK

Heading Off the Hybrid Clouds

The growing complexity of hybrid cloud security has many CIOs working to update their controls, particularly with cloud resources, which offer less visibility.

BY KATHLEEN RICHARDS

More companies are exploring cloud options, while struggling to find the balance between risk tolerance and evolving security models. The issue is compounded because many organizations don’t know their own security baselines for services and systems, key information to have before you adopt cloud resources or work with service providers.

The growing complexity of security in these environments has many CIOs and CISOs working to update their policy and controls, particularly with cloud resources, which may offer less visibility. The best strategies usually involve cloud-native or cloud-first security tools, according to David Strom, who reports on five strategies that CIOs use to improve hybrid cloud security in this issue of Information Security magazine. Collaboration and communication with other parts of the organization and end users takes on even more importance as enterprises rely on hybrid environments that involve a mix of cloud computing and services. “If a user has a credit card, they can deploy apps anywhere and on any cloud,” Richard Seroter, CenturyLink’s vice president of product, tells Strom. “Instead of swooping down at the end of a project with all sorts of restrictions, learn how to collaborate with operations and users upfront.”

Many business users and developers are also excited about possibilities afforded by virtual containers such as Docker. Security professionals need to stay ahead of these emerging trends because they present unique (read: scary) security challenges. “Containers can live 10 seconds or 10 days,” Seroter says. “And you have to know


how to assess that attack surface because it is a very different animal.”

Complexity is an understatement when it comes to information security at companies involved in mergers and acquisitions. Increasingly, security teams are dealing with the uncertainty and risks associated with protecting IP and other assets in shifting environments. Alan Earls reports on application security strategies before, during and after the M&A process as more CISOs are brought in before deals take place, to assess information security and liability issues.

Figuring out how to better protect sensitive assets is probably easier than cleaning up the mess after a major failure. So many things went wrong before the government data breaches at the United States Office of Personnel Management (OPM) that it’s hard to know where to start. Adam Rice, whose friends’, family’s and personal data may have been compromised, looks at the lack of accountability and information security leadership at executive levels and why security professionals face an uphill climb in some government agencies.

Freelance journalist Steve Zurier spoke with Jeff Wagner, the director of IT security operations at OPM, about endpoint security, this spring. That was before the news of the massive breaches broke publicly, in June, a few days after Zurier’s original article was published. (That’s the kind of thing that keeps editors awake at night.)

Kathleen Richards is the Information Security magazine features editor. Follow her on Twitter: @RichardsKath.


COVER STORY: CLOUD SECURITY

HYBRID CLOUD SECURITY IS NO CASTLE IN THE AIR

The traditional moat is disappearing as companies embrace new security models, from microsegmentation to perimeter controls.

By David Strom

As CIOs adopt hybrid-cloud strategies, some quickly learn that these environments need new kinds of security models or, at least, contexts in which to apply existing controls and security technologies. Most organizations also find that their environments are not as simple as a pure private plus public cloud. Legacy on-premises systems, software-as-a-service (SaaS) applications, and infrastructure as a service (IaaS) all come into play.

The security tools used to protect public and private cloud resources may still include perimeter-based controls like firewalls, access controls and log management, but fluency in traditional IT security only goes so far. “The nuts and bolts of the way the work gets done is different, in the sense that Spanish is different from French,” says Dave Frymier, CISO at Unisys Corp., a global IT services provider in Blue Bell, Penn. “Security teams will have to learn a new language, but they will do the same risk-analysis work they do today on premises.”

Companies such as Unisys and ING, a global financial institution headquartered in Amsterdam, are using hybrid clouds as a way to consolidate data centers. The move


makes sense: You don’t have to provide the up-front capital to house your servers, and you can rent capacity as needed and charge it to an operating budget.

Rather than invest in more real estate, you can leverage the services and expertise of IaaS providers and rent the equipment only when it’s necessary. “IaaS has made great strides from the major cloud vendors and moved beyond the initial consumer-oriented clouds of five years ago,” says Frymier. “We now have a complete virtual infrastructure that can be used to build secure environments, with a business-class service that is a cut above the consumer versions of the past.”

Security can be built in when the consolidation happens, making the cloud just as secure as a traditional raised-floor data center. The banking industry has put together its own architecture and network standards, with input from early adopter ING, whose former CIO and global COO Steve C. Van Wick serves as chairman of the Banking Industry Architecture Network’s board. It includes implementation guides to build in the appropriate security levels upfront.

The best strategies involve using cloud-native or cloud-first security tools, instead of forcing traditional technologies that don’t necessarily translate, such as firewalls or intrusion prevention devices, to cover both on-premises and cloud-based environments.

Whether you are migrating internal assets, adopting external cloud services, or combining private and public clouds with on-premises servers, here are five general strategies that many CIOs have settled on to mitigate security concerns:

1. Ratchet up user education and communication. Sticking your head in the sand isn’t really a strategy. “You can’t just become the party of no,” says Richard Seroter, vice president of product for CenturyLink Technology Solutions in St. Louis. Parent company CenturyLink Inc., which acquired Web hoster Savvis in 2013, offers a self-service cloud or managed services at data centers globally.

“If a user has a credit card, they can deploy apps anywhere and on any cloud,” he says. “Instead of swooping down at the end of a project with all sorts of restrictions, learn how to collaborate with operations and users upfront.” According to Seroter, this approach has some other benefits as well: “Security becomes a part of every customer briefing we do,” he notes. “We don’t wait for the customer to ask us about security, but instead try to take an active approach so that our clients understand the shared responsibilities we have—we try to have as frank a conversation as possible on how they secure access to their data.”

You also have to be aware of potential regulations and legal ramifications, and educate your employees. “A key part of our cloud migration strategy was working with our legal department to define a new information security


framework, which was launched in early 2014,” says Ed Happ, global CIO of the International Red Cross and Red Crescent Societies in Geneva, Switzerland. In 2013, the organization extended its agreement with Microsoft to move as many as 80 of its 187 National Societies to cloud computing services, including Microsoft Office 365. The goal was to free up capacity and IT spending, and address the digital divide by providing smaller National Societies around the world with access to the same tools.

The Red Cross found that more than 95% of its information was either public or internal, and did not require additional levels of security beyond what commercial applications provided. For the remainder, according to Happ, the Red Cross put together information and made it available on its intranet to help users worldwide match the tools to their particular needs and information security requirements. This included training videos and other guidelines on how to secure applications.

2. Use stronger authentication methods to secure cloud access. When all of your resources are just a username and password away, it makes sense to implement multifactor authentication (MFA) and single sign-on (SSO) methods to better protect these assets. The SSO tools are getting better at supporting a wider array of cloud-based applications and implementations. Typically, these products supply two URLs: a portal page for users with a single login to their apps and a management portal for IT administrators.

Most SSO products now automate the logins for thousands of applications. Some SSO tools such as SecureAuth, Okta, Ping and Centrify can specify MFA for particular applications as part of a risk-based authentication approach. This makes using SSO a powerful, protective tool and can secure logins better than relying on users to choose individual passwords. It also means that IT can play a more critical role in defining cloud-based assets and matching up the appropriate security levels.

3. Start using encrypted emails and file transfers to protect your communications. As more of your communications takes place over the Internet, you need to do a better job protecting this information, and the best way to do that is by using encrypted emails and file transfers. If you haven’t looked at either, both security approaches are now easier to use.

The International Red Cross is employing a zero-knowledge email client. This approach uses a shared passphrase to decrypt your message and for your correspondent to compose a reply to you. In some cases, the


recipient can read the message by just authenticating himself with a couple of mouse clicks. After this first communication, the recipient is now able to exchange encrypted messages with you quite easily. The result avoids having to preselect a common communications tool for passing secure messages. The Red Cross is also making use of a file transfer service that encrypts files at rest and in transit. Both of these products are used in situations where the most sensitive communications are required, such as message exchanges between governing boards or other high-level work.

4. Implement better access-roles definitions to control your virtual machines (VMs). As you deploy more virtual infrastructure, you need to up your game in terms of protecting which users have access to the VMs. Products like HyTrust and Catbird can be used to put in place more granular access controls, so that users, for example, can run applications residing on a VM but they can’t start, stop or delete the entire VM. And what’s more, these tools can operate in both the data center and in the cloud. These technologies and others can also be used to log access, just like other security products that have role-based access controls. “We can’t always keep you from doing bad things but we can implement role-based access controls carefully, so VMs can be isolated from each other and users have appropriate levels of access,” says Seroter.
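The following Python sketch is an added example, not code from the article or from HyTrust, Catbird or any other product named here. It puts strategy 2 (MFA required for particular applications as part of a risk-based check) and strategy 4 (role definitions under which a user can run an application on a VM but cannot start, stop or delete it, with every access logged) into a single policy decision point; the role names, applications, VM names and log format are assumptions constructed for the illustration.

```python
"""Added example (not from the article): one policy decision point that applies
strategy 2 (per-application, risk-based MFA) and strategy 4 (VM roles that let a
user run an application without starting, stopping or deleting the VM), logging
every decision. Roles, apps, VM names and the log format are constructed here."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"  # password accepted, MFA must be completed first
    DENY = "deny"


@dataclass(frozen=True)
class Application:
    name: str
    requires_mfa: bool  # MFA demanded for this app whatever the login context


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    vm: str
    action: str          # run_app, start_vm, stop_vm or delete_vm
    mfa_completed: bool
    known_device: bool
    source_network: str  # "corp" or "internet"


# Role -> VM actions it permits. Deny by default: anything not listed is refused.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "app-user": frozenset({"run_app"}),
    "vm-operator": frozenset({"run_app", "start_vm", "stop_vm"}),
    "vm-admin": frozenset({"run_app", "start_vm", "stop_vm", "delete_vm"}),
}


def mfa_required(app: Application, req: Request) -> bool:
    """MFA when the app demands it, or the device or network is unfamiliar."""
    return app.requires_mfa or not req.known_device or req.source_network != "corp"


@dataclass
class PolicyEngine:
    apps: Dict[str, Application]
    # (user, vm) -> roles on that VM; per-VM grants keep VMs isolated from each other.
    grants: Dict[Tuple[str, str], FrozenSet[str]]
    audit_log: List[str] = field(default_factory=list)

    def evaluate(self, req: Request) -> Decision:
        decision, reason = self._decide(req)
        # Log every request, allowed or not, so reviews can see who touched which VM.
        self.audit_log.append(f"user={req.user} vm={req.vm} action={req.action} "
                              f"app={req.app} decision={decision.value} reason={reason}")
        return decision

    def _decide(self, req: Request) -> Tuple[Decision, str]:
        app = self.apps.get(req.app)
        if app is None:
            return Decision.DENY, "unknown application"
        if mfa_required(app, req) and not req.mfa_completed:
            return Decision.STEP_UP_MFA, "mfa required by risk policy"
        roles = self.grants.get((req.user, req.vm), frozenset())
        permitted = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in roles))
        if req.action not in permitted:
            return Decision.DENY, f"action not permitted by roles {sorted(roles)}"
        return Decision.ALLOW, "role permits action"


def build_demo_engine() -> PolicyEngine:
    """Constructed inventory: two apps, two VMs, grants for alice and bob."""
    apps = {"intranet": Application("intranet", requires_mfa=False),
            "payroll": Application("payroll", requires_mfa=True)}
    grants = {("alice", "vm-payroll-01"): frozenset({"app-user"}),
              ("bob", "vm-payroll-01"): frozenset({"vm-admin"}),
              ("bob", "vm-web-01"): frozenset({"vm-operator"})}
    return PolicyEngine(apps=apps, grants=grants)


def run_demo() -> Tuple[List[Decision], List[str]]:
    """Evaluate constructed requests; returns the decisions and the audit log."""
    engine = build_demo_engine()
    requests = [
        # alice runs payroll on her VM after completing MFA: allowed
        Request("alice", "payroll", "vm-payroll-01", "run_app", True, True, "corp"),
        # alice tries to delete the whole VM: app-user may only run the app
        Request("alice", "payroll", "vm-payroll-01", "delete_vm", True, True, "corp"),
        # bob is vm-admin there but arrives from the Internet without MFA: step up first
        Request("bob", "payroll", "vm-payroll-01", "delete_vm", False, True, "internet"),
        # bob is only an operator on the web VM: no delete, even with MFA done
        Request("bob", "intranet", "vm-web-01", "delete_vm", True, True, "corp"),
        # internal app from a known corporate device: no MFA, operator may stop the VM
        Request("bob", "intranet", "vm-web-01", "stop_vm", False, True, "corp"),
        # carol holds no role on this VM at all
        Request("carol", "intranet", "vm-web-01", "run_app", False, True, "corp"),
    ]
    return [engine.evaluate(r) for r in requests], engine.audit_log
```

Calling `run_demo()` returns the six decisions together with the audit lines, so the deny for a missing grant and the step-up for an off-network admin are both visible in the log.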

5. Prepare for the coming world of microsegmentation and virtual containers. Tools like Docker containers can help focus your resources in the cloud and more closely target your workloads and needs. Rather than bringing up an entire VM, you can just initiate a virtual process or automatically link to a series of processes for specific tasks. “Containers can live 10 seconds or 10 days,” says Seroter, “and you have to know how to assess that attack surface because it is a very different animal.”

Microsegmentation products such as FireHost can programmatically provision network services and policies for particular workloads. They can set up specific VLANs and firewalls and enforce those policies at the virtual network interface. “Security pros need to be ahead of these emerging trends and know their limitations and how they can be used safely,” Seroter says, “not just prevent something from being deployed.”

David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.


M&A SURVIVAL

APP SECURITY DUE DILIGENCE IS ON THE RISE

Some companies are trying to head off information security glitches before they finalize deals, with help from security officers.

By Alan R. Earls

Frankenstein code. It’s the stuff of nightmares, and it’s all too common—especially in long-established enterprises. Huge system-level problems are not unusual, such as those discovered when two airlines merged and ticketing ended up grinding to a halt.

“It is so complicated because these systems are so large and [they] involve so many technologies and languages that no one can fully understand them,” says Bill Curtis, senior vice president at CAST, a software analysis and measurement technology provider in New York. “Some people say security is separate from software quality, but it’s not,” adds Curtis, who also serves as the executive director of the Consortium for IT Software Quality, an international standards organization for software-intensive systems.

When companies merge, especially larger organizations, the complex architecture, systems and customized software that their businesses and operations depend upon need to be vetted and consolidated. This is a multifaceted and costly task that rarely includes adequate resources for identifying Web and enterprise software


security gaps.

“We look at business transformations like mergers as a great opportunity, but they come with risk,” says Bethany Larson, a partner in cyber risk services at Deloitte & Touche, in the Minneapolis-St. Paul area. “From a code perspective, we typically see the most application risk in custom code; the actual developers may be long gone, usually there’s no documentation, and often there are backdoors and other security problems.”

The challenges come in many forms including material, procedural and compliance, notes Tyler Shields, a principal analyst in security and risk at Forrester Research. “Everything from secure development procedures to vulnerability detection, mitigation, protection, and even incident response models and procedures will likely differ significantly,” he says. And merging these procedures takes time and resources that generally aren’t available during the M&A process.

After a merger or acquisition, which often can span months if not years, IT organizations are usually under pressure to accomplish three very different tasks: keep the networks and systems running smoothly, find a way to combine and consolidate resources (systems, applications and staff), and make sure sensitive data stays secure. They also have to determine which applications outsiders, such as vendors, may be able to access, which can pose critical data security problems, says Larson.

As a consequence of these issues, CISOs are increasingly getting pulled into M&A evaluations. They are not only being asked whether the new entity should even be allowed to connect to the network but also consulted in regards to the security of applications, notes John Pescatore, director of emerging security threats at SANS Institute, a security training organization.

One area of particular concern is the use of open source software. “There are pieces of open source in infrastructure and products, and experience has shown that open source is actually more vulnerable,” he says.

Licensing and IP Matters

An acquirer needs to make sure the target company has licensed and paid for its operating systems and software. Discovering hundreds of illegally operated desktops restricts your ability to update and patch security flaws, Pescatore says.

More emphasis is now being placed on scrutinizing licenses and IP ownership during the M&A process, agrees Shields. “This due diligence is required to ensure that you aren’t taking on any additional legal liabilities with the software you are acquiring.”

Have your security team go through a maturity assessment of the target company’s software development


lifecycle. “Don’t just ask their people if the software is secure; ask for documentation and consider testing it for vulnerabilities,” advises Shields. Tools can help. Application security providers such as Cigital Inc., Veracode and WhiteHat Security offer a range of vulnerability testing services.

Most application flaws are relatively minor; they simply haven’t been addressed, says Curtis. But there can be exceptions. Thus, implementing both static and dynamic testing of applications before or after a merger is a good policy, in areas where there are security concerns.

However, subtle and potentially dangerous issues may escape testing or superficial analysis. “Some of the biggest glitches are driven by misunderstandings about how things operate, perhaps because organizations define functions or terms differently, and that can contribute to hacker exploits,” he says.

Nor is it simply a problem with older “legacy” code. General security issues in the software industry have existed for decades, but companies also face new challenges. “Many of the people writing code today are self-taught and [they] haven’t been exposed to software engineering concepts and best practices,” says Curtis. “I don’t see the problem getting better any time soon; we are now getting into ‘systems of systems’ that not even a team of humans can understand.”

Companies can perform a variety of risk assessments, from written questionnaires and on-site interviews to penetration tests and security audits. However, you’ll typically face significant pushback from the M&A target when it comes to obtaining this information, claims Jacob Olcott, vice president of business development for BitSight Technologies in Cambridge, Mass., which provides a security ratings service for clients. It can also be challenging to identify any previous cybersecurity incidents that may devalue the information assets being acquired, such as intellectual property or trade secrets. “Any acquirer will want to factor future IT and IT security expenditures into the price of the acquisition,” he says.

Making It All Work

Stephen Cobb, a senior security researcher at San Diego endpoint security provider ESET North America, says to make the merger process work well, both sides should review their risk management and application security processes.

A good place to start is by assessing your own security posture:

• What is your current risk management strategy and is it backed up with policies and controls?


• Does your organization have strong IT security governance in place?

• Are your own systems, including websites and enterprise applications, as secure as they should be?

• How robust is the authentication system for all of your resources? Are you using two-factor authentication in the right places, or across all systems?

• What is your disaster recovery plan? How recently has it been tested and reviewed?

“After thinking about those things, you should then approach the other entity with a view that you have to ask them about everything,” Cobb says. “And then plan to make an inventory of everything they have and how it works.” (See: What to Keep.)

There’s still too little appreciation of the growing complexity of cloud assets that come with a merger, according to SANS’ Pescatore, who says these applications include not only IT-controlled resources, but the software-as-a-service assets used by business units and individual departments, such as Box and Salesforce. Each deployment could contain potential vulnerabilities. “Sometimes, the IT people don’t even know about these things,” he adds.

It’s also essential to be methodical and patient as the M&A process unfolds. Companies rarely complete a merger of IT systems as a “big bang,” notes Deloitte & Touche’s Larson. Usually organizations need to step back and think about how they have been defining risks and using data types, and then decide what software is the best option, she explains.

Larson recommends looking at all the applications and prioritizing your work based on their risk issues. “If something represents a low risk, it is easier to just leave it alone, but if it could involve high risk, based on external threats to your company or on the number of users, it is smart to concentrate there,” she says. Similarly, deciding whether to combine systems, run them in parallel or some other option should be based on a risk assessment.

“The other merger task that we see as critical is to have a view of the security threat through the whole cycle of the merger—you need to avoid disconnects,” cautions Larson. She says it is easy for employees or business units to take over during the M&A process, which can upset the proper balance between providing access and sound security. “A merger is a chance to take control of data and to try to limit the roles that may have accumulated in both organizations,” she explains. Thus, the merger can provide a chance to redesign those roles and permissions based on the new business, and implement other useful changes such as standard naming conventions.

Finally, it’s important to remember the necessity of applying similar risk-management and security processes if your organization spins off a new entity. “Almost all the same concerns and processes apply there,” Larson says.

Alan R. Earls is a freelance journalist based near Boston. He focuses on business and technology, particularly storage, security and the Internet of Things.

WHAT TO KEEP

The company that gets acquired is usually transitioned to the systems and software of the other organization, whether it’s enterprise resource planning or email. But not always, says John Pescatore, director of emerging security threats at SANS Institute, a security training organization.

“To some extent this question boils down to having the capabilities to manage a heterogeneous environment,” he says. “For example, there are products out there such as AlgoSec that can help you manage multiple firewalls.” But retaining “extra” applications ultimately means you could end up paying for twice as much capability as you need.

And if you are hanging on to someone else’s favorite application, think about the new entity’s IT staff and what they can realistically handle. Sometimes, companies just start cutting headcount in a merger without looking closely at the skills they require. “You need to make sure you already have or can retain people with skill sets relevant to your newly enlarged infrastructure,” Pescatore says.

Bug bounty programs, which are gaining in popularity, can also be helpful. If the acquired organization has a vulnerability rewards program, consider the benefits of continuing it, especially if you have the resources to manage a bug bounty program. —A.E.


CYBERTHREAT DEFENSE DATA

Throwing Technology at the Security Problem

Companies continue to invest in an array of tools, but trouble with users, lack of budget and too much data are inhibiting these defenses.

IT’s Perception of Current Security Posture

Rate your organization’s ability to defend against cyberthreats in each of the following areas from 1-5, with 5 being the highest:

  Data center / physical servers                  3.52
  Data center / virtual servers                   3.47
  Network perimeter / DMZ (Web servers)           3.45
  Cloud infrastructure (IaaS, PaaS)               3.14
  Web application (custom built)                  3.10
  Cloud application (SaaS)                        3.08
  Desktops (PCs)                                  2.99
  Laptops / notebooks                             2.93
  Social media applications (Facebook, Twitter)   2.81
  Mobile devices (smartphones, tablets)           2.75

N=801 IT security professionals; Source: 2015 Cyberthreat Defense Report, North America and Europe, CyberEdge Group

Little difference perceived by IT in the organization’s ability to protect homegrown Web apps and cloud-based applications and services (IaaS, PaaS, SaaS).


Network Security Technologies in Use, and Planned for Acquisition

Which of the following technologies are in use or planned for acquisition in the next 12 months to guard all network assets against cyberthreats?

                                                           Currently in use   Plans for acquisition
  Network-based antivirus                                         76%                16%
  Intrusion detection/prevention system (IDS/IPS)                 69%                22%
  Denial of service/distributed denial-of-service (DDoS)          59%                22%
  Security information and event management (SIEM)               56%                28%
  Next-generation firewall                                        54%                32%
  Advanced malware analysis / sandboxing                          53%                27%
  Data loss / leak prevention                                     51%                31%
  Security analytics / full-packet capture and analysis           45%                33%
  Threat intelligence service                                     43%                22%

N=801 IT security professionals; Source: 2015 Cyberthreat Defense Report, North America and Europe, CyberEdge Group


Endpoint Security Technologies in Use, and Planned for Acquisition
Which of the following endpoint technologies are in use or planned for acquisition in the next 12 months to guard desktops, laptops and servers against cyberthreats?

N=788 IT security professionals; source: 2015 Cyberthreat Defense Report, North America and Europe, CyberEdge Group

Technology                                      Currently in use   Plans for acquisition
Antivirus/antimalware (signature-based)         82%                14%
Disk encryption                                 64%                22%
Application control (whitelist/blacklist)       63%                22%
Advanced malware analysis/sandboxing            53%                26%
Data loss/leak prevention                       51%                29%
Digital forensics/incident resolution           46%                29%
Self-remediation for infected endpoints         42%                28%
Containerization/microvirtualization            34%                31%

One-third of respondents currently used containerization and microvirtualization, which ranked highest for planned acquisition in both the endpoint and mobile categories (see the mobile table that follows).


Mobile Security Technologies in Use, and Planned for Acquisition
Which of the following mobile technologies are in use or planned for acquisition in the next 12 months to guard mobile devices (smartphones and tablets) and corporate data access by mobile devices against cyberthreats?

N=788 IT security professionals; source: 2015 Cyberthreat Defense Report, North America and Europe, CyberEdge Group

Technology                                      Currently in use   Plans for acquisition
VPN to on-premises security gateway             55%                24%
Mobile device/application management            50%                32%
Network access control                          50%                27%
Mobile device file/data encryption              47%                29%
Mobile device antivirus/antimalware             45%                29%
Virtual desktop infrastructure                  44%                28%
VPN to cloud-based security gateway             43%                25%
Containerization/microvirtualization            21%                39%


Other Inhibitors to Cyberdefense
Rate how each of the following inhibits your organization’s cyberthreat defenses, from 1-5, with 5 being the highest:

N=789 IT security professionals; source: 2015 Cyberthreat Defense Report, North America and Europe, CyberEdge Group

Inhibitor                                                          Mean rating (1-5)
Low security awareness among employees                             3.22
Lack of budget                                                     3.15
Too much data to analyze                                           3.10
Lack of skilled personnel                                          3.05
Lack of management support / awareness                             3.01
Poor integration / interoperability between security solutions     2.98
Inability to justify additional investment                         2.90
Lack of contextual information from security tools                 2.89
Too many false positives                                           2.87
Lack of effective solutions in the market                          2.70

Top concern 1: Getting users to stay out of trouble
Top concern 2: Lack of budget
Top concern 3: Too much data to analyze


Chat with Terri Curran

A Former CISO’s Take on Smart Measurements
Security metrics may be lost on some executives, Curran says. Wake them up with a contemporary portfolio that can’t be ignored.

Risk management metrics on third parties, such as the number of vendors that have access to company information, are usually an eye opener to boardrooms, says Terri Curran, senior security consultant at CGI Group Inc. Information security metrics should concentrate on three areas—risk management, compliance and innovation efforts. But trying to do too much at the start of a metrics program is a common misstep, acknowledges Curran, a 40-year InfoSec veteran, who performed the CISO function for 19 years at The Gillette Company and for seven years at Bose Corp.

Curran holds Certified Information Privacy Professional (CIPP), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Protection Professional (CPP) and Certified Risk and Information Systems Control (CRISC) certifications. She earned both a bachelor’s and master’s degree in security management from American Public University System, and she is currently a doctoral candidate at Nova Southeastern University, where she is specializing in InfoSec training standardization.

She served on the Computer Security Institute (CSI) advisory board from 2007 to 2014. (CSI was absorbed by UBM in 2011.) Marcus Ranum caught up with Curran to discuss how to make metrics work for a broader audience.

MARCUS RANUM: Let’s talk about metrics—the most boring topic in computer security, behind configuration management … and everything else. When the topic comes up, I often experience this dialog:

“You should keep metrics.”
“What metrics should I keep?”
“I don’t know—it’s specific to your enterprise.”
“Isn’t there a ‘top 20’ metrics list?”

How do you make the connection between theoretical and operational usefulness? How do you respond when someone asks about the top 20?

TERRI CURRAN: I love talking about InfoSec metrics: I absolutely believe that metrics discussions can explode into ideas and innovation. I also believe that metrics are boring because a lot of them aren’t relevant to today’s executive boards. I’ve been in boardroom meetings where as soon as the CISO’s metrics presentation flashed on screen, eyes rolled heavenward and email was surreptitiously checked.

Don’t get me wrong: Metrics are important. But metrics, like security itself, have to evolve with the times. Is there a top 20? Sure, there can be for any organization.

RANUM: In my experience, the most useful metrics are often ones that quantify time spent on stuff. I’m never sure if that’s because establishing such metrics entails doing some business process analysis, or if it’s just that time metrics tend to be a useful yardstick for effort and expense. What’s your experience?

CURRAN: Based on years of metrics mistakes and successes, I think the most useful, current metrics illustrate risk management, compliance and innovation efforts. Some of these metrics are absolutely time-based, some are not (particularly in the ‘innovation’ category). I think you need a mix of time-based, results-based and forward-looking metrics to explain your InfoSec posture and avoid the rolling eyes in the boardroom.

The old SMART (specific, measurable, actionable, relevant, timely) yardstick can be used very effectively to start the metrics definition process in any of the three categories. In addition to being SMART, metrics must be easy to manage or track. They need to be multipurpose and multidimensional.

Metrics also need to be reported on by the people who do the work on them. If the IT or data center people are doing all the malware remediation and patching, they should be the ones reporting on that (proudly) as part of their role in the security program. The CISO shouldn’t require them to provide monthly status reports that roll up into her report. Let the IT folks take credit for their hard work, and let the CISO innovate some new metrics. At the end of the year, the IT leader can provide a summary that is included in the CISO’s annual security report with proper acknowledgement. Other business units can do the same with their InfoSec-related metrics to illustrate their commitment and support for the InfoSec program.

Of course, the number of phishing and malware attempts, patches applied—all the technology-based metrics are great. But I’d like to think of risk-management metrics in broader context. For example, a great risk-management metric might be the number of third parties with access to company information, the number of third-party risk assessments conducted, and number of third parties protecting information properly. Many companies still haven’t considered third-party risk assessment as part of the metrics portfolio, and executives seem to be surprised about the number of vendors and others that have access to their information.

Another risk-management metric might be the number of proactive activities taken to stay current with laws, rules and regulations (webinars, updates from advocacy groups or legal papers). Some of my favorite metrics in this area are outreach activities. If you’re in regular contact with your local law enforcement and public safety officials, it’s a great physical, security, risk management and innovation metric. My point here is that metrics can be people-centric as opposed to technology-centric.

Compliance metrics are pretty straightforward based on the external contractual and regulatory compliance requirements of the organization. PCI DSS, NIST 800-53—lots of requirements provide great metrics as part of execution. Measuring internal compliance to InfoSec policies is easier now because of monitoring technologies like data loss protection that are technology-centric.

Of high interest to me is keeping track of the number of external audits that are planned or in process, and the hours and resources needed to support them. That’s an old metric but still very valid and valuable.

Lately, my favorites are innovation metrics. Physical and InfoSec programs need to grow and evolve. We can use metrics to generate and illustrate forward-thinking activities and ideas.

Not all innovation ideas will become reality—but that’s a metric in itself, isn’t it? On a monthly basis, for example, the security team can have an innovation discussion and come up with ideas that are of benefit from a professional and personal perspective. I’ve seen some really wonderful things come out of innovation discussions that breed even better metrics. Here are a few examples: having a ‘shred day’ where employees can bring documents in for safe disposal—that illustrates good security awareness, generates metrics on the number of employees participating and even the total number of pounds shredded (good corporate social responsibility). Or offer training sessions on free malware software and track employee participation. I’ve heard anecdotally of companies that create security-awareness presentations for employees to take home and share with their kids. I also like to show ‘number of business unit meetings held to discuss security issues.’ The best thing about innovation metrics is that if 10 are generated in a month, but only three come to reality, so what? You’re still showing innovation.

RANUM: It seems to me that a lot of enterprises are getting shellacked by malware and basic phishing attacks. When I see that, my assumption is usually that they don’t actually understand how badly it’s hurting them because they need metrics. What are some of the things you’d measure in order to explain to senior management the impact of malware and end-user computing practices on the organization?

CURRAN: Some organizations have an appetite for social engineering and phishing tests, and these are great metrics to measure employee awareness—and [they] present great input for training programs as well. I think we need more illustration for management to benchmark how their organization compares to others in their industry. Metrics can be used to show maturity gaps (or, even better, good posture). I wish there was an external monthly report or digest, which I could show senior leaders, that indicates by industry, or sub-industry, how many malware and phishing attacks were reported in a given month, and how the company stacks up against those reports. That would be a huge win. If you know of a resource like that, let me know, please!

RANUM: I used to be dismissive of risk management because it often seems to be a case of ‘garbage in, garbage out.’ But when I started digging into metrics, I realized that the only way that you can actually make any sense of this stuff—and reduce the garbage level—is to start measuring things. Where do you start? If you were building a metrics program from scratch, what are the first steps?

CURRAN: I developed a rudimentary worksheet for metrics development that might explain my approach to identifying ‘value-add’ metrics (see the worksheet below). It also can be used as a resource-planning tool or as input to a RACI [responsible, accountable, consulted and informed] model.

The metric itself needs to be measured as either qualitative (narrative in this section) or quantitative (percentages or other numeric value). The most important part of this worksheet is: What is the question being answered? If there’s no question that’s of interest, then the metric really isn’t worth chasing. Data sources could be tools used or surveys issued; and the last two columns are pretty straightforward.

The first place to start is the compliance requirements. Then I’d tackle risk management metrics and, finally, innovation metrics. It’s a maturity curve that can build out gradually. And don’t forget to keep metrics on metrics: We created and reported on five new metrics last month.

Curran’s Worksheet for Metrics Development

Column 1: Metric (qualitative/quantitative)
Column 2: What is the question being answered?
Column 3: Data sources and tools used to generate metric
Column 4: Reporting frequency
Column 5: Why is this metric SMART? (specific/measurable/attainable/realistic/timely)

Source: Terri Curran, CGI Group Inc.

RANUM: What’s the biggest mistake people make when they are starting a metrics program, and how should they avoid it?

CURRAN: I have been guilty of probing too deeply into InfoSec metrics and looking for a complete portfolio to start, trying to add too many items at once. I’ve learned that the best metrics show the value of the InfoSec program to the company as well as to external regulators and auditors. Trying to accomplish too many metrics for the sake of metrics is a failed effort before even starting.

RANUM: OK, we talked about the top 20. I’m putting you on the spot: What are your current faves?

CURRAN: Well, how about five of each to start? Some of them we’ve already talked about, but here are metrics I’d be looking for if I were concerned about protecting my company’s information and physical assets:

Risk-management metrics
1. Third-party risk assessments performed
2. Number of internal and external audit findings issued (with current status—in process, completed and so on)
3. High-level data leak prevention statistics (could also be considered a compliance metric)
4. Benchmarking to similar industries based on analyst, vendor reports
5. Number of vendors with access to restricted, confidential or regulated information (with trending)

Compliance metrics
1. Patches applied and all the usual IT-related topics
2. Policy exceptions requested and granted
3. Schedule of compliance activities with trending (increase is likely)
4. Number of contracts reviewed for security or privacy concerns (could also be considered risk management)
5. Number of regulatory or contractual research hours conducted to stay on top of upcoming changes

Innovation metrics
1. New ideas generated (with brief explanation)
2. Ideas approved for moving ahead
3. Outreach meetings initiated (business units)
4. Outreach meetings initiated (external agencies, regulators, interest groups; could also be considered in risk-management category)
5. Personal and professional development outreach (certification guidance, new certifications acquired)

RANUM: I often hear computer security people say that security doesn’t know how to talk to executive management or business units. What do you say to that?

CURRAN: That’s a great question. My first response is this: Don’t talk. Listen. Yes, I know, this sounds obvious and a little snarky. But we often don’t listen enough to our colleagues in the business side of the organization.

So now to the serious answer: Talk less about technology and more about people-centric risk management. Remember that people want their organizations to be safe and successful and [they] want to feel they are part of this effort. Appeal to their protective instincts without being alarmist. Gain their confidence by showing sincere interest in how their business process integrates with security. These are great ways to get conversations flowing and build their trust.

Marcus J. Ranum, CSO of Tenable Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.

OPM’s Cybersprint

By Adam Rice

WARNINGS, NEGLECT AND A MASSIVE BREACH
Why no one should have been surprised by the U.S. Office of Personnel Management’s hack.

Shocked that the massive OPM breach reported earlier this year actually happened?

When compromised passwords at the United States Office of Personnel Management led to an epic breach, exposing the data of 22 million people, it raised the question: How can an organization whose information security is managed without accountability and oversight from its leadership be expected to tackle national cybersecurity risk at this level of complexity?

Like other federal departments, OPM is a monolithic agency run by politically appointed leaders who simply lack the expertise to make smart decisions about cybersecurity. More importantly, most directors in the U.S. government do not have people within their organizations who are empowered to make changes, and many staff members are, simply, not right for jobs that require security and risk management. A CIO or CISO in the U.S. government is typically a Senior Executive Service (SES) Level 3 position, which pays $168,000 annually with few incentive bonuses and no stock options. An equivalent CISO role, in a company the size of OPM—which houses data from employment records, background checks and fingerprints for all past and present federal employees and jobseekers—would come closer to $400,000 in total compensation. Bringing outside talent into the government at this level is challenging, and it’s not only the discrepancy in pay. Hiring directly into the SES requires an independent board of inquiry into the candidate’s five “Executive Core Qualifications,” developed (ironically) by the OPM:

ECQ1 Leading change
ECQ2 Leading people
ECQ3 Business acumen
ECQ4 Results driven
ECQ5 Coalition building

The process is long, frustrating and, in the end, mysterious. (I applied to be the CISO at the Department of Commerce, was given a conditional letter of employment, but declined after months of waiting for the ECQ board to meet or even tell me what I needed to provide to them.)

Risk Tolerance
What happened at OPM can happen anywhere when you are dealing with an advanced threat like a PRC-sponsored intelligence group with state-of-the-art attack techniques and tactics. It’s only when the leadership of an organization appreciates those risks that they can authorize their IT security department to develop and deploy an active defense against these unrelenting threats. In the private sector, cyber risk is the No. 1 item on most corporate boards’ minds. The directors are pressing CEOs to explain how they are getting in front of cyber risks. That in turn drives investment in quality tools, people and processes that are commensurate with the organization’s cybersecurity risk tolerance.

Not all organizations carry the same risks. Companies in the high tech, defense or aerospace industries have been historical targets of advanced adversaries; by now, most of these companies have made what is considered a reasonable investment in their cybersecurity organizations. In many enterprises, major security funding comes after a breach, or a high-profile incident in a company just like theirs. Organizations that are at lower risk from criminal or state-sponsored cyberintelligence groups may adopt a strategy that allows higher risk tolerance, and less investment in security programs.

The point is that how to stop, or slow down, these attacks is no longer a mystery; the expertise and technologies have matured to the point that there is a blueprint that can effectively prevent or minimize the kind of attack that occurred at OPM. Many companies and some government organizations are deploying effective defenses against most of the risks they face, including advanced persistent threats (APTs).

What is the difference between those organizations and OPM? Accountability and leadership. OPM cannot be sued; it will not be fined, and over time, if everyone hunkers down and waits for the storm to blow over, it will get back to some old ways of doing business.

Although Katherine Archuleta, OPM’s director, resigned after political pressure, there is a big rush to address some of the major flaws in the OPM systems reactively; this means the underlying organizational and cultural issues are going to be harder to change.

Layers of Management
A review of the OPM website shows an organization with a large management layer of senior advisors to the director, and a hierarchy that is not in line with the approach many companies are taking when it comes to cybersecurity. The new acting director at OPM, Beth Cobert, has 62 senior leaders in four groups reporting to her. Within one of the groups, called Support Functions, is the CIO, Donna Seymour, who has 28 staff listed in her direct organization, and four direct reporting organizations, none of which are security focused. There’s a reference to an IT Security Policy and an IT Security Operations Center, but the CISO function (if there is one) is not listed.

Security Not on the OPM Org Chart
Chief Information Officer
  IT Strategy and Policy
  Federal IT Business Solutions
  Enterprise Infrastructure Solutions
  Federal Data Solutions
Source: www.opm.gov

Seymour is a 34-year career government worker, with a mix of policy and IT management roles at the Department of Defense, among other agencies. While she has a degree in computer science and a long history in information technology, cybersecurity is not part of her bio.

The Office of the CIO is responsible for the cybersecurity of the OPM’s IT infrastructure. Despite an upgrade from “material weakness in information security governance” to “significant deficiency,” based on a planned reorganization of the Office of the CIO, the FY 2014 Federal Information Security Management Act (FISMA) audit, conducted by the Office of the Inspector General (OIG) for DHS, found serious flaws in the network and the way it was managed. The OPM lacked an inventory of systems and baseline configurations, and 11 servers were operating without a valid authorization to operate (ATO). The auditors could not independently verify OPM’s monthly automated vulnerability scanning program for all servers. Another notable finding was the lack of a senior information security professional to own the security of the network—a role that is typically filled by a CISO.

The status of the reorganization of the Office of the CIO is unclear. Based on earlier FISMA audits and recommendations, OPM is moving toward centralized management of security with information system security officers (ISSOs) reporting directly to the CISO organization. The individuals in these positions will have professional security backgrounds, according to the report. In FY 2014, OPM had four ISSOs for 17 of the agency’s information systems, with 10 additional positions authorized.

The FISMA FY 2014 report, which Seymour signed on October 21, 2014, cautioned OPM that the systems were dangerously underpatched and vulnerable to security issues. The report was not technically detailed, but after the incidents, it’s clear that OPM was aware it had serious IT security problems. It lacked an effective PIV (personal identity verification) and multifactor authentication strategy, had poor management of user rights, inadequate monitoring of multiple systems, and an ineffective and decentralized cybersecurity organization. The sensitive data was unencrypted at rest, and stored in old database systems that were vulnerable. (It turned out, contrary to U.S. law, OPM used contractors from China to manage some of its databases.) Many machines were unpatched. All of these deficiencies have been pointed out to OPM over and over again, since the FISMA audit in FY 2007.

Motivated Adversary
In retrospect, given the epidemic in state-sponsored hacking around the world, the consequence of a successful hack on OPM data should not be a surprise. The OIG report even said that there would be a national security impact if OPM was hacked. The signs were all there: It had the vulnerabilities, no security-focused leadership, and a capable and motivated adversary.

So what happened in the period between the last OIG report and the discovery of the data loss? Not much. The compromise was noticed in April 2015, just six months after the OIG report, and evidence suggests that the compromise was ongoing much earlier. Social security numbers, security clearance information, fingerprint data were all lost. The adversaries, believed to be the Chinese, were able to steal millions of sensitive files. Given the findings of the report, and the capabilities of the Chinese APT groups, this should not have surprised anyone.

In any large private organization, the CEO, the CIO and the CISO would be held accountable by the board of directors. In the end, Katherine Archuleta, OPM’s director, whose only qualification for the job was her role as the national political director of President Obama’s 2012 re-election campaign, resigned. Seymour, whose primary job was to advise Archuleta on IT and manage risk on the IT systems, is still employed as the CIO of OPM, which is amazing. She was unable to address the real risks to OPM’s data or articulate those risks to the director to force an accelerated remediation plan. The OIG FY 2014 audit noted that OPM still needs to “fully establish” an executive risk function.

As expected, there is a massive post facto effort to clean up years of poor IT management and the lack of investment in people and processes. This “30-day Cybersecurity Sprint” ordered by the Obama administration across all agencies is going to apply fixes on the big issues. But, without a strong foundation, time and lack of attention could make this investment futile in the long run. Cybersecurity is a journey. The threat landscape changes, the tools and processes evolve, and rules and regulations change. OPM, and the government as a whole, need to invest in professional security executives and empower those individuals with real authority within their organizations.

A CISO with a mandate to bypass organizational apathy and expose the risks to decision makers is going to be hard to find in the government, but until this is figured out, many government organizations are going to continue to struggle with a cycle of apathy, crisis, and then sprinting to catch up again.

Adam Rice is the CISO of Cubic Corp. In the past 17 years, he has served as CISO of Alliant Techsystems; CSO of a global telecommunications company; general manager and vice president of a managed security services business, and director in several network consulting companies.


Formal Verification Is the Oldest New Game in Town

Security gamification puts formal verification back in play.

BY ROBERT RICHARDSON

Formal verification is one of those things we don’t talk much about in mainstream information security circles. If we could get it to work on a broader scale, beyond system design, we could prove—literally—that various pieces of software were free from security vulnerabilities. The desire to do this dates back to codebreaker Alan Turing, but proof of correctness against formal “behavior” specifications gained attention in 1967, when computer scientist Robert W. Floyd published groundbreaking research, Assigning Meanings to Programs. (Don’t follow that link unless mathematical proofs of program specifications intrigue you; more digestible is this “gentle introduction to formal verification.”)

Multiple approaches to verification exist, but Floyd’s, as refined by C.A.R. Hoare in 1969, was particularly useful early on; it was possible to formally prove—in the same sense that you create proofs in geometry—that a small section of source code was bulletproof.

The fundamental problem is that formal verification requires that all the possible conditions or logic branches of a piece of software be stated and then tested to ensure they don’t cause behavior that breaks rules, which must also be formally defined. Against this set of statements (or, depending on your approach, finite state tables), data sets that represent all the possibilities for input (including illegal input) have to be tested.

The difficulty is that creating these algorithms is too time-consuming and expensive. Because it’s a manual process that requires expertise, it’s also hard to scale. And formal verification has, over the years, resisted automation.

This is not the same thing as fuzz testing, where you

may find some inputs that cause the software to break, but you haven’t proven there are no inputs that will cause a fault. With formal verification, you don’t know in advance how many tests are required, but when you’re done, the proof is finished, Q.E.D.

Crowdsourcing Verification

For two years now, DARPA has been funding a program to crowdsource all that analysis testing. The trick has been to make games of it. You can see the games for yourself (and sign up and play them) at verigames.com.

Five game-design teams have joined the project, each team comprising several organizations. John Murray, the program director of the computer science laboratory at SRI International, is the leader of one of the teams, which also includes members from the University of California at Santa Cruz and the Commissariat à l’énergie atomique, in Saclay, France.

Murray’s team recently launched their second game, dubbed Binary Fission. “You want to take very small pieces of the testing and turn those into activities,” he says. “Players solve puzzles, and in the process of doing that they’re contributing to just a little slice of the problem.”

The point, Murray says, is not to automate the finding of the final proof but to assist the verification specialists by getting the vast quantity of small tests out of the way with less direct effort.

Military Funding

So what kinds of software are being tested behind the façade of these games? Murray points to medical equipment and stock exchange systems. “It is the case that the funding is coming from DARPA, but the applications have very broad applicability,” he says.

Can crowdsourcing via gaming be used by malicious actors to find vulnerabilities? Because, after all, not being able to prove that a section of code is sound is in effect finding something about it that makes it insecure.

It’s not worth the trouble if hacking is the intent, according to Murray: “You might be better off using your resources in some other way,” he says. “Maybe you pay to compromise people involved to provide you with the source code.” Or you use the funds to outsource DDoS attacks or to buy zero-day vulnerabilities from other researchers. As always, defenders bear the burden of completeness, while attackers just need to find a single forgotten detail.

Formal verification was sidelined in the earliest days of computer security because it was impractical. This led to a long infatuation with tools for perimeter defense that created no incentives to get our primary, business-critical software up to snuff. Programs like Binary Fission give us a glimpse of a possible way to train our attention back to fundamentals of getting stuff right in the first place. Like so much else in the Internet world, crowdsourcing offers new ways to organize huge projects into bite-sized chunks.

Robert Richardson is the editorial director of TechTarget’s Security Media Group. Follow him on Twitter: @cryptorobert.

Security Gamification (figure): Formal verification of software is crowdsourced with games like Binary Fission. Source: Binary Fission, www.verigames.com.

Puzzling Logic

Playing Binary Fission isn’t like winning a popular first-person shooter game. It’s a more abstract, puzzle-based challenge. The goal is to sort atomic particles in as few steps as possible, but it’s not easy. You’re presented with a collection of tan and blue balls, inside a circle. You have a large choice of “filters,” represented by pentagonal shapes of differing sizes (see: Security Gamification). You choose one, and the contents of the atoms are split into two separate circles with the tan and blue balls in them. If all the blues are in one circle and all the tans are in the other, then you’ve finished that round.

Some of the early filters that seem very effective turn out to put you in situations where the final sort can’t be achieved in the number of available rounds. The logic behind the game is confusing because you don’t know what the filters are actually doing; all you see is the result, so when you’re stuck you back up and try something else. It’s not a thrill-a-minute, but it’s surprisingly mesmerizing.

Or at least that’s how it went for me. There may be logic there that I’m just not seeing, but I suspect that part of the point is that you don’t know what you’re testing in terms of specific code or input values. After all, sorting the atomic particles is a puzzle. Shooting your way through a game level is about fast physical reaction against targets you’ve seen before. “These types of puzzles don’t lend themselves to that genre,” Murray says.
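The Floyd–Hoare style proof the article refers to, worked through for one small routine. This is an added example, not from the article or the Verigames project; the program, the names src, dst, n and N, and the invariant I are all assumed for the illustration. The routine copies n elements from src into a buffer dst of capacity N, and the property a security reviewer cares about is that no write ever lands outside dst.

$$
\begin{array}{ll}
\text{Program } S: & i := 0;\ \mathbf{while}\ i < n\ \mathbf{do}\ dst[i] := src[i];\ i := i + 1\ \mathbf{od} \\
\text{Precondition } P: & 0 \le n \le N \\
\text{Postcondition } Q: & \forall k.\ 0 \le k < n \Rightarrow dst[k] = src[k] \\
\text{Invariant } I: & 0 \le i \le n \ \wedge\ n \le N \ \wedge\ \forall k.\ 0 \le k < i \Rightarrow dst[k] = src[k]
\end{array}
$$

Each Hoare rule leaves one obligation to discharge; these are the "conditions that must be stated" the article talks about:

$$
\begin{array}{lll}
(1)\ \text{initialisation:} & P \Rightarrow I[0/i] & 0 \le n \le N \Rightarrow 0 \le 0 \le n \wedge n \le N \wedge (\forall k.\ 0 \le k < 0 \Rightarrow \ldots)\ \text{(vacuous)} \\
(2)\ \text{body keeps } I: & \{I \wedge i < n\}\ dst[i] := src[i];\ i := i + 1\ \{I\} & \text{assignment axiom twice: } I \wedge i < n \Rightarrow I[i+1/i]\big[dst\{i \mapsto src[i]\}/dst\big] \\
& & = 0 \le i + 1 \le n \wedge n \le N \wedge \forall k.\ 0 \le k < i + 1 \Rightarrow dst\{i \mapsto src[i]\}[k] = src[k] \\
(3)\ \text{write in bounds:} & I \wedge i < n \Rightarrow 0 \le i < n \le N \Rightarrow 0 \le i < N & \text{the only store, } dst[i], \text{ stays inside the buffer} \\
(4)\ \text{loop exit:} & I \wedge \neg(i < n) \Rightarrow i = n \Rightarrow Q &
\end{array}
$$

In (2) the case k < i is given by I and the case k = i reduces to src[i] = src[i]; with (1), (2) and (4) the while rule yields the triple, and (3) is checked at the single store:

$$
\frac{\{I \wedge i < n\}\ \text{body}\ \{I\}}{\{I\}\ \mathbf{while}\ i < n\ \mathbf{do}\ \text{body}\ \mathbf{od}\ \{I \wedge \neg(i < n)\}}
\qquad\Longrightarrow\qquad \{P\}\ S\ \{Q\}
$$

Hoare’s 1969 logic gives partial correctness; termination follows separately because the variant n − i is non-negative under I and decreases on every iteration. Note where the “illegal input” went: a call with n > N is excluded by P, so the obligation to establish P moves to every caller, which is exactly the completeness burden on defenders that the article describes.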
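The contrast the article draws between fuzz testing and stating every condition a routine can reach, worked through in code. This is an added example, not code from the article, from Binary Fission or from the Verigames project: the record parser, its off-by-one defect, the seed record and the bounded input domain are all constructed for the illustration.

```python
"""Added example (not from the article): why a fuzz run that finds nothing
is not a proof, and what it takes to cover every case of a small routine.

The parser, the seed record and the fault are all constructed for this
illustration; nothing here is Binary Fission or DARPA code.
"""
from typing import Callable, List, Tuple

BUF_SIZE = 16  # fixed-size destination buffer, as in a C-style parser


def parse_record(data: bytes) -> bytes:
    """Parse a record of the form <1-byte length><payload> into a
    fixed 16-byte buffer, writing a terminator after the payload.

    Deliberate defect: the bound check lets n == BUF_SIZE through, so the
    terminator write lands one past the end of the buffer. Python turns
    that overflow into an IndexError; a C program would corrupt memory.
    """
    if not data:
        raise ValueError("empty record")          # illegal input, rejected
    n = data[0]
    if n > BUF_SIZE:                              # defect: should be n >= BUF_SIZE
        raise ValueError("length too large")      # illegal input, rejected
    buf = bytearray(BUF_SIZE)
    for i in range(n):
        buf[i] = data[1 + i] if 1 + i < len(data) else 0
    buf[n] = 0                                    # off-by-one when n == 16
    return bytes(buf[:n])


def parse_record_fixed(data: bytes) -> bytes:
    """The same parser with the bound check corrected."""
    if not data:
        raise ValueError("empty record")
    n = data[0]
    if n >= BUF_SIZE:                             # leaves room for the terminator
        raise ValueError("length too large")
    buf = bytearray(BUF_SIZE)
    for i in range(n):
        buf[i] = data[1 + i] if 1 + i < len(data) else 0
    buf[n] = 0
    return bytes(buf[:n])


def violates_spec(parser: Callable[[bytes], bytes], data: bytes) -> bool:
    """The rule the code must obey, stated as a predicate: every input is
    either rejected with ValueError or parsed into exactly n bytes, and no
    other exception (here the out-of-bounds IndexError) may escape."""
    try:
        out = parser(data)
    except ValueError:
        return False
    except IndexError:
        return True
    return len(out) != data[0]


def fuzz_bit_flips(parser: Callable[[bytes], bytes], seed: bytes) -> List[bytes]:
    """A small, deterministic mutation fuzzer: flip each single bit of the
    seed record and keep the mutants that break the spec. From the seed
    below it never produces a length byte of 16, so it reports nothing."""
    found = []
    for pos in range(len(seed)):
        for bit in range(8):
            mutant = bytearray(seed)
            mutant[pos] ^= 1 << bit
            if violates_spec(parser, bytes(mutant)):
                found.append(bytes(mutant))
    return found


def exhaustive_check(parser: Callable[[bytes], bytes]) -> List[Tuple[int, int]]:
    """Enumerate every case the parser's control flow can distinguish: the
    length byte n (0..255) and the number of payload bytes present, k
    (0..BUF_SIZE+1, covering short, exact and over-long payloads). Payload
    values are abstracted to zero because no branch depends on them.
    Returns every (n, k) that violates the spec. An empty list is a proof
    for this bounded domain only, not a proof about arbitrary programs."""
    failures = []
    for n in range(256):
        for k in range(BUF_SIZE + 2):
            data = bytes([n]) + bytes(k)
            if violates_spec(parser, data):
                failures.append((n, k))
    return failures


SEED = bytes([4, 0x41, 0x42, 0x43, 0x44])  # constructed valid record, payload "ABCD"

if __name__ == "__main__":
    print("fuzz found:      ", fuzz_bit_flips(parse_record, SEED))   # []
    print("exhaustive found:", exhaustive_check(parse_record))        # all (16, k)
    print("after fix:       ", exhaustive_check(parse_record_fixed))  # []
```

The fuzzer is not wrong, it is incomplete: it reports a clean run while the faulting length byte sits one value past anything it generates. The exhaustive check finds the fault only because someone first stated what the parser's behaviour can depend on (n and the payload length) and what "breaks rules" means (the predicate in violates_spec). That enumeration is the part that does not scale for real software, and it is the slice of work the Verigames puzzles farm out to players.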


TechTarget Security Media Group


TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

Editorial Director: Robert Richardson

Features Editor: Kathleen Richards

Executive Managing Editor: Kara Gattine

Associate Managing Editor: Brenda L. Horrigan

Site Editor: Robert Wright

Director of Online Design: Linda Koury

Columnist: Marcus Ranum

Contributing Editors: Kevin Beaver, Crystal Bedell, Mike Chapple, Michele Chubirka, Michael Cobb, Scott Crawford, Peter Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N. Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman, Karen Scarfone, Dave Shackleford, Joel Snyder, Steven Weil, Ravila Helen White, Lenny Zeltser

Editorial Board

Phil Agcaoili, Cox Communications
Seth Bromberger, Energy Sector Consortium
Mike Chapple, Notre Dame
Brian Engle, Health and Human Services Commission, Texas
Mike Hamilton, MK Hamilton and Associates
Chris Ipsen, State of Nevada
Nick Lewis, Saint Louis University
Rich Mogull, Securosis
Tony Spinelli, Equifax
Matthew Todd, Financial Engines
Don Ulsch, PwC U.S.

Vice President/Group Publisher: Doug [email protected]

Stay connected! Follow @SearchSecurity today.

© 2015 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

Cover image and page 4: Chris Alan Wilton/Getty Images
