
InfoSecurity PROFESSIONAL
JULY/AUGUST 2016
A Publication for the (ISC)2 Membership

LET'S MOVE FORWARD BY STEPPING UP

KNOW THY ATTACKER
BY DISABLING THEIR KILL CHAIN

also
5 MINUTES WITH JASON SACHOWSKI
RANSOMWARE RECOVERY
CLOUD COST SAVINGS
A MEMBER'S CYBER THRILLER

InfoSecurity Professional 1 July/August 2016


isc2.org | facebook.com/isc2fb | twitter.com/ISC2

Top Reasons to Attend the FOCUS 16 Intel Security Conference
November 1-3 in Las Vegas, ARIA Resort and Casino

• Hear Special Guest Keynotes, Including Ted Koppel
• Engage With Our Leaders
• Interact With an Ecosystem of Security Companies
• Anticipate the Next Threat with McAfee Labs
• Jam With the Goo Goo Dolls
• Build Your Arsenal with Case Study Successes
• Quantify ROI of Security-Based Outcomes
• The Market Dynamics of Cybersecurity

Save $100. As an (ISC)2 member, you can save $100 off your registration by using promo code FOCUS16 when registering!

To learn more visit us at www.focus.intelsecurity.com/Focus2016
Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. Copyright 2016 Intel Corporation.

Contents
VOLUME 9 ISSUE 4

DEPARTMENTS

4 EDITOR'S NOTE
Why Reading Is Still Fundamental
BY ANNE SAITA

6 EXECUTIVE LETTER
Let's Move Forward By Stepping Up
BY WIM REMES

8 FIELD NOTES
Introducing the organization's new IT executive; member discount for cyber risk analysis tool; preview of Security Congress; this year's GISLA recipients; a successful U.K. road show; recommended read; spotlight on Singapore chapter; and more.

16 MEMBER'S CORNER
Let's Help Children Get Excited About Cybersecurity Careers
BY SEAN JOHNSON

35 CENTER POINTS
How Do You Size Up?
BY PAT CRAVEN

36 5 MINUTES WITH
Jason Sachowski
A Q&A with an inspiring member who lives and works in Canada.

AD INDEX

FEATURES

18 TECHNOLOGY
Seven Steps to Enhance Your Cyber Defense
How Lockheed Martin's Cyber Kill Chain can decimate the attacker.
BY CRYSTAL BEDELL

24 TECHNOLOGY
Ransomware Recovery
Holding data hostage is a trending trick cybercriminals are using against you and your business. It's time to fight back.
BY RAJ KAUSHIK

28 MANAGEMENT
Cost-Cutting through Cloud Computing
Savings now drives both public and private sectors to embrace the technology, but due diligence is still essential.
BY VINCENT MUTONGI

32 SUMMER READ
Bullseye Breach
We excerpt a chapter from an (ISC)2 member's high-tech thriller, whose storyline should ring familiar.
BY GREG SCOTT

What to consider in a cloud cost analysis. PAGE 28
Image (above) by ENRICO VARRASSO
Cover image by JOHN KUCZALA

InfoSecurity Professional is produced by Twirling Tiger Media, 7 Jeffrey Road, Franklin, MA 02038. Contact by email: asaita@isc2.org. The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2 on the issues discussed as of the date of publication. No part of this document (print or digital) may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual products and companies mentioned herein may be the trademarks of their respective owners. For subscription information, please visit www.isc2.org. To obtain permission to reprint materials, please email infosecproeditor@isc2.org. To request advertising information, please email tgaron@isc2.org. © 2016 (ISC)2 Incorporated. All rights reserved.


Editor's Note

WHY READING IS STILL FUNDAMENTAL

I'M GOING TO give away my age, or at least my generation, when I mention the "Reading is Fundamental" television PSAs popular back when children's programming only aired Saturday and possibly Sunday mornings, unless your antennae picked up UHF channels. The nonprofit RIF, now in its 50th year, provides free books to libraries and to children in families where buying books is beyond their budgets. It stresses the importance of strong reading skills, built through reading regularly, to be successful in school and beyond.

I think most (ISC)2 members understand the importance of reading well beyond a formal education. It's among the most common ways to consume information, both on- and offline. The issue we all now face is what to read, given the many options and limited time today's daily life provides. We at the magazine keep that competition in mind when we create each issue, making sure the news items, columns and features aid in your professional development, not just technical know-how.

The longer days of summer typically make reading, especially for pleasure, easier. There's more sunlight, energy and vacation time to tackle recommended reads, be they popular novels, classic nonfiction works, magazine articles or all those blogs you bookmarked.

We hope that InfoSecurity Professional remains on your reading list, too. This issue, we talk about a trend in cybersecurity analysis: Lockheed Martin's Cyber Kill Chain. Then, a member looks at the costs associated with cloud computing and another at ransomware recovery. A third member provides us an excerpt of his cybersecurity thriller, loosely based on one of the biggest data breaches in recent years. You won't have trouble guessing the inspiration.

I hope your summer (or winter, depending on your location) is filled with good literature that inspires and empowers you in your work and in your relationships with those important to your well-being. If you get a chance between now and August, shoot me an email at asaita@isc2.org with the best book you've ever read.

ANNE SAITA

Anne Saita, editor-in-chief, lives and works in Southern California.
Photo: Rob Andrew Photography

ADVERTISER INDEX
For information about advertising in this publication, please contact Tim Garon at tgaron@isc2.org.
Intel Security ................ 2
(ISC)2 ....................... 5
Capella University ........... 7
Qualys ...................... 13
Walden University ........... 14
Black Hat ................... 17
(ISC)2 ...................... 21
(ISC)2 ...................... 22
Executive Women's Forum ..... 23
(ISC)2 ...................... 27
TechTarget .................. 31
Twirling Tiger Media ........ 37
(ISC)2 ...................... 38

(ISC)2 MANAGEMENT TEAM
SENIOR MANAGER, MEMBERSHIP MARKETING AND MEDIA SERVICES
Jessica Hardy
727-785-0189 x4063
jhardy@isc2.org
EXECUTIVE PUBLISHER
Timothy Garon
508-529-6103
tgaron@isc2.org

MANAGER, GLOBAL COMMUNICATIONS
Amanda D'Alessandro
727-785-0189 x4021
adalessandro@isc2.org

MEDIA SERVICES COORDINATOR
Michelle Schweitz
727-785-0189 x4055
mschweitz@isc2.org

SALES TEAM
EVENTS SALES MANAGER
Jennifer Hunt
781-685-4667
jhunt@isc2.org
REGIONAL SALES MANAGER
Lisa O'Connell
781-460-2105
loconnell@isc2.org

EDITORIAL ADVISORY BOARD
Carlos Canoto, South America
Amanda D'Alessandro, (ISC)2
Tushar Gokhale, U.S.A.
Javvad Malik, EMEA
J.J. Thompson, U.S.A.
Elise Yacobellis, (ISC)2

TWIRLING TIGER MEDIA EDITORIAL TEAM
EDITOR-IN-CHIEF
Anne Saita
asaita@isc2.org
ART DIRECTOR & PRODUCTION
Maureen Joyce
mjoyce@isc2.org
MANAGING EDITOR
Deborah Johnson
PROOFREADER
Ken Krause

Twirling Tiger Media is certified as a women's business enterprise by the Women's Business Enterprise National Council (WBENC). This partnership reflects (ISC)2's commitment to supplier diversity.
www.twirlingtigermedia.com


EARLY BIRD PRICING ends JULY 31, 2016. Register Today!
(ISC)2 Security Congress, Sept. 12-15, Orlando, FL, Orange County Convention Center

Don't miss out on the largest CPE opportunity of the year: earn up to 46 CPEs.

Join us in Orlando, FL, September 12-15, for the 6th annual (ISC)2 Security Congress. Colocated with ASIS Seminar, this conference offers over 90 education sessions, designed to transcend all industry sectors and focus on current and emerging issues, best practices, and challenges. This event will advance you as a security leader by arming you with the knowledge, tools, and expertise to protect your organization.

Make sure you don't miss these sessions!
• Session #3230 - Cloud Security: Securing Your Public Cloud Infrastructure
• Session #2232 - Professional Development: Hiring, Building, and Retaining Top Security Talent
• Session #4232 - Mobile: Malware Activity in Mobile Networks
• Session #4235 - People Centric Security: Your Next CISO Should Be a Lawyer
View the full list of sessions at (ISC)2 Security Congress 2016.

Tracks include: Incident Response; Cloud Security; Swiss Army Knife; Mobile Devices - Security and Management; Governance, Regulation and Compliance; Application Security/Software Assurance; Malware; Threats; Professional Development; Forensics; Threat Intelligence; People Centric Security.

(ISC)2 Members Save $255

congress.isc2.org | #ISC2Congress | Colocated with ASIS
Copyright 2016. (ISC)2, Inc. All rights reserved.

THE LATEST FROM (ISC)2'S LEADERSHIP

EXECUTIVE LETTER | WIM REMES

LET'S MOVE FORWARD BY STEPPING UP

I OBTAINED MY CISSP certification in 2006, and I have always been a proud member of (ISC)2. This is primarily because I believe that, as professionals, we should always strive to improve ourselves. Is there a better opportunity to achieve this than being part of an elite community of more than 100,000 fellow professionals across the globe? I honestly cannot think of one.

I am incredibly honored that the membership has shown confidence in me (and Dave Kennedy, Kevin Charest and Professor Hiroshi Yasuda) to serve as a board member again. While volunteering for this role is obviously a conscious choice, the time my fellow board members and I spend away from work and family has the sole purpose of improving (ISC)2 as an organization, both for the membership and the industry at large. As the elected chairperson for 2016, I can say confidently that the board serves the membership. Having representation from the security industry, government and academia on a global scale enables us to make good decisions for the future of (ISC)2, and the team we have is quite stellar and largely reflects the interests of our membership.

Over the past decades, information security has grown into a complex profession. We have evolved from mostly network-focused technologists to a broad spectrum of specialists, ranging from ethical hackers to risk managers, active on all levels across industries. We're required to understand everything from evaluating risk, to understanding cutting-edge technology before it becomes common knowledge, to securing infrastructures our societies depend upon. It is, by all means, no small feat for those who try to keep up every day.

This is where I believe (ISC)2 as an organization can make the difference, but it needs more engagement from the community it created and for which it exists. We, the membership, have grown into experts in our respective fields, and we have learned both from our own successes and our own failures. We would be doing a disservice to our community if we, as the leading independent faction in our industry, didn't allow our peers to learn from the path we have walked ourselves. There is always a call for information, and there is always a need for more knowledge. What we need today is for professionals to share information among each other, as freely and as widely as possible.

I see a bright future for our profession, for (ISC)2 and for our membership, but I can also see the challenges we are facing on a daily basis. I'm personally committed to enabling our members to learn, to educate and to lead. Making sure that we have a platform that allows for information sharing in a trusted and confidential manner is but the first step. I can only ask our members to leverage the tools at hand to teach, to share and to disseminate knowledge. James Madison, undoubtedly one of the greatest statesmen that ever lived, once said, "The advancement and diffusion of knowledge is the only true guardian of liberty."

To enable our fellow professionals, new and old, to move forward, it is incumbent upon all of us to step up to the plate and make it happen. I can only be grateful to be among all of you as a member of the greatest association in our industry.

Wim Remes is the current chairperson of the board of directors. He can be reached at wremes@isc2.org.


THERE'S NO SHORTAGE OF CYBER SECURITY THREATS
BUT THERE IS A SHORTAGE OF IT SECURITY PROFESSIONALS

DO YOU HAVE WHAT IT TAKES TO BE PART OF THE SOLUTION?

Get up-to-date security skills with Capella University's Master's in Information Assurance and Security (MS-IAS). Specializations include Digital Forensics, Network Defense, and Health Care Security.

Along the way to your MS-IAS, earn up to 3 NSA focus area digital badges showcasing your mastery of skills in specific cybersecurity areas.

Plus, the knowledge you gained for your CISSP, CEH, or CNDA certifications can help you earn credit toward your MS-IAS, saving you time and money.

ANSWER THE CALL. START TODAY. CAPELLA.EDU/ISC2 OR 1.866.933.5836

See graduation rates, median student debt, and other information at www.capellaresults.com/outcomes.asp.
ACCREDITATION: Capella University is accredited by the Higher Learning Commission.
HIGHER LEARNING COMMISSION: https://www.hlcommission.org, 800.621.7440
CAPELLA UNIVERSITY: Capella Tower, 225 South Sixth Street, Ninth Floor, Minneapolis MN 55402, 1.888.CAPELLA (227.3552)
Copyright 2016. Capella University. 16-8594

FIELD NOTES
EDITED BY DEBORAH JOHNSON
A ROUNDUP OF WHAT'S HAPPENING IN (ISC)2 COMMUNITIES

(ISC)2 NAMES NEW DIRECTOR OF IT SERVICES AND SOLUTIONS

JEFF HIGHMAN, former vice president of software development at InfoZen, is the new director of IT services and solutions at (ISC)2.

In his new role, Highman is responsible for achieving goals related to a global IT strategy. He intends to use Agile development techniques to address all aspects of (ISC)2's technical infrastructure, assess new business requirements and integrate those requirements into the overall infrastructure.

Highman has 20 years of experience spanning strategy, delivery and organizational change management for large-scale organizations. His experience spans a broad range of IT services, from federal systems to commercial and cloud-based products. His work at the U.S. Patent and Trademark Office transformed the patent process from paper-based operations to a digital end-to-end process. Most recently, he pioneered the development and launch of a commercial SaaS product called Identrix.

"(ISC)2 is planning to enable the next generation of security practitioners through modern channels of engagement," he said. "Security professionals are the leaders that will pave the way for a more secure society at large. I look forward to serving this community."

Photo: Jeff Highman

MEMBER DISCOUNT FOR CYBER RISK ANALYTICS TOOL

(ISC)2 and PivotPoint Risk Analytics have joined together in a business partnership to help raise awareness of the need for cyber risk analytics. The solution, called cyber value-at-risk analytics (CyVaR), has the mission of empowering information security professionals to assess the financial impact of vulnerabilities and potential incidents to their organizations, to help them make more strategic business decisions and mitigate risks. (ISC)2 members receive a 35 percent discount off the first year of CyVaR services for their organization.

Visit the member benefits page for more information (https://www.isc2.org/member-benefits.aspx#PivotPoint). For additional information on how CyVaR works, join us at 1 p.m. Eastern time on July 12 for a discussion and demo webcast: https://www.isc2.org/security-briefings/default.aspx?commid=210143.

BE PART OF THE INDUSTRY'S LARGEST WORKFORCE STUDY

Your opinion counts! Our latest Global Information Security Workforce Study survey is out, and we need your voice to help tell the story of what the information security workforce is facing. The study will cover everything from salaries and hiring practices to training requirements and corporate attitudes. The study, sponsored by the Center for Cyber Safety and Education with research conducted by Frost & Sullivan, provides a detailed picture of the global cybersecurity workforce. We've streamlined this year's survey to 20 minutes for optimal participation. The survey is open until Sept. 30, and we'll release results in early 2017. Check your inbox for your personalized invitation to participate in the survey. For more information, please visit https://www.isc2cares.org/IndustryResearch/GISWS/.

CPEs
Please note that (ISC)2 submits CPEs for (ISC)2's InfoSecurity Professional magazine on your behalf within five business days. This will automatically assign you two Group A CPEs.
https://live.blueskybroadcast.com/bsb/client/CL_DEFAULT.asp?Client=411114&PCAT=7777&CAT=10427&Review=true

RECOMMENDED READING

Threat Modeling: Designing for Security
By Adam Shostack
Suggested by Larry Marks, CISSP

FOR A STRAIGHTFORWARD primer on threat modeling, this book is a good place to start. The author clearly frames the discussion about terminology and the corporate environment in which this methodology should be implemented, and identifies various effective approaches to implement threat modeling. There are explanations of how to examine software applications, or any system, by trying to find holes in them and ways they might be exploited.

As a guide to help a developer or security practitioner identify potential security threats in the design, there are detailed instructions, including:
• Several limited frameworks, such as STRIDE or CAPEC, to identify the various threats. These can be used as checklists to understand the architecture of the software design. In fact, the author's approach is the approach recommended by Microsoft.
• How to build data flow diagrams to better identify the threat.
• Applicability to the Agile approach of using sprints in designing, testing and releasing code.
• Scaling the process for firms of different sizes: small, medium and large.
• How to identify, assess and remediate coding issues that may involve threats before they hurt you or your customers.

Threat Modeling: Designing for Security is not intended as a technical cookbook. This book offers very practical and timely experience and significant assistance. For the most part, it succeeds.
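The two techniques the review names, STRIDE as a checklist and the data flow diagram (DFD) as the thing you run the checklist against, combine into what the book calls STRIDE-per-element: each kind of DFD element is exposed to a fixed subset of the six categories, and flows that cross a trust boundary are where the review's "holes" usually sit. The following is an added illustration for this review; it is not code from the book, from Microsoft or from (ISC)2. The element-kind to STRIDE mapping follows the STRIDE-per-element table used in the Microsoft SDL and described in the book; the three-tier sample system, its trust zones and its flows are constructed here for the example.

```python
"""STRIDE-per-element threat enumeration over a small data flow diagram.

Added example for the book review; not code from Shostack's book, Microsoft
or (ISC)2. The mapping in PER_ELEMENT is the STRIDE-per-element table from
the Microsoft SDL; the sample model in build_sample_model() is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE letters that apply to each DFD element kind. Data stores only pick
# up Repudiation when they hold logs or audit records (see Element.is_log).
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                # external_entity | process | data_store
    trust_zone: str          # e.g. "internet", "dmz", "internal"
    is_log: bool = False     # audit-log stores are also subject to Repudiation


@dataclass
class Flow:
    name: str
    src: str                 # Element.name of the sender
    dst: str                 # Element.name of the receiver
    encrypted: bool = False  # is the channel protected in transit?


@dataclass
class Model:
    elements: Dict[str, Element] = field(default_factory=dict)
    flows: List[Flow] = field(default_factory=list)

    def add(self, element: Element) -> "Model":
        if element.kind not in ("external_entity", "process", "data_store"):
            raise ValueError(f"unknown element kind: {element.kind}")
        self.elements[element.name] = element
        return self

    def connect(self, flow: Flow) -> "Model":
        for end in (flow.src, flow.dst):
            if end not in self.elements:
                raise ValueError(f"flow {flow.name!r} references unknown element {end!r}")
        self.flows.append(flow)
        return self


def enumerate_threats(model: Model) -> List[dict]:
    """Return one candidate threat per (element, applicable STRIDE category).

    Flows whose endpoints sit in different trust zones are marked as crossing
    a trust boundary; when such a flow is also unencrypted, its Tampering and
    Information-disclosure entries get a note so they surface first in triage.
    """
    threats: List[dict] = []
    for e in model.elements.values():
        letters = PER_ELEMENT[e.kind]
        if e.kind == "data_store" and e.is_log:
            letters += "R"
        for letter in letters:
            threats.append({"element": e.name, "category": STRIDE[letter],
                            "crosses_boundary": False})
    for f in model.flows:
        crosses = model.elements[f.src].trust_zone != model.elements[f.dst].trust_zone
        for letter in PER_ELEMENT["data_flow"]:
            t = {"element": f.name, "category": STRIDE[letter],
                 "crosses_boundary": crosses}
            if crosses and not f.encrypted and letter in "TI":
                t["note"] = "unencrypted flow across a trust boundary"
            threats.append(t)
    return threats


def build_sample_model() -> Model:
    """Constructed three-tier web app; not taken from the book or any real system."""
    return (
        Model()
        .add(Element("Browser", "external_entity", "internet"))
        .add(Element("Web app", "process", "dmz"))
        .add(Element("Customer DB", "data_store", "internal"))
        .add(Element("Audit log", "data_store", "internal", is_log=True))
        .connect(Flow("HTTPS request", "Browser", "Web app", encrypted=True))
        .connect(Flow("SQL query", "Web app", "Customer DB"))
        .connect(Flow("Audit write", "Web app", "Audit log"))
    )


if __name__ == "__main__":
    for t in enumerate_threats(build_sample_model()):
        flag = "  <-- " + t["note"] if "note" in t else ""
        print(f'{t["element"]:14} {t["category"]:24}{flag}')
```

Running the module prints the 24 candidate threats for the sample model; the four flagged entries are the unencrypted SQL and audit-write flows leaving the DMZ, which is exactly the kind of finding a checklist pass over a DFD is meant to produce before any code is written. The output is a list of questions to triage, not a list of vulnerabilities: the book's point is that the per-element table tells you where to look, and the DFD tells you what crosses a boundary.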

2015 (ISC)2 ANNUAL REPORT IS NOW AVAILABLE
Read our year in review at https://www.isc2.org/management-annual-reports/default.aspx.


U.S. $325 million: financial damages incurred by the ransomware CryptoWall 3 between January 2015 and April 2016.
67.3% of ransomware infections were caused by phishing.
Source: The Cyber Threat Alliance, http://cyberthreatalliance.org/cryptowall-report.pdf

272.3 million: number of stolen email accounts, most of which involved users of Mail.ru, Russia's most popular email service, followed by Google, Yahoo and Microsoft email users.
Source: Reuters, May 5, 2016


Image by iStock


CHAPTER SPOTLIGHT: (ISC)2 SINGAPORE CHAPTER

CHAPTER MEMBERS DISCUSS ALL THINGS SECURITY, EVEN JAMES BOND MOVIES

BEING RELEVANT IN a city where many security-related chapters, interest groups and events coexist is quite a challenge, but the (ISC)2 Singapore Chapter realized that it was important to create a niche where the chapter can benefit the local security community rather than just organizing (ISC)2 events for its own sake. Thus, the chapter now hosts relaxed evening events with networking over dinner at low or no cost and maintains a focus that is relatively high-level compared to local hacker events.

Now 170 members strong, the (ISC)2 Singapore Chapter was founded in 2012. The chapter's mission is to provide information security education and networking opportunities for its members. The (ISC)2 Singapore Chapter has held security seminars with Bit9+Carbon Black, Qualys, NEC, Splunk, F5 and Tenable, among others. Events have covered CCTV, breach detection, compliance, responsive security, security monitoring, bitcoin, vulnerability management, DDoS, privacy and more. Occasionally, the chapter keeps the topic light. Last November, members enjoyed an outing to watch the James Bond movie, Spectre.

The (ISC)2 Singapore Chapter assisted at the Center for Cyber Safety and Education's Safe and Secure Online booth during the RSA Conference APAC in 2015. The chapter's plans include connecting volunteers with Safe and Secure Online and similar initiatives. Expect more monthly security events and chill-out sessions in the near future.

(ISC)2 SINGAPORE CHAPTER CONTACT INFORMATION
Secretary: Vijay Luiz
Email: secretary@isc2chapter.sg
Website: https://www.isc2chapter.sg/sgp/

Photo: New Executive Committee at the (ISC)2 Singapore Chapter's Annual General Meeting, October 10, 2015.

TOP DATA BREACH TRENDS PREDICTED FOR REST OF 2016
• The EMV Chip and PIN liability shift will not stop payment breaches.
• Big healthcare hacks will make the headlines, but small breaches will cause the most damage.
• Cyber conflicts between countries will leave consumers and businesses as collateral damage.
• U.S. presidential candidates and campaigns will be attractive hacking targets.
• Hacktivism will make a comeback.
Source: Experian 2016 Data Breach Industry Forecast


(ISC)2 SIXTH ANNUAL SECURITY CONGRESS GEARS UP

MORE THAN 80 educational sessions designed to transcend all industry sectors will be available during (ISC)2's sixth annual Security Congress, taking place Sept. 12-15 at the Orange County Convention Center in Orlando, Fla. Once again co-located with the ASIS International Annual Seminar and Exhibits, the combined events will bring together nearly 20,000 security professionals from around the world.

Early registration rates are available until July 31. More details are available at congress.isc2.org.

A few notable sessions and speakers include:
• Application Security: Building a Secure Development Lifecycle on a Shoestring Budget. John Overbaugh, CISSP, chief information security officer, CyberVista.
• Cloud: Securing Your Public Cloud Infrastructure. Anthony Freed, director of corporate communications, Evident.io; Dave Lewis, CISSP, global security advocate, Akamai Technologies; Adrian Sanabria, senior security analyst, 451 Research; Tim Prendergast, CISSP, CEO, Evident.io.
• Incident Response: It's Not If but When: Creating Your Incident Response Plan. Lucie Hayward, CISSP, PMP, managing consultant, Cyber Investigations, Kroll; Michael Quinn, associate managing director, cyber investigations, Kroll.
• Mobile: Malware Activity in Mobile Networks, an Insider View. Kevin McNamee, CISSP, director, Threat Intelligence Lab, Nokia.
• People-Centric Security: Your Next CISO Should Be a Lawyer. Bruce deGrazia, CISSP, program chair, cybersecurity, The Graduate School, University of Maryland University College.
• Professional Development: Hiring, Building, and Retaining Top Security Talent. Kevin Flanagan, CISSP, CISSP-ISSMP, CISA, CISM, CEH, director, RSA; David Shearer, CISSP, CEO, (ISC)2; Deidre Diamond, founder and CEO, Cyber Security Network; Anne Saita, editor-in-chief of InfoSecurity Professional.
• Threats: Ripped from the Headlines: Demonstrations of the Year's Top Breaches. Mike Landeck, CISSP, CyberSecology.

PASSWORDS STILL THE WEAK LINK

SOME HIGHLIGHTS OF THIS YEAR'S VERIZON DATA BREACH INVESTIGATIONS REPORT, BASED ON 64,199 INCIDENTS AND 2,260 BREACHES:

63% of confirmed data breaches involved leveraging weak, default or stolen passwords.
70% of breaches involving insider misuse took months or years to discover.
95% of web app attacks where criminals stole data were financially motivated.
93% of compromises happened within minutes.
83% took weeks or more to discover.

Image by ThinkStock


PRESENTING THIS YEAR'S GISLA RECIPIENTS

Congratulations to the following recipients of this year's Government Information Security Leadership Awards (GISLA), which (ISC)2 announced at a Washington, D.C., gala in May.

Technology Improvement Individual Category
Preston Werntz, chief of technology services for the National Cybersecurity and Communications Integration Center (NCCIC), is a member of the Department of Homeland Security (DHS) team known as the Automated Indicator Sharing initiative (AIS) that works to drive federal-civilian bidirectional threat information sharing. With a history of contributing to information sharing programs, mentorship and working to break down traditional internal boundaries, Werntz led the implementation of the AIS initiative at the NCCIC and successfully drove the AIS to operation. His efforts to improve threat information sharing have led to near real-time information sharing across 50-plus non-federal entities with 10 department and agency participants.

Workforce Improvement Individual Category
Robert Collins, CISSP, CAP, is CISO of the Indian Health Service (IHS), Department of Health and Human Services (HHS), the principal healthcare advocate and provider for American Indians and Alaska Natives. He directs the IHS Division of Information Security (DIS), charged with safeguarding the healthcare information of 566 federally recognized American Indian and Alaska Native tribes. Collins' efforts to modernize the IHS cybersecurity program included the transfer of the DIS from Albuquerque, N.M., to the D.C. Metro area, which gave the program greater visibility and exposure to broader collaboration. He then created seven interoperable security teams led by subject matter experts. The result was increased accuracy and overall reporting through FISMA quarterly and annual reports and award-winning cybersecurity awareness campaigns. As a result of his leadership, the agency has increasingly built trust and a partnership with tribes by showing transparency in processes and increased confidence in the security program.

Process/Policy Improvement Individual Category
Gregory Touhill, U.S. Air Force brigadier general (retired) and deputy assistant secretary in DHS's Office of Cybersecurity and Communications, leads DHS efforts to secure federal civilian networks, help the private sector manage cyber risk, coordinate interagency response to cyber incidents of national significance and engage with DHS's international partners. In this role, he has helped to measurably advance the capability of the National Cybersecurity and Communications Integration Center (NCCIC) to provide excellent technical response, analysis and customer service. Most notably, Touhill led the team that managed the response to the Office of Personnel Management (OPM) breach. He created processes utilizing DHS technology and interagency partnerships that focused on the best outcome for both the victims and the responders. Overall, Touhill has helped to build, exercise and transform DHS processes for working with critical partners across the country and around the world and demonstrates consistent dedication to advancing growth of the 24x7 NCCIC.

Up-and-Coming Information Security Professional Individual Category
Azzar Nadvi, just two years after graduating from college, now serves as assistant to the director of the Cyber Joint Program Management Office (JPMO) at the Department of Homeland Security (DHS). After President Barack Obama signed the Information Sharing and Analysis Organizations executive order, DHS had to move quickly to build a coalition of existing information sharing organizations and gain support for the effort. With limited resources, Nadvi was placed into a role typically reserved for a more senior member of the staff. He co-developed a multi-million-dollar grant, the Notice of Funding Opportunity for the National Information Sharing Standards Organization, developed and managed the proposal and Objective Review Plan, and conducted proposal reviews, with technical analysis resulting in awardee selection. In all circumstances, he exemplified leadership and professionalism beyond his years. As a result of Nadvi's and his peers' contributions, the ISAO Standards Organization was established in record time, less than seven months.

Community Awareness Team Category
The team led by David Rosinski, information systems security manager (ISSM) at Naval Computer & Telecommunications Area Master Station Atlantic, Detachment Rota, Spain (NCTL Det Rota), provides a variety of IT services to more than 10,000 U.S. military and government personnel who are stationed or deployed within the Iberian Peninsula. Thanks to this team's outstanding efforts to provide cybersecurity awareness for both the military professional and family communities, specifically during National Cyber Security Awareness Month (NCSAM) last October, they reached the majority of the 10,000 people associated with the U.S. military in Rota, Spain, changing awareness training from a one-way message to a two-way dialogue. As a result, there have not been any cyber incidents on the local network tied to user behavior since October 2015.

Most Valuable Industry Partner (MVIP) Team Category
Cisco's Advanced Malware Protection (AMP), developed by Al Huger, vice president of engineering, is an overarching inter-architecture project that ties together Cisco security products to create one holistic security ecosystem. The AMP technology allows end users to connect security products and endpoints into one homogeneous system that communicates within itself to find breaches. The system can then educate all components within the system to handle the breach. As a result, Cisco's government customers are spending fewer human resources to monitor network health. In the long run, AMP is helping the government at all levels safely leverage network solutions to best serve its constituents.

F. Lynn McNulty Tribute Award
Richard Hale is the deputy chief information officer for cybersecurity for the Department of Defense, where he acts as CISO for the government's largest agency and, ostensibly, its most targeted. He is currently using new NIST security guidelines to update a Defense Federal Acquisition Regulation Supplement clause that would broaden the classes of information that industry must protect. He is also working across agencies to determine standards for cyber basics as they relate to unclassified information. Previously, Hale served as the chief information assurance executive at the Defense Information Systems Agency, overseeing all of the agency's information assurance activities.

Photo: David Shearer, (ISC)2 CEO, David Rosinski, Khambrel Kennedy, Martin Gasca and Kenneth Adams.
Photo: Preston Werntz, Carole Eberle and Gregory Touhill.

POWERING THE NEXT GENERATION OF IT LEADERS


FIELD NOTES

U.K. ROADSHOW BRINGS RECORD CROWD
By Lyndsay Turley

IN MARCH AND early April, I joined our managing director for (ISC)2 EMEA, Dr. Adrian Davis, CISSP, on an unprecedented United Kingdom roadshow that drew the highest attendance of any event hosted by the U.K. Council of Professors and Heads of Computing (CPHC).
Supported by the U.K. Cabinet Office, British Computing Society (BCS) and CPHC, our goal was to help computing science academics incorporate the groundbreaking Principles and Learning Outcomes for undergraduate degrees so that cybersecurity becomes a prominent component of any computer science degree program. (ISC)2 and CPHC published the guidelines in 2015.
Of the 100-plus institutional members, more than 60 universities sent representatives to the talks, providing (ISC)2 EMEA officials outstanding outreach to this important community and an opportunity to influence the academic community that teaches more than 20,000 undergraduates in computing and IT-related subjects every year.

Since September 2015, the (ISC)2 EMEA team has grown from an office of 10 to 15 people, expanding its outreach capability in education support, member services and other initiatives.

These roadshows are the culmination of a member initiative that the (ISC)2 EMEA Advisory Council began in 2012. The initiative was aimed at boosting employer confidence in new graduates despite their lack of experience, increasing awareness of cybersecurity as a career within a broad group of students, and stemming the proliferation of vulnerabilities in IT.
The (ISC)2 EMEA team supported the Advisory Council, which is made up of member volunteers who give their time to varied projects, in hosting several meetings that brought together members, academics, industry bodies and government departments. The output from these meetings led to the development of the new principles and educational outcomes for undergraduate computing science degrees.


The BCS, one of the participating industry bodies in
the project, immediately included the principles within its
degree accreditation guidelines, making cybersecurity a
mandatory component of most computing science degrees
in the U.K. The principles have since been referenced by
EQANIE, which accredits computing science/informatics
degrees at an EU level.
The work, including an upcoming white paper to
complement new competence standards and curricula
guidelines, aims to broaden knowledge and interest about
cybersecurity, the profession and the careers that are
available. The ultimate goal is to attract more students to
cybersecurity careers and to help prevent a growing serious
shortage of skilled security professionals worldwide.
As our region's largest professional body with nearly 20,000 EMEA-based (ISC)2 members, and with employment markets now demanding more certified professionals, we are actively promoting security to young adults through educational partnerships. In fact, (ISC)2 is one of three education partners that developed the U.K.'s first Extended Project Qualification (EPQ) in cybersecurity. The qualification earns secondary school credits, awarding entry points needed for U.K. universities, and can also be pursued by anyone (and at any age). It focuses on students' planning, research and practical skills.
Our efforts are creating defined entry routes and
opportunities for people to join the profession, rather than
discover it by chance. They also have an impact on many
vocations beyond security. The ambition is to address
a breadth of need and motivate the development of a
cyber-competent society that will, in the end, produce the
variety and numbers of skilled individuals needed to realize
the advantages offered by our digital world.

LYNDSAY TURLEY is director of communications and public affairs for the (ISC)2 EMEA Regional Office.


MEMBERS' CORNER
A SOUNDING BOARD FOR THOSE WITH SOMETHING TO SAY

Sean Johnson is senior manager of information security at CSAA Insurance Group, a AAA Insurer. He can be reached at sean.johnson.phx@gmail.com.

Let's Help Children Get Excited About Cybersecurity Careers
BY SEAN JOHNSON
EVERY DAY, WE read about a critical
talent shortage in the technology
sector, where a shortfall of qualified
talent will cause 25 percent of open
cybersecurity jobs to go unfilled.
This need is expected to grow by 30
percent over the next five years, yet
statistically, only 10 percent of cybersecurity jobs are held by women. It
seems clear to me that these two
problems are linked, and they share
a common solution. We need to do
more to make critical knowledge of
technology available to our future
workforce, both young men and
women alike.
We're rapidly approaching a time where half the workforce will be 30 and under, and roughly half of these professionals will be women. By not doing more to encourage both young men and women to consider careers in technology, specifically cybersecurity, we're not using our most valuable resource in combating this talent shortage: the next generation.
The success of the game Minecraft
has already shown us that technology
can resonate with both genders. We
need to do more to introduce technology to all young students in new and
interesting ways.
Both for-profit and traditional
brick-and-mortar universities have
done a lot to target the cybersecurity
talent shortage. Odds are students will already have a good idea of what they want to do professionally by this time, so it may be too late to introduce these career paths during the
college years. Addressing the talent
shortage in the long run should start
with exposure to critical technology
skills during primary education.
Sadly, computer science is only
taught in one out of four high schools
across the United States. With the
talent shortage expected to continue
unabated for another five or even
10 years, our focus needs to be on
the talent that will be entering the
workforce at those times. That means
encouraging current high school
and middle school children who
are excited about technology and
intrigued by cybersecurity, and giving
them every opportunity to explore
those fields of study. We should introduce technology and cybersecurity to all young students with the ultimate goal that many will find that technology resonates with them.
How can we help? As professionals in the trenches, we can do a lot
to help address this issue, and it all
starts by getting involved. In the near
term, talk to your HR department
about taking on interns, or consider
becoming a mentor to a high school
student. In the long term, programs
such as Cyber Patriot, Day of Code,
Girls Who Code, Safe and Secure
Online, and Technology Education
and Literacy in Schools (TEALS)
provide great opportunities to help
spark interest in younger students.
Talk to your local school board, and
volunteer to help close the gap.
To read more about the anticipated labor shortage, read the most
recent (ISC)2 Global Information
Security Workforce Study and plan to
participate in the study survey, which
is now open.

TECHNOLOGY

7 STEPS TO ENHANCE YOUR CYBER DEFENSE
HOW LOCKHEED MARTIN'S CYBER KILL CHAIN CAN DECIMATE THE ATTACKER
BY CRYSTAL BEDELL

THE EVOLUTION OF CYBER THREATS is driving the need for a new cyber defense strategy. The primary threat is no longer the massive virus outbreak that leaves a wake of destruction in its path. Instead, it's the surreptitious attack on individual corporate networks that goes undetected for weeks, sometimes months, and results in data loss. To counter these advanced persistent threats (APTs), experts advocate an intelligence-based cyber defense strategy. One such model is Lockheed Martin's seven-step Cyber Kill Chain.
PHOTO ILLUSTRATION BY JOHN KUCZALA


THE BIRTH OF A CYBER DEFENSE

In 2006, under the guidance of Rohan Amin, Eric Hutchins and Michael Cloppert developed the Cyber Kill Chain.
"We started seeing efforts to gain access to protected infrastructure at Lockheed Martin by people on the internet using technologies that were different than what we as security professionals had come to know to be commonplace," recounts Cloppert, chief analyst for the Lockheed Martin Computer Incident Response Team (LM-CIRT) based in Gaithersburg, Md. "As we started to dig in on these things, we felt we were marginally more successful than our industry peers at the time, and we wanted to capture what we were doing differently from everyone else so we could communicate it to them."
The Cyber Kill Chain refers to seven discrete phases of an attack:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and control (C2)
7. Actions on objectives

TAKING CONTROL OF THE ATTACK

Enterprise IT organizations can gain an advantage over adversaries, according to Cloppert. "It is the objective, I think, for network defenders to be able to classify as much intelligence from an intrusion as possible so that the adversary has to change each and every thing that the defender has the ability to detect, respond or mitigate against," he says, adding that each phase of the Cyber Kill Chain presents a different opportunity to gather intelligence about an attack and deploy the appropriate countermeasures to stop it.
"The beauty of it is, the adversary isn't always able to see where in the kill chain an attack fails," he asserts. "To try again and be successful, the adversary must either change everything they leveraged in the attack up to that point, or pick and choose elements to change. And each of those changes incurs some cost, be it the monetary cost to purchase a new zero-day attack, the operational overhead to manage the infrastructure, or the productivity cost to carry out a new workflow, for example."

In the paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," Hutchins, Cloppert and Amin describe the kill chain in detail and provide a Course of Action Matrix with recommended defensive measures for each phase.
At each phase of an attack, the Cyber Kill Chain acts as a guide to instruct network defenders on what they may not know about an adversary, Cloppert explains. "If I didn't have any countermeasures across the kill chain and an adversary was successful, that means potentially there's evidence in each phase of the intrusion. A robust forensic analysis of intrusion should be able to find all of this data or find some evidence in most phases, and once I find it, I can find a way to utilize it for detection and mitigation in the future."
An attacker has to complete all seven phases to successfully execute an attack. He adds, however, "because the model has a degree of determinism, if you are able to implement a mitigation at any phase, that cuts off the chain and essentially causes the adversary to have to start over."
The goal isn't simply to deploy a countermeasure at each phase of an attack and hope for the best, Cloppert advises, but to have visibility into the entire kill chain. "If an adversary makes it to phase five of the kill chain, that means the adversary was successful in the previous phases, and you can gather intelligence that enables you to implement a countermeasure to stop a future attack sooner."

SUCCESS ON THE FRONT LINE OF AN ATTACK


Robert Lee, CEO of Dragos Security, based in San Antonio, Texas, says he uses the Cyber Kill Chain to help his clients plan security investments. "The single biggest use is to identify patterns of intrusions: take individual attempts to break into the network, and identify that there is a campaign of efforts, and take proactive measures based on what we pull out of those intrusion analysis pieces."
"In principle, everyone should have visibility into each section of the network, and when appropriate, have mechanisms to block adversaries at those different levels," he adds.
Regarding Lockheed Martin, Cloppert says, "That's how we use it here. That's how we can classify all of our capabilities we have, identify gaps, and when we identify gaps that seem to be repeated over multiple intrusion attempts at a tactical level or across different capabilities at an operational level, those are the areas we want to invest money in either to procure a new solution or develop one ourselves."

CHALLENGES WITH THE CYBER KILL CHAIN


Of course, any security strategy presents challenges, and Lockheed Martin's Cyber Kill Chain is no different. The biggest challenge, however, appears to be the age-old misconception that technology is the be-all, end-all. "That will never be the case," Dragos Security's Lee says. "It's naïve to think adversaries will be stopped by a box on the network."
The other problem Lee encounters is that organizations fail to make strategic investments. Generally, people buy


SEVEN STEPS TO CONTROLLING A THREAT
Lockheed Martin's Cyber Kill Chain framework identifies the seven phases of an advanced persistent threat. To be successful, an adversary must complete all seven phases. However, a network defender can successfully stop a threat at any phase.

Step 1: Reconnaissance
The attacker collects information about potential targets to determine which one is most likely to result in a successful attack. This information is then used when carrying out the attack.

Step 2: Weaponization
The attacker prepares and stages the operation. Malware is generated (usually via an automated tool) then coupled with an exploit to create a deliverable payload.

Step 3: Delivery
The attacker launches the operation, either by controlled delivery directly against web servers or by released delivery, such as email, social media or USB.

Step 4: Exploitation
The attacker exploits a zero-day vulnerability to gain unauthorized access to the victim. The exploit can be triggered by the victim, for example, by opening an attachment in a malicious email, or by the attacker for server-based vulnerabilities.

Step 5: Installation
The attacker installs a persistent backdoor or implant in the victim's environment to enable him/her to continue to have access for a period of time.

Step 6: Command and Control
The malware opens a two-way communications channel, usually over web, DNS or email protocols, to a command and control (C2) infrastructure. This enables the attacker to remotely control the victim's environment.

Step 7: Actions on Objectives
At this point, the attacker can complete his/her mission, whether it's exfiltrating or modifying data, destroying systems, or moving laterally through the environment.

products or technologies to invest in one or two areas but not the whole kill chain. When you apply all the different security investments, that gets you defense-in-depth, but the problem is the technologies are only meant to rule out the noise. Without adding time and visibility, technology doesn't stop an attack.
Lockheed Martin's Cloppert concurs, adding, "A capability can be turned into a control with the right intelligence applied to it. A firewall is a way you can enforce principle of least privilege on the network, but if you don't know what to enforce that on, then it won't do a whole lot of good. So that's the big caveat. You can have all these technologies, but if you don't have the intelligence to codify in the technology, it won't classify as a control at least for these adversaries."
It all comes down to the human element. "A lot of it is person power, actual eyes on the problem," advises Lysa Myers, a security researcher at San Diego's ESET.
And therein lies another challenge. Most organizations are comfortable buying a product because it has a fixed cost, Lee says. Training and people are more difficult to justify. But that doesn't negate the need for people. "Solutions are meant to put the network in the defensible situation, but you have to have the people to defend it," he adds.
Despite the need for additional manpower, Myers says this approach still offers a cost benefit. "The amount you spend on a cyber defense strategy is significantly less than if you let an attack become a problem. People are under the illusion that it won't happen to them, but we're seeing every company, large and small, in every vertical, become a target. There's no discriminating. Criminals see opportunities, and they go for them."

COUNTERING KILL CHAIN CRITICISM


This emphasis on intelligence is one of the criticisms of the Cyber Kill Chain. "What you don't want is every company on earth trying to figure this out for themselves. They don't have the experience or the time," warns Tony Sager, senior vice president and chief evangelist at the Center for Internet Security in Arlington, Va.
There are not millions of unique attacks happening out there; there are millions of repeats of a very small number of patterns. The general idea of the original Lockheed


COURSE OF ACTION MATRIX

Phase                 | Detect        | Deny         | Disrupt    | Degrade            | Deceive      | Destroy
----------------------+---------------+--------------+------------+--------------------+--------------+--------
Reconnaissance        | Web analytics | Firewall ACL |            |                    |              |
Weaponization         | NIDS          | NIPS         |            |                    |              |
Delivery              | Vigilant user | Proxy filter | In-line AV | Queuing            |              |
Exploitation          | HIDS          | Patch        | DEP        |                    |              |
Installation          | HIDS          | chroot jail  | AV         |                    |              |
Command and Control   | NIDS          | Firewall ACL | NIPS       | Tarpit             | DNS redirect |
Actions on Objectives | Audit log     |              |            | Quality of service | Honeypot     |

Source: U.S. Department of Defense
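Cloppert's use of the model, classifying every capability against the matrix, finding the gaps, and investing where a gap repeats across intrusions, can be turned into a small tool. The Python below is an added example, not code from the article, the paper or Lockheed Martin: it treats the Course of Action Matrix above as a phase-by-action grid, and the capability inventory and intrusion records it runs on are constructed sample data, with each intrusion summarized by the furthest phase for which forensic analysis found evidence.

```python
"""Course-of-action gap analysis over the Cyber Kill Chain. Added example, not
code from the article, the Hutchins/Cloppert/Amin paper or Lockheed Martin."""
from collections import Counter
from dataclasses import dataclass

# Kill-chain phases in order: reaching phase N implies phases 1..N-1 succeeded.
PHASES = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
)
# Columns of the Course of Action Matrix.
ACTIONS = ("Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Destroy")
# Actions that cut the chain outright rather than slow or mislead the adversary.
BLOCKING = ("Deny", "Disrupt")


@dataclass(frozen=True)
class Capability:
    """One matrix cell entry: a capability fielded at a given phase and action."""
    name: str
    phase: str
    action: str

    def __post_init__(self):
        if self.phase not in PHASES or self.action not in ACTIONS:
            raise ValueError(f"unknown phase/action: {self.phase!r}/{self.action!r}")


@dataclass(frozen=True)
class Intrusion:
    """One analysed intrusion attempt and the furthest phase with forensic evidence."""
    ident: str
    furthest_phase: str


def build_matrix(capabilities):
    """Map every (phase, action) cell to the names of capabilities covering it."""
    matrix = {(p, a): [] for p in PHASES for a in ACTIONS}
    for cap in capabilities:
        matrix[(cap.phase, cap.action)].append(cap.name)
    return matrix


def phases_with_evidence(intrusion):
    """Every phase up to the furthest one reached holds evidence of the intrusion."""
    return PHASES[: PHASES.index(intrusion.furthest_phase) + 1]


def detection_gaps(capabilities):
    """Phases with no Detect capability: the defender has no visibility there."""
    matrix = build_matrix(capabilities)
    return [p for p in PHASES if not matrix[(p, "Detect")]]


def blocking_gaps(capabilities):
    """Phases where no Deny/Disrupt capability exists to cut the chain."""
    matrix = build_matrix(capabilities)
    return [p for p in PHASES if not any(matrix[(p, a)] for a in BLOCKING)]


def recurring_gaps(capabilities, intrusions, min_intrusions=2):
    """Detection gaps that adversaries walked through in >= min_intrusions cases,
    in kill-chain order as (phase, count): the gaps repeated over multiple
    intrusion attempts that the article says should drive investment."""
    unseen = set(detection_gaps(capabilities))
    hits = Counter()
    for intr in intrusions:
        hits.update(p for p in phases_with_evidence(intr) if p in unseen)
    return [(p, hits[p]) for p in PHASES if hits[p] >= min_intrusions]


def earliest_countermeasure_phase(capabilities, intrusion):
    """Earliest traversed phase where an existing blocking capability can be armed
    with indicators from this intrusion to stop a repeat sooner; None if no
    blocking capability covers any traversed phase."""
    covered = set(PHASES) - set(blocking_gaps(capabilities))
    for phase in phases_with_evidence(intrusion):
        if phase in covered:
            return phase
    return None


# Constructed sample inventory: a subset of the matrix on the page, with gaps.
SAMPLE_CAPABILITIES = [
    Capability("Vigilant user", "Delivery", "Detect"),
    Capability("Proxy filter", "Delivery", "Deny"),
    Capability("Patch", "Exploitation", "Deny"),
    Capability("AV", "Installation", "Disrupt"),
    Capability("NIDS", "Command and Control", "Detect"),
    Capability("Firewall ACL", "Command and Control", "Deny"),
    Capability("Audit log", "Actions on Objectives", "Detect"),
]
# Constructed sample intrusions: two caught at C2, one stopped at exploitation.
SAMPLE_INTRUSIONS = [
    Intrusion("INT-1", "Command and Control"),
    Intrusion("INT-2", "Command and Control"),
    Intrusion("INT-3", "Exploitation"),
]

if __name__ == "__main__":
    print("no visibility at:", detection_gaps(SAMPLE_CAPABILITIES))
    print("recurring unseen phases:", recurring_gaps(SAMPLE_CAPABILITIES, SAMPLE_INTRUSIONS))
```

On the sample data, Reconnaissance, Weaponization and Exploitation are traversed unseen in all three intrusions and Installation in two, while the earliest phase at which the harvested indicators could arm an existing blocking control is Delivery.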


paper was to use intelligence information about attacks to identify the key patterns, so that one could better understand and anticipate or stop attackers at various and multiple stages during the pattern, Sager says. "I believe that the vast majority of what people need to know to defend themselves is already in the public. The absence of threat intelligence is not the problem. It's the ability to translate that intelligence into action."
Lockheed Martin's Cloppert cautions that the intelligence available is not all of equal value. Information like an adversary's capabilities, intent and geographic location are what he refers to as operational level intelligence, and it tends to be ubiquitous, regardless of the size and nature of the target.
"There are elements that if you share them, everyone can benefit, but as you get more and more detailed, the likelihood of indicators being useful to defenders goes down," he says. This is simply due to the fact that every business configures its IT infrastructure differently.
Ultimately, Cloppert advises, the Cyber Kill Chain is one of many different models that all have an interplay with one another and enable people who are defending networks to think at tactical and operational levels as to how to prevent adversaries from being successful. "To the extent that this model is useful, I think people should use it, but you have to apply some level of thought to this and for whatever reason, if it's not useful, then OK. We're not talking about the universal laws of physics that are indisputable. The Cyber Kill Chain is simply a way of looking at an intrusion from the perspective of an adversary."

CRYSTAL BEDELL is a writer based in Spokane, Wash., who is a regular contributor to InfoSecurity Professional.


TECHNOLOGY

RANSOMWARE RECOVERY
HOLDING DATA HOSTAGE IS A TRENDING TRICK CYBERCRIMINALS ARE USING AGAINST YOU AND YOUR BUSINESS. IT'S TIME TO FIGHT BACK.
BY RAJ KAUSHIK

ON JUNE 27, 2014, within a matter of hours, Code Spaces, a SaaS provider offering source code management tools like Git and Apache Subversion on Amazon Web Services (AWS), turned from a rock-solid company into a dysfunctional one.
A malicious hacker reportedly got unauthorized access to its Amazon EC2 control panel and tried to extort money from the management. When Code Spaces engineers tried to change the root passwords, the malicious hacker deleted data, backups, machine configurations and offsite backups, forcing Code Spaces to close its doors. There weren't any bad business decisions (Code Spaces did not do anything wrong), but the fact is that the company lost everything. Going out of business without any inkling, within a matter of hours, is scary.
It's also a real possibility for millions of individuals and organizations. Ransomware has been around for several years, but the malware is becoming more prevalent and a problem, to the point where it now has its own lexicon, including RR for ransomware recovery.


The basic idea of cloud computing is that your applications and data are scattered out there on the internet somewhere, available for your employees to access them from any computer whenever they want. But the authentication mechanism mainly depends upon the credentials. For instance, if Bill the Bad Actor provides John the CTO's credentials to the Single-Sign-On Authenticator, then Bill the Bad Actor gains access to the whole system.

RANSOMWARE EVERYWHERE
Ransomware is a type of malware that prevents or limits users from accessing their data. One kind of ransomware, CryptoBlocker, encrypts data. The other variant of ransomware, Curve-Tor-Bitcoin (CTB) Locker, uses TOR to hide command and control (C&C) communications. TOR is freeware for enabling anonymous communication with the mastermind server. The name is an acronym derived from the original software project name, The Onion Router.
Within two months after it was unleashed in September 2013, CryptoLocker raked in an estimated $27 million for its creators. In April 2014, cybercriminals came up with more dangerous versions of ransomware, including CryptoWall and CryptoDefense. The CoinVault attack, which Kaspersky Lab detected in May 2014, even offered the free decryption of one of the hostage files as a sign of proof.
According to a recent NBC News report, ransomware has targeted at least 1 million victims nationwide, including individuals, small businesses, and even a Tennessee sheriff's office. One California dentist reported that her practice came to a standstill because ransomware encrypted all electronic patient information, scheduling software and digital X-rays. The cybercriminals demanded $500 via an onscreen prompt to restore the files.
On March 22, 2015, New Jersey school district Swedesboro-Woolwich was locked up due to ransomware CryptoWall 2.0, affecting the district's entire operation, including Partnership for Assessment of Readiness for College and Careers (PARCC) exams, which are entirely computerized.

BIG RISKS DELIVER BIG PAYDAYS


According to a public service announcement from the FBI's Internet Crime Complaint Center (IC3), CryptoWall cost U.S. businesses and consumers at least $18 million between April 2014 and June 2015. IC3 based its estimate on complaints from 992 CryptoWall victims and it includes related damages, such as the cost of network mitigation, loss of productivity, legal fees, IT services and credit monitoring services.
The Cyber Threat Alliance (CTA) is an industry group formed to study emerging cyber threats by members including Intel Security, Palo Alto Networks, Fortinet and Symantec. In a report titled "Lucrative Ransomware Attacks: Analysis of the CryptoWall Version 3 Threat," CTA found ransomware attacks very lucrative, resulting in an estimated $325 million in damages.

[Figure: An example of a ransom pop-up.]
This comprehensive report revealed the following interesting statistics:
4,046 malware samples
839 command and control URLs
5 second-tier IP addresses used for command and control
49 campaign code identifiers
406,887 attempted infections of CryptoWall 3
Global impact, but the North American region was most affected
Cyber attacks are a blow to the capability and trustworthiness of any corporation. Understandably, it is very difficult to determine the exact number of ransomware victims,
because some businesses caught in the trap would choose
to protect their brand name over coming out publicly about
the cyber-attack. Today, the ransomware threat has become
a global epidemic.

PREVENTION IS BETTER THAN CURE


A widespread ransomware campaign detected in September 2014 placed fake advertisements on websites such as Yahoo, AOL and The Atlantic. The attackers pressed CryptoWall 2.0 into service, which used Adobe Flash to exploit browser vulnerabilities and installed itself on the host computers. The attackers stole assets from reputed websites to make the malicious ads appear real.
Once a user clicked on the authentic-looking malicious ad, the user files available on the system were encrypted, and owners were denied access to the files until they paid ransom for a decryption key.
Money is the main motivator for cybercriminals. If they get ransom from a majority of their targets, they will only get bolder, greedier and more ruthless. According to the U.S. Department of Homeland Security's website, decrypting files does not mean the malware infection itself is removed. What if the malware activates and locks files multiple times in a year?
The ransom campaigns are launched against random individual computers or against selected corporations that have data in public and private clouds. The consequences from campaigns aimed at individuals and small businesses may be disastrous but limited to just those entities, but attacks against government agencies could bring major business, law enforcement and social services to a standstill.
Rather than acquiesce to ransom demands, it is time to figure out what we can do so that we don't have to give in to the demands and terms of malicious actors. This can only be done if all the doors that lead to our data are closed, and, in the case of an unauthorized entry, the invader must not be able to take over the whole environment.

RANSOMWARE THREAT MITIGATION


In today's ruthless and competitive environment, cybersecurity needs to be foolproof, as it only takes a single breach to inflict serious damage to your data and business. But in case of a security breach, we must be able to recover our systems without paying ransom, which ultimately translates into funding cybercriminals, thus making them bolder and highly sophisticated. Below are a number of useful measures that can help mitigate the risk of the ransomware threat:
Keep up-to-date: Ransomware is a constantly evolving threat. It is important to keep up-to-date with new developments through awareness training.
Impose and enforce strict employee practices:
  Avoid visiting malicious or compromised websites.
  Keep track of browser extensions and plug-ins.
  Don't click spontaneously on links embedded in emails.
  Delete spam permanently from your mailbox.
  Beware of phishing sites and traps; if you are not wary, you may instantly expose your client to security threats.
  Don't install any unauthorized software.
Update software vulnerabilities and patches: Ensure that software and operating systems in your organization are up-to-date with security patches.
Secure mobile devices: Equip all mobile devices with security solutions and a remote-wipe program. Back up their data routinely. If ransomware locks a mobile device, the remote-wipe program should reset it to an agreed recovery point.
Employ multilayered defense: Use multilayered security solutions like end-point, messaging and network protection.
Onsite and offsite backup: Store, maintain and back up data and configurations regularly.
Control system encryption: Two senior managers working in tandem should encrypt the whole system. They should also copy the decryption key to a designated, safe, unobtrusive location.

Ransomware is a thriving menace. With growing revenue, ransomware groups can keep advancing their techniques. Security practitioners need to be able to recover their systems without paying ransom. There is no bulletproof solution, but by refusing to pay we can certainly cut the veins that feed ransomware groups and bleed them dry.

Trained as a physicist and with a Ph.D. in science museum studies, RAJ KAUSHIK entered the field of IT in 2000. For the past 15 years, he has been involved in design, development and post-delivery management of enterprise applications. He has written numerous research and technical papers and popular science articles.


Accepting candy from a stranger is no longer like accepting candy from a stranger. Learn what the world's leading cybersecurity professionals do to protect their kids from the dangers of the Internet. SAFEANDSECUREONLINE.ORG
A Program of the Center for Cyber Safety and Education
CONTACT US AT: www.SafeAndSecureOnline.org

MANAGEMENT

COST-CUTTING
THROUGH CLOUD
COMPUTING
BY VINCENT MUTONGI

SAVINGS NOW DRIVES BOTH PUBLIC AND PRIVATE SECTORS TO EMBRACE THE TECHNOLOGY, BUT DUE DILIGENCE IS STILL ESSENTIAL
ILLUSTRATION BY ENRICO VARRASSO


With the emergence of cloud technology in the last decade, we've seen a paradigm shift from traditional on-premise data center environments to data and applications being hosted in the cloud. Cloud providers like Google, Amazon, Microsoft, HP and Oracle have emerged as major players and taken control of the market. Enterprises tend to play it safe by embracing only what is proven and tested, while paying little attention to the possibilities and rewards of adopting new technologies. Now that cloud computing is maturing, public and private enterprises stand to cut costs by migrating to the cloud. But before enterprises migrate their data to the cloud to save money, it is essential that they perform due diligence by running a cloud cost analysis. Such tools provide a holistic picture that can guide CIOs in deciding whether to migrate to the cloud or stay with on-premise deployments.

WHAT IS CLOUD COMPUTING ANYWAY?

Just in case you aren't familiar with cloud computing, the National Institute of Standards and Technology (NIST) defines it, in Special Publication 800-145, as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
As cloud migration gains momentum, some CIOs have pushed back, expressing security concerns about storing their data and applications in the cloud. These concerns are legitimate, but it is worth remembering that the great majority of data breaches to date have involved data stored in traditional on-premise data centers, and Gartner has characterized cloud security objections as more of a trust issue than something based on any reasonable analysis of actual security capabilities.

In March 2016, the Cloud Security Alliance published a list of cloud threats called the Treacherous 12, the top 12 cloud computing threats enterprises face this year. By exercising due diligence, a majority of cloud providers have put measures in place to mitigate these threats. For instance, in a provider-managed service, security updates are tested and applied promptly to the platform and applications, while on-premise enterprises take about 30 to 60 days to apply the same critical patches. The caveat is that this covers only what the provider operates: in an IaaS deployment the tenant still owns patching of the guest operating systems and the applications it installs on them.

When all is said and done, cloud security will remain a shared responsibility between the tenants and their cloud providers.
Gartner outlines three common cloud types most providers offer:
• A private cloud is a form of cloud computing that is used by only one organization, or that ensures that an organization is completely isolated from others.
• Public cloud computing is a type of computing where scalable and elastic IT-enabled capabilities are provided as a service to external customers using internet technologies; i.e., public cloud computing uses cloud computing technologies to support customers that are external to the provider's organization.
• Hybrid cloud computing refers to policy-based and coordinated service provisioning, used and managed across a mixture of internal and external cloud services. Basically, it's a mixture of private and public cloud services.
Before delving into the cost savings of cloud computing, let's explore the service models most cloud providers offer:
• Platform as a Service (PaaS) is a platform that allows tenants to develop, run and manage applications without the complexity of building and maintaining the infrastructure associated with large-scale application deployments. PaaS provides simplicity, scalability and reliability.
• Infrastructure as a Service (IaaS) is a virtualized, standardized, highly automated offering where compute resources, complemented by storage and networking capabilities, are owned and hosted by a cloud provider and offered to tenants on demand.
• Software as a Service (SaaS) is a software distribution model in which applications are hosted by a cloud provider and made available to tenants through a thin web client. The cloud provider uses a one-to-many model to service all tenants based on existing service level agreements.
Before deciding whether to migrate to the cloud, federal agency and private sector CIOs need to ask themselves several questions:
• What is the return on investment (ROI) from such a big migration?
• How much will this migration reduce the IT expenditures of my organization?
• What benefit-to-cost ratio will my agency realize as a result of this migration?
• What is the cost-benefit analysis of migrating to the cloud?
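One way to put numbers behind those four questions, as an added example that is not from the article: the Python model below compares cumulative on-premise and cloud spend over a planning horizon, with hardware refresh cycles on the on-premise side and a one-time migration cost plus usage growth on the cloud side, and reports the savings, the ROI on the migration spend, the benefit-to-cost ratio and the first year in which the cloud comes out ahead. Every figure in it is a constructed assumption; replace them with your own quotes and staffing numbers.

```python
from dataclasses import dataclass


@dataclass
class OnPremCosts:
    """Yearly cost picture for keeping a workload in your own data center.
    All figures are constructed assumptions for illustration, not data from the article."""
    hardware_purchase: float        # one-time capex, repeated every refresh_years
    refresh_years: int
    annual_power_cooling: float
    annual_staff: float             # share of operations staff assigned to this workload
    annual_licenses_support: float


@dataclass
class CloudCosts:
    """Yearly cost picture for the same workload hosted by a cloud provider (assumptions)."""
    monthly_compute_storage: float
    annual_staff: float             # tenant-side duties remain: identity, config, monitoring
    migration_one_time: float
    growth_rate: float = 0.0        # expected yearly growth in usage-based charges


def onprem_cost_by_year(c: OnPremCosts, years: int) -> list:
    """Yearly on-premise spend; capex lands in year 1 and again at each hardware refresh."""
    costs = []
    for y in range(1, years + 1):
        capex = c.hardware_purchase if (y - 1) % c.refresh_years == 0 else 0.0
        costs.append(capex + c.annual_power_cooling + c.annual_staff + c.annual_licenses_support)
    return costs


def cloud_cost_by_year(c: CloudCosts, years: int) -> list:
    """Yearly cloud spend; migration is a one-time cost in year 1, usage grows thereafter."""
    costs = []
    for y in range(1, years + 1):
        usage = c.monthly_compute_storage * 12 * (1 + c.growth_rate) ** (y - 1)
        costs.append(usage + c.annual_staff + (c.migration_one_time if y == 1 else 0.0))
    return costs


def cumulative(values: list) -> list:
    """Running totals, so break-even can be read off year by year."""
    out, total = [], 0.0
    for v in values:
        total += v
        out.append(total)
    return out


def compare(onprem: OnPremCosts, cloud: CloudCosts, years: int) -> dict:
    """Answer the CIO's questions over a planning horizon: total savings, ROI on the
    migration spend, benefit-to-cost ratio, and the first year the cloud is cheaper."""
    op = cumulative(onprem_cost_by_year(onprem, years))
    cl = cumulative(cloud_cost_by_year(cloud, years))
    savings = op[-1] - cl[-1]
    breakeven = next((y for y, (a, b) in enumerate(zip(op, cl), start=1) if b <= a), None)
    return {
        "onprem_total": round(op[-1], 2),
        "cloud_total": round(cl[-1], 2),
        "savings": round(savings, 2),
        "roi_on_migration": round(savings / cloud.migration_one_time, 2),
        "benefit_cost_ratio": round(op[-1] / cl[-1], 3),
        "breakeven_year": breakeven,
    }


# Constructed example figures (assumptions, not from the article).
EXAMPLE_ONPREM = OnPremCosts(hardware_purchase=400_000, refresh_years=4,
                             annual_power_cooling=60_000, annual_staff=250_000,
                             annual_licenses_support=90_000)
EXAMPLE_CLOUD = CloudCosts(monthly_compute_storage=20_000, annual_staff=150_000,
                           migration_one_time=120_000, growth_rate=0.10)

if __name__ == "__main__":
    for horizon in (1, 3, 5):
        print(horizon, compare(EXAMPLE_ONPREM, EXAMPLE_CLOUD, horizon))
```

Running it for horizons of 1, 3 and 5 years shows how much the answer depends on where the hardware refresh falls inside the window, which is exactly why a single-year comparison is not due diligence. Note that the cloud side still carries a staff line: shared responsibility means the tenant keeps people for identity, configuration and monitoring.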
With cloud adoption picking up speed, we are witnessing a large percentage of cloud applications running on the web or the internet. The majority of these apps are web front ends hosted in the cloud, backed by scaling databases, data warehouses and middleware. These virtualized, shared configurations help agencies cut costs compared with relying on individualized on-premise configurations.

A 2013 IBM study, Under Cloud Cover: How Leaders Are Accelerating Competitive Differentiation, found that organizations that embraced the cloud reported nearly double the revenue growth and nearly 2.5 times higher gross profits than companies that were more cautious about cloud computing. Further, the study found that the cloud's strategic importance to business was expected to double over the next three years.

In 2014, TechTarget conducted a survey asking respondents to choose the three most important factors driving their companies' public cloud implementation. Cost savings (54 percent), the need for elasticity/scalability (43 percent) and faster provisioning of services (42 percent) were the top drivers.

So, how does cloud migration help enterprises cut costs?

LEVERAGING ECONOMIES OF SCALE

Because the cloud provider provisions hardware on a large scale, cloud computing lets organizations enjoy large economies of scale. Since hardware in the cloud is shared among different tenants, organizations cut costs by using hardware the cloud provider already has in place. With the cost of buying and maintaining hardware resting on the cloud provider, this approach removes the intricacies of buying and disposing of old hardware. Beyond the hardware costs, cloud computing also reduces the floor space an organization must maintain. An on-premise data center requires agencies to purchase, maintain and dispose of their own equipment, which delays business transactions and escalates operational costs. Harnessing the cloud's economies of scale helps enterprises cut hardware costs.

LOW LABOR COSTS

Cloud providers host applications online via the cloud. In the cloud, the labor assigned to managing infrastructure can be significantly reduced, if not eliminated, because applications in the cloud run on automated and virtualized platforms. By migrating and leveraging the provider's staff, agencies sharply reduce the need for in-house infrastructure staff, although the tenant's own side of the shared responsibility (identity and access management, configuration, monitoring and incident response) still needs people. Cutting down on hiring and maintaining a large number of employees keeps the staff lean and efficient and reduces manpower and other human-related costs.

REDUCTION IN UPFRONT CAPITAL OUTLAYS

Most cloud providers now offer pay-as-you-go models that reduce the need for upfront capital outlays. In other words, companies in the private domain, especially small start-ups, do not need large infusions of initial capital to launch new businesses. Such models help small businesses that are struggling with IT budgets to get started, discover new ways to grow and bring additional lines of profit into their organizations.

REDUCTION IN POWER/ELECTRICITY COSTS

From a government perspective, operating hardware and software applications in an on-premise data center can cost agencies millions of dollars in power consumption and related maintenance. Having your applications run and maintained by a cloud provider in their environment cuts these expenses substantially.

In the past, a number of cloud pundits argued that greater productivity, innovation, a more agile environment, and improved SLA and licensing negotiations, not cost savings, were the drivers for cloud adoption. This school of thought has shifted dramatically. According to a 2013 study conducted by Rackspace and Manchester Business School of 1,300 companies surveyed in the U.K. and U.S., 88 percent of cloud users pointed to cost savings, and 56 percent of respondents agreed that cloud services have helped them boost profits. Additionally, 60 percent of respondents said cloud computing has reduced the need for their IT team to maintain infrastructure, giving them more time to focus on strategy and innovation. Further, 62 percent of the companies that have saved money are reinvesting those savings back into the business to increase headcount, boost wages and drive product innovation.

The potential cost of not embracing cloud technologies is enormous. Unless and until CIOs embrace the cloud, enterprises will keep spending millions of dollars supporting applications hosted in legacy on-premise data centers.

PAY ONLY FOR WHAT YOU USE

Most cloud providers offer a la carte menus to tenants. Tenants can pick and choose the solutions that meet their requirements and pay only for those. This cuts down on waste and redundancy, provided usage is actually watched: with pay-as-you-go pricing, resources that are provisioned and then forgotten keep being billed, so spending alerts and periodic clean-up belong in the cost analysis.

VINCENT MUTONGI, CISSP, is a Washington, D.C.-based ISSO with over 18 years of cybersecurity experience supporting federal government agencies. He is currently supporting Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) and cloud migration initiatives.


Free Membership Offer

Join millions of security pros who turn to SearchSecurity every day to solve their toughest security challenges. (ISC)2 member, get your FREE membership, including access to our monthly online Information Security magazine, covering issues such as:
• Malware analysis beyond the sandbox
• Defending against the digital invasion
• Regaining control of cloud compliance
• Emerging security threats from every which way
• Strategies for perimeter network security
Get your free membership and online magazine in less than 2 minutes at: www.SearchSecurity.com/ISC2


SUMMER READ

BULLSEYE BREACH

After Russian cybercriminals make off with 40 million credit card numbers, an ad hoc team launches Operation Lemonade in this excerpt from (ISC)2 member GREG SCOTT'S high-tech thriller, in which the good guys fight back.

Editor's note: Liz Isaacs is the CIO of fictitious retailer Bullseye, headquartered in Minneapolis's Nicollet Mall. Jesse Jonsen is a fraud analyst with Uncle Sam Bank, also in Minneapolis. She worked in the Bullseye fraud department before taking the job at the bank.
The Bullseye eleventh floor conference room that Liz Isaacs reserved for the report on the credit card investigation had large windows overlooking Nicollet Mall. It was nearly 10 a.m., and shoppers scurried through the light snow to buy Christmas gifts. Bullseye shoppers had no way of knowing that when they swiped their cards at the checkout counter, their card numbers would make their way to St. Petersburg, Russia.

The soft leather chairs around the oblong mahogany table filled up one by one as the members of the investigative team entered the room and took their seats. At one end of the table was Ryan MacMillan, looking groggy. In front of him sat a quart of orange juice and a box of tissues. Liz Isaacs, in a Vera Wang turquoise business suit with a Louis Vuitton raw silk blouse, stood at the door to welcome her guests. The first in was Jesse Jonsen, still wearing her well-worn black blazer, red turtleneck, and blue jeans, followed by Harlan Phillips, wearing his usual white shirt with rolled up sleeves and dark tie.

"Jesse! How have you been?" said Liz, as she bent down to give her old colleague a hug and faux kisses near both cheeks. "I can't tell you how much we miss you!"

"You know, I feel just the same way, Liz. I'd like you to meet my manager, Harlan Phillips."

Jesse and Harlan sat down on the opposite end of the table from Ryan.

Jerry Barkley came in next, with Agent Duncan behind him. When Jerry introduced himself, Liz said, "What a remarkable holiday sweater, Mr. Barkley. Is it one of ours?"

"No ma'am. I picked it up at Goodwill last year. It was quite a bargain." Jerry smiled at his lie, but noticed that Liz bit her cheek and winced.

"And Agent Duncan, I hope you're well this morning."

"Yes, ma'am, Ms. Isaacs, ma'am. By the way, did you receive the email I forwarded from Jerry?"

Liz's smile descended into a frown. "Yes, thank you. I'm sure we'll be discussing it."

Agent Duncan and Jerry sat near Jesse, while Liz went to the center of the table and fumbled with the speakerphone. As soon as she achieved a dial tone, she went over to Ryan and gave him a gentle shake on the shoulder, though she appeared to dig her fingernails into him for good measure. He looked hazily across the table at the visitors.

Liz went back near the phone. "I'd like to welcome you here today. As you know, our CEO Mr. Berger is out of the country on important business but agreed to join us by speakerphone today as a gesture of good will and cooperation."

Liz looked at a slip of paper and punched in the phone number but couldn't get through. "Ryan, could you look up the country code for Barbados?"

Jesse, Jerry, and Agent Duncan shared a furtive glance, each with a raised eyebrow.

Liz finally got Berger on the speakerphone and introduced everyone.

"Welcome to Bullseye International Headquarters, everyone," said Berger. "I understand the FBI is concerned about a possible security issue?"

"I'm Agent Duncan of the FBI. Thank you, Mr. Berger, for taking the time to meet with us this morning. Banks across the country report that about thirty million people have had their credit card numbers stolen, and everything points to Bullseye as the source of the leak."

"That's what Liz told me," said Berger. "I find that impossible to believe, but we agreed to cooperate with your investigation."

"The FBI appreciates your cooperation," said Agent Duncan. "First, let's bring everyone up to speed, starting with a report from Jerry Barkley on our forensic investigation at the Lake Street Bullseye last night. Did everyone get Jerry's email?"

"I'll forward it to you right now, Mr. Berger," said Liz, typing on her laptop.

"Mr. Berger, this is Jerry Barkley. I'm in the IT security business on special assignment for Uncle Sam Bank. I wrote down the key points of last night's investigation in some detail in that email. So, I'll just summarize briefly for you now. Basically, we observed the data flow in a store by making a credit card purchase at a checkout counter, and we watched the interaction when one of your point-of-sale terminals booted up. We spent several hours analyzing this data, and that led us to look at some structural things in your operations."

"Did you verify that credit card information is being delivered to Russia?" asked Berger.

"Not exactly," said Jerry.

"So all this discussion about a credit card leak is premature then," said Liz.

"I wouldn't say that," Jerry continued. "We found a nasty program in your point-of-sale system named GreenPOS. It appears to capture credit card data from each swipe, attach the store's zip code to the file, and then store it in unencrypted form with all the other credit card numbers from that day of sales. My credit card number was appended to that file right after I swiped it."

"Agreed, that number should be encrypted," said Liz, "but that still doesn't imply we're sending anything to Russia."

"We didn't find anything going directly to Russia. As I said in the email, the exfiltration path goes from the store to one of three servers at corporate, and then to FTP sites in either Houston, Indianapolis, or New Mexico. We don't know if the people operating those sites are in cahoots with the bad guys, or if they are simply being used."

"We have FBI teams visiting those locations as we speak," chimed in Agent Duncan.

"Our guess," continued Jerry, "is those files are all traveling to Russia. The Russians group them in batches called bases on an underground Russian website."

"Without a definite link to Russia yet," said Liz, "why are you so suspicious of these files you found?"

"For one thing," said Jerry, "the file that contained my credit card number was given a name to look like a program, when it was actually a document. The obvious conclusion is someone's trying to hide something."

"But I thought we had the best security design in the industry," said Berger. "I understand we have an excellent firewall and antivirus software. How's it even conceivable that somebody could do this?"

"That's right, Mr. Berger," said Ryan. "I designed it myself."

Images by ThinkStock

Greg Scott, CISSP, is based in Minneapolis and author of Bullseye Breach. Learn more about the book at www.bullseyebreach.com.

"Your design has a problem," said Jerry, looking at Ryan. "Every store should have its POS systems behind a firewall. All the bad guys had to do was sneak past your main firewall somehow, and then it was easy to infiltrate the computers that run your checkout counters."

Ryan looked more ashen as the conversation continued. "I took the advice of some of the finest consultants in the tech industry when I... er, when we designed that system. Besides, I still haven't heard any definite proof that correlates Bullseye, specifically, with the bogus cards that are showing up on the street."

"I should tell you then about the ten credit cards our bank issued last week," said Jesse.

Over the speakerphone, Berger blurted out, "What cards?"

"We issued ten credit cards last week to certain bank employees across the country," said Jesse. "They each went to their neighborhood Bullseye and bought one item. Then we canceled the cards and put alerts on them. Three phony cards showed up yesterday afternoon, all near the locations where they were first used. The only place they could have possibly come from was Bullseye. They weren't used anywhere else."

Several seconds of silence followed. Jerry looked at Jesse and mouthed, "Wow!" He gave a quiet, respectful nod. Jesse smiled slightly at Jerry.

"Wait a minute," said Ryan. "We don't know where this so-called leak is coming from."

"Yes," said Liz. "How did it get on our internal servers?"

"We don't know yet," said Jerry.

"I'm surprised you haven't gotten any alerts from your security team in Bangalore," said Jesse. "When I worked here, I found they were pretty good at keeping track of any suspicious activity coming in or going out of your system."

"I assure you, our team in Bangalore is watching all those alerts," said Liz. "We spent a lot of money putting all that in place."

"How do they communicate back to corporate?" asked Jerry.

"Email," said Ryan. "They email a group email address, and then a member of the security team handles it."

"Okay. Who are the group members?" asked Jerry.

Ryan and Liz looked at each other.

"Ummm," said Ryan. "The group name is SecurityOps, and we set up Danielle Weyerhauser as the only email group member... Oh, wow! I just remembered Danielle left the company two months ago. She was just an intern and left when we couldn't hire her."

"Why didn't you hire her?" demanded Berger.

"Well, sir," said Liz. "You instituted a hiring freeze for everyone except retail workers."

The room went silent again.

Jerry looked at Ryan and then Liz in disbelief. Ryan looked down. Liz stared straight ahead.

Jesse muttered under her breath, "You mean I was replaced by an intern?"

"So nobody at Bullseye is looking at alerts," said Agent Duncan after several tense seconds. "Which means, for the past two months, at least, any email to the SecurityOps group from the team in India disappeared into a black hole. You spent a lot of money to put a system in place and then you didn't use it. I suggest you resurrect the last year's worth of messages from Bangalore for analysis. We have a team coming in from Quantico eager to take a look."

Liz started to protest but Berger cut her off. "Why don't we hold off on assigning blame for now and focus on minimizing the damage and protecting Bullseye customers?"

"An excellent idea, sir," said Ryan.

"All I can say," said Liz, "is that if somebody broke into our system, it must have been a highly sophisticated operation."

"No," said Jerry. "They messed up, which made it easy for us to find their GreenPOS program. They put it in the same folder where they collected stolen card data. They're not that sophisticated. We can beat 'em."

"So what's our next step?" asked Berger.

Harlan looked at Jesse. Jesse looked at Agent Duncan. "We have more."

CENTER POINTS

Pat Craven is the director of the Center for Cyber Safety and Education and can be reached at pcraven@isc2.org.

FOCUSING ON EDUCATION AND RESEARCH INITIATIVES

How Do You Size Up?

Help us find out by participating in our next big global workforce study.

BY PAT CRAVEN

Everyone does. You can't help but compare. It's a normal thing to do. Heck, we're all human, and it's just natural to want to know: Is my salary bigger than the person's in the cube next to me? Are you being paid what you're worth? How does your company stack up against others when it comes to benefits? Or what about compensation and work environment in today's fast-changing and competitive cybersecurity world? Well, it is time to find out, and we need your help!

Every two years, (ISC)2 and the Center for Cyber Safety and Education team up with other security-focused organizations, companies and government agencies to conduct the premier Global Information Security Workforce Study (GISWS), and now is the time for you to share your insights. In just 20 minutes, you can shed some light on your corner of the security world and reveal the industry in a way that no one else does.

The GISWS survey has been totally redesigned and refocused with the help of new strategic partners like the Executive Women's Forum and the International Consortium of Minority Cybersecurity Professionals, along with guidance from top industry and research experts. The goal is to provide an even better and deeper look into the security workforce. And it all starts with you.

By now, you should have received an invitation to participate in the survey from (ISC)2 and Frost & Sullivan. If you trashed the unique URL that was sent, dig it out (check your spam box as well). Using that link will keep you from getting reminders over the next several months asking you to complete the survey. If you can't find the email, you can still take the survey by going to www.isc2.org and clicking on the link there.

To gain a comprehensive picture, it is important that as many people as possible participate from as many regions as possible. When we release the study in February 2017, it will have an entirely new look and feel. Gone will be the big book full of endless words and flat bar charts. In its place will be webpages full of interactive infographics and searchable data files. And, as an (ISC)2 member, you will get exclusive access to select online data! Also, the new GISWS report will take a more regional focus, providing you workforce information that pertains to you and your local company and not just a broad global report, information that will be of interest to you whether you're an employee or employer.

It all starts with you taking a few minutes now to fill out the survey. Do it now before your next crisis gets in the way! Come on, you know you want to know.
Image by ThinkStock

5 MINUTES WITH JASON SACHOWSKI

Jason Sachowski lives in Toronto, Ontario, Canada and is originally from Dryden in Ontario. He is the director of Security Forensics and Civil Investigations at Scotiabank and has been an (ISC)2 member for nine years.

EDITED BY ANNE SAITA

When did you realize you wanted to pursue a career in information security?

Going through high school in the mid-1990s, there weren't a great deal of technology-based courses being offered. As graduation approached, I applied for both journalism/communication and film studies at a variety of university and college programs. After several rejections, I decided to go back for one more year of high school to focus on law and policing. From there, I went on to study physical security management at Fleming College in Peterborough, Ontario, Canada.

In my graduating year, I was speaking with the program coordinator about career options, where I learned about a new program being offered by Fleming College called Computer Security and Investigation. After doing some research, I came to learn what information security and digital forensics were all about, so I decided to give the program a try. It was probably well into my second year of the Computer Security and Investigation program when I started to think that this could really turn into a career, but I was still hesitant because there really weren't a lot of jobs in the market for digital forensics. It wasn't until my last semester, when I was placed on my work term, that I came to realize that this is what I wanted to do as a career. And, well, the rest is history.
The financial industry is a prime
target for cyber attacks and therefore a bellwether for both problems and solutions. What do you
see happening within the banking
industry in terms of preventing
emerging and existing threats?

There are really a few sides of the spectrum when it comes to emerging and existing threats. The first is centered on the global changes happening in the way we conduct business. The digital transformation most organizations are experiencing is driving them to re-evaluate their business models and become more agile in finding new ways to meet customer demands that don't tie them down to the traditional brick-and-mortar approach.

The second is how we, as security professionals and everyday users, go about making sure we protect our personal and otherwise confidential information in an always connected and technology-driven society. With demand growing for organizations to provide their increasingly mobile customer bases with products that are accessible at any time and from anywhere, the lines once separating the different types of information (e.g., banking, social media) are getting blurred as devices become smarter and provide users with greater functionality.

Lastly, at the CEIC 2015 conference, I attended a keynote by Brian Krebs, where he was discussing his perspectives and insights into cyber crime and cybercriminals. During the Q&A session, I was able to ask him, from everything he has seen to date, what he thought the future held for cyber crime. He responded by describing how today's cybercriminals execute attacks independent of each other and with little knowledge of their victims. Soon, we'll see cybercriminals become much more coordinated in their efforts and have heightened contextual awareness of their victims, which means that cyber attacks will be better planned, executed, and specific data targeted for exfiltration.
An expanded version of this interview
will appear in the August issue of
Insights, a companion e-newsletter
for the (ISC)2 membership.


PUT YOUR
BRAND IN THE
SPOTLIGHT WITH

CUSTOM
CONTENT
HOPE YOU
LIKE BEING
THE CENTER OF
ATTENTION

At Twirling Tiger Media, our dedicated editorial and graphics team can create relevant and valuable content that engages and nurtures your target audience and puts you center stage as a solution to their challenges. From concept to deliverables, we are your one-source content solution.

Top Functions of Content
• Acquire new customers/members
• Increase brand relevance/influence
• Increase brand engagement
• Improve brand perception
• Improve brand awareness
• Establish brand as thought leader
• Increase loyalty

Contact Bob Ostrow today at bostrow@twirlingtigermedia.com

Our content creation capabilities include: Articles, Blogs, Case Studies, Content Marketing, Content Strategy, Custom Content, Digital Media, eBooks, Infographics, Inspirational Quotes, Leadership Guides, Marketing Collateral, Press Releases, Publications, RFPs and Proposals, SEO Copy, Success Stories, Web Content, White Papers and more!
www.twirlingtigermedia.com

TWIRLING
TIGER media
creators of content you
can sink your teeth into

Twirling Tiger Media is certified as a womens business enterprise by the Womens Business Enterprise National Council (WBENC) and federally designated as a Women-Owned Small Business (WOSB).

Cybersecurity Team Training for All Levels of IT Personnel

Through globally recognized IT security certifications and training programs, (ISC)2 provides organizations with assurance that IT personnel have been tested on industry best practices and that they possess broad cybersecurity knowledge. From on-site training and online learning options to certification exam vouchers, our training approach is customizable and flexible so that training is delivered effectively and efficiently to your IT security employees at all levels. Optimize your training budget with our tailored corporate training solution.

Get your staff trained and certified

Official Creator and Provider of: