Most Commonly Overlooked Components of Operational Security

I was recently asked to comment on the most commonly overlooked components of operational security. To get the correct answer, sometimes it helps to take a step back and make sure you are asking the right question. The question should be “How do you ensure that your security program satisfies your operational security requirements?” With that question, the overlooked components will be obvious.

Effective operational security requires an immense breadth of knowledge as well as an unforgiving level of technical depth and exacting performance. No one can keep all of the big-picture requirements and the associated operational details in their head, so we have to work smarter. First, organizations need to adopt a comprehensive security framework such as ISO 27002, because it forces them into a disciplined process to reason about all of the major security areas and determine how each applies in the context of their business.

Second, we need help getting the details right. If you have never read Atul Gawande’s The Checklist Manifesto, I strongly urge you to do so. He documents, in scientific detail and across fields including medicine and air travel, the dramatic improvements in outcomes that can be gained by making sure the details are performed correctly 100 percent of the time (e.g., using a pre-surgery checklist to ensure that an antibiotic was administered before surgery and that the arm opposite the target operation has the words NOT THIS ARM clearly written on it).

The best way to ensure that critical operational security components are not overlooked is to combine a big-picture framework with detailed procedures and checklists to guarantee that the simple (but critical) actions are performed correctly 100 percent of the time.

What role should security analytics play in information security programs today?

No one can argue that analyzing the security state of your IT environment (in a comprehensive and integrated manner) and taking proactive measures to prevent security incidents is the right way to manage an IT operation.  

The problem with security analytics isn’t a failure of vision; everyone agrees that we should be able to take inputs from endpoints and deep network defenses, and to collect and integrate the security event information from all the key components in the computing environment.

Further, the problem isn’t a lack of technology or tools. Without getting into personal preferences, there are highly regarded products available from IBM (QRadar), RSA (NetWitness), and LogRhythm, to name just a few.

The problem is that today, most organizations are fundamentally incapable of deploying and managing these tools. Crawl before you walk, and walk before you run. The reality is that most organizations have not yet mastered and deployed the prior generations of log analysis and security event management tools. They don’t know what normal traffic and behavior look like, so recognizing anomalies is impossible. In addition, many organizations struggle to remediate even the simple vulnerabilities and misconfigurations that are found.

Take the simple example shown below. We provide a technically sophisticated client with a simple analysis of its security vulnerabilities each month. Without belaboring the point, you can instantly see that even in an organization with skilled security staff there is no long-term trend from weak security to stronger security – and this organization is far ahead of most.

Figure: SystemExperts provides a technically sophisticated client with a simple analysis of its security vulnerabilities each month.

Marketing words pitched by industry innovators and touted by security industry analysts may define the state-of-the-art, but integrated security analytics is far out of reach for the vast majority of enterprises.

The Future of Our Energy Grid: Vulnerabilities as it Shifts from Fossil Fuels to Renewable Sources

Our electric grid is made up of generation facilities, high-voltage transmission networks, substations, renewable point generation sources, and low-voltage distribution networks.

Protecting the electric grid from cyber-attacks is complicated by its enormous scale – upwards of 7,000 power plants, more than 150,000 miles of high-voltage transmission lines, and more than 50,000 substations. Some are managed by massive regional super-utilities and others by small municipal utilities. Add the interconnections among these power systems and the complexity is unimaginable.

Two further complications are old infrastructure, which was designed to be robust against typical weather-related events but not against today’s cyber threats, and the asymmetrical nature of the threat: inexpensive small attacks can have crippling impacts on the US economy.

The core large-scale generation systems and high-voltage transmission networks are better prepared to deal with cyber-attacks than the periphery. The North American Electric Reliability Corporation (NERC) has developed rules governing Critical Infrastructure Protection (CIP). These rules describe both physical and electronic controls, such as authentication, authorization of actions, and monitoring for attacks.

Background note: cyber-attacks on electric grids are usually either Denial of Service (DoS) attacks, which tend to be brute-force attacks intended simply to overwhelm the control computers, or more sophisticated Business Process (or machine) Compromise (BPC) attacks. These BPC attacks target specific devices in the grid and disable them (think Iranian centrifuges).

The problem with wind and solar generation is that they are generally small-scale facilities that connect at the periphery – the least cyber-secure part of the grid.

One final problem to ponder is the culture of the US power industry itself; this is an industry that moves at glacial speed. It is common for technology refresh cycles to be measured in 10-year increments. That is good from a durability perspective but completely misses the mark from a cyber security perspective.

Ethical hacking: At WPI, a search for computer vulnerabilities

by Kaitlin Milliken, Correspondent, Worcester Telegram, July 16, 2017

WORCESTER – Students participating in Worcester Polytechnic Institute’s Cyber Security Club stare at their laptop screens, typing long lines of code.

They hope to find vulnerabilities in software and hack into a computer system. Each task they complete earns points.

Alex Gaines, president of the club, anticipates these weekend-long hacking competitions throughout the year.

“There’s no sleep involved,” he said. “It’s fueled completely by pizza and Mountain Dew.”

Mr. Gaines hopes to take his skills from WPI’s cyber security events into the workplace after graduation. One possibility: the growing field of ethical hacking.

Unlike cybercriminals, ethical hackers intentionally break into companies’ computer networks and report the vulnerabilities they discover. Businesses can then make changes to prevent future security liabilities.

As more information becomes digital, hacking becomes a greater threat. In 2016, more than 188,000 residents in Massachusetts were affected by a digital security breach, according to the Massachusetts Office of Consumer Affairs and Business Regulations. To reduce the likelihood of a data breach, companies increasingly rely on cyber security defenses, creating an increased demand for ethical hackers.

According to Randstad Technologies, an international company with locations in Woburn, 46 percent of internet technology executives name security as a focus for this year. Randstad’s Hot Jobs Report shows a 15 percent growth in cyber positions during 2016.

“We’re seeing tremendous growth [in the cyber security industry],” said Michael Berlin, a representative from Randstad. “It’s almost double digits every single year.”

However, the demand for specialists eclipses the supply of ethical hackers. As a result, security experts can command high pay and lucrative benefits. The median salary for a security engineer is $129,000 annually.

“The opportunity … is bigger than it’s ever been,” Mr. Berlin said. “We see cases where employees are starting to eclipse management salaries.”

Companies across the country — including Sudbury-based SystemExperts Corp. — have capitalized on the demand for ethical hackers and specialize in cyber security services.

SystemExperts Chief Executive Officer Jonathan G. Gossels said he takes pride in his company’s long-term relationships with clients, some spanning as long as 25 years. Customers range from the Mount Auburn Cemetery in Cambridge to JPMorgan Chase. SystemExperts tests clients’ digital defenses on a yearly basis or if there is a change in management.

Mr. Gossels and his team of nine experts determine how much security each company needs based on its size and the types of information it stores. After this assessment, analysts look for potential risks, using techniques that include ethical hacking.

“Everyone needs to do it,” Mr. Gossels said. “It’s like an annual physical.”

SystemExperts’ tests fall into two phases. First, analysts conduct “Internet Exposure Profiles,” focusing on vulnerabilities in a company’s firewall. The test aims to strengthen the digital filter that distinguishes benign web traffic from malicious hacking attempts.

The second assessment, referred to as “Application Vulnerability Testing,” determines the risk of internal hacking. At this stage, specialists ensure that users within the company cannot change their online privileges and gain access to sensitive information, including customer credit card and Social Security numbers.

“There’s a lot of money invested in programs [for the tests], but the most expensive part is having smart people who use them,” Mr. Gossels said.

According to Mr. Gossels, running these tests takes three to five days. While programs scan the computer networks, analysts convert pages of raw data into tangible security suggestions before sending reports to clients.

Although the company has historically looked for employees with years of experience, SystemExperts hired its first recent graduate last year from Pennsylvania State University. Mr. Gossels has also created internships for students with interest in cyber security.

Outside of specialty groups, companies of all sizes that store personal information online employ cyber security experts.

Middlesex Savings Bank of Natick, which operates a branch in Southboro and a commercial office in Westboro, has an in-house technology team. While employees fix day-to-day computer issues, they also focus on keeping digital data private. They work with security consulting firms to test their network’s defenses. The team then makes changes based on the results.

Michael Sundberg, bank vice president-information technology program assurance, says ethical hacking helps build multiple layers of safeguards to keep customers’ banking information safe.

To fill ethical hacking positions, businesses may provide training for less skilled analysts. Specialized courses allow junior employees to become certified in ethical hacking and penetration testing. Companies also reach out to those who have enrolled in comparable educational programs during their time in school.

WPI offers cyber security classes to its students. The department celebrated its 20th anniversary last year.

“We teach people both sides: how to defend … and how to think like an attacker,” said Thomas Eisenbarth, an associate professor of electrical engineering.

Mr. Eisenbarth teaches Introduction to Cryptography and Communications Security, a class that focuses on protecting digital information. He said the course is full most semesters.

While hacking can create valuable job prospects, students could abuse their skills. To prevent the misuse of hacking techniques, cyber security courses require members to sign an ethical hacking agreement. The document specifies that students may practice hacking only in class-related activities, prohibiting unmonitored activity.

Undergraduates at WPI can enroll in digital security courses, and graduate students can pursue a master’s degree in computer science with an emphasis in cyber security. According to Mr. Eisenbarth, graduates with an ethical hacking background will help meet the demand in the job market.

“Increasingly, our lives are online,” Mr. Eisenbarth said. “Transactions are digital and we need more security.”


The Best IT Security Policies Reflect the Value of Simplicity

Ninety percent of what we do to help people get better security is focused on straightforward common sense and having consistent policies and procedures.

To be good at what we do, we always work to make things as simple as possible for our customers, because we recognize human behavior: it is so much easier to remember and do simple things.

People often think of IT security as lots of mathematics and ones and zeroes, but human psychology is an equally important part of the field. Processes and procedures that take human behavior into account are always going to be much more effective.

We often see organizations that have security policies that are very long, intricate documents that need to be read and reread and reread to understand and remember. A shorter, more concise document is better. Even better, the best policies are ones that are enforced through software or hardware so they do not have to be remembered. Here are a couple of examples.

Think about security passwords. We all know that complex passwords (case sensitive, allowing special characters, etc.) are more secure and should be changed on a regular basis (depending on the business requirements, perhaps every six months). But who remembers to do that or really wants to do that on their own? Software is available to help employees manage these changes automatically, rather than requiring them to do it by themselves.

USB drives are a leading cause of viruses and malware – but people use them anyway. The solution? Software that automatically scans all devices prior to use. The result is the best of both worlds, simplicity and security, a combination of benefits we strive for.

When it comes to IT security, the bottom line is that simple and straightforward is smart.

What Comes First, the 27001 or the 27002 ISO Standards?

There is something quirky about the 27000 series of standards published by the International Organization for Standardization (ISO).

Perhaps it is presented deliberately this way as a lesson in due diligence. Perhaps it is just a random error. But the standards are in the wrong numerical order. Judging from our interactions with company IT organizations, this has sowed general and widespread confusion that should be addressed.

Namely, we have a lot of folks coming to us and telling us that they would like to be “27001 compliant.” Intuitively, this makes sense. You’d want to take care of the first in the series first (27001) and then move onto 27002.

Except, no.

Snatch the pebble from my hand, Grasshopper. You must take care of 27002 first. This is the key document standard for security-related IT issues. Creating a security policy, identifying bad guys, stopping them from accessing your network, those essential sorts of things that would be reckless for an organization of any size to ignore. Security 101, so to speak.

After mastering the 27002 standards, then and only then should your organization consider tackling 27001.

27001 is the management piece – who is managing what in your processes, developing continuous quality control – factors that are important for giant enterprises with a lot of people and departments to manage. This is more like Management 101, and frankly, a lot of it is intuitive. For smaller organizations with some management expertise (or just plain common sense), 27001 may be unnecessary.

Yes, it is confusing. For example, 27001 has an appendix in it. It is called “27002.” Say what?

The bottom line is that an organization of any size interested in developing an IT security program should align with the requirements in 27002 first, and then it can think about the requirements in 27001 later.

Last comes first. Makes perfect sense. Not really, but that’s the way it is.


Security Experts Share Top Tips for Protecting Unstructured Data

by Nate Lord, Digital Guardian, May 22, 2017

19 security professionals and business leaders share their top tips for protecting unstructured data.

From the contents of emails to intellectual property, business plans, proprietary training documentation, and much more, most enterprises manage vast amounts of unstructured data containing valuable and sensitive information. The sheer volume of unstructured data created and managed by most enterprises can be enough to drive up storage costs substantially. In addition to managing unstructured data, understanding what unstructured data is sensitive and protecting it is a crucial concern for the modern enterprise.

But protecting this data can be challenging due to the nature of unstructured data and the challenges that often exist in identifying where it resides within the enterprise network, protecting it from unauthorized access, and preventing it from exiting the secure company environment.

To gain some insight into the most effective tactics and strategies that today’s security leaders turn to when it comes to protecting unstructured data, we asked a panel of security pros and other business leaders to answer this question:

“What’s the most important tip for companies looking to protect unstructured data?”

Find out what our experts suggest for better protecting your company’s sensitive unstructured data by reading their responses below.

Jonathan Gossels

Jonathan Gossels is president of SystemExperts, an IT security and compliance consulting firm.

“Most companies are very good at protecting data that they know about and consider sensitive…”

They restrict access to the HR systems where compensation data is available. They put access controls and monitoring procedures on systems that store critical intellectual property like formulas or key financial analytics.

Typically, they have formal policies and associated technology deployments and procedures to protect sensitive data.

When someone downloads that data from a secure environment into an Excel spreadsheet or a thumb drive, all the controls are gone.

Technology can’t solve this – this is a human problem. It can only reasonably be addressed through appropriate use policies and extensive and ongoing user awareness training. Employees need to understand: DON’T TAKE SENSITIVE DATA OUT OF ITS CONTROLLED ENVIRONMENT!

To read what others have to say about protecting your company’s sensitive unstructured data, click here.

Tips to Protect Against Ransomware

Following the WannaCry outbreak, we were reading about another attack, called Adylkuzz. Both cyberthreats rely on a Windows bug that was patched on March 14 and only affect PCs that haven’t installed the latest version of Microsoft’s software updates.

In light of this news, I thought it would be timely to talk about some common sense recommendations for dealing with ransomware.

Most important, if at all possible, you don’t want to react or try to remove ransomware, you want to prevent it from ever happening. It sounds like stating the obvious — and it is!

How do you prevent it from happening? The good news is that like phishing exploits, the vast majority of recommendations are straightforward changes to software or the operating system that you use.

  • Keep your browsers, plug-ins, operating system and anti-virus up to date.
  • Don’t click on links in emails you are not 100% certain of. Just don’t! Many ransomware attacks use the tried and true phishing techniques of spamming you with malicious attachments or URL links.
  • Don’t click on ads, even on sites you trust. Another common method is for attackers to compromise legitimate sites by embedding malware in ads. Use ad blockers in your browser if you can.
  • Don’t visit suspicious or unreliable web sites.
  • Software or system changes:
    • Show hidden file extensions to make it easier to spot suspicious files
    • Don’t allow emails with .EXE extensions or double extensions (e.g., .PDF.EXE)
    • Scan ZIP archives sent in email
    • Disable the Remote Desktop Protocol (RDP)
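Two of the system changes above (reject .EXE and double-extension attachments, and scan ZIP archives sent in email) are simple enough to enforce automatically at a mail gateway. The following is an added example, not code from the original post or from SystemExperts, that applies both checks to attachment names and to the member names inside a ZIP archive. The blocked and "document" extension lists, the function names, and the sample archive are all constructed for this illustration; a real deployment would use its own policy lists.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Extensions the mail policy never accepts (constructed list for this example).
var blockedExt = map[string]bool{".exe": true, ".scr": true, ".com": true, ".bat": true, ".js": true}

// Extensions commonly used as the harmless-looking inner part of a double
// extension such as invoice.pdf.exe (constructed list for this example).
var documentExt = map[string]bool{".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".xlsx": true, ".txt": true, ".jpg": true}

// checkName returns why a file name is rejected, or "" when it is allowed.
// Names are normalised (lower case, last path element, trailing spaces
// trimmed) so that case tricks and padded names get the same verdict.
func checkName(name string) string {
	base := strings.TrimSpace(path.Base(strings.ToLower(strings.ReplaceAll(name, "\\", "/"))))
	ext := path.Ext(base)
	if !blockedExt[ext] {
		return ""
	}
	stem := strings.TrimSpace(strings.TrimSuffix(base, ext))
	if inner := path.Ext(stem); documentExt[inner] {
		return "double extension " + inner + ext
	}
	return "blocked extension " + ext
}

// checkZip opens an in-memory ZIP archive and applies checkName to every
// member, so an executable cannot hide inside a compressed attachment.
func checkZip(data []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, f := range r.File {
		if v := checkName(f.Name); v != "" {
			findings = append(findings, f.Name+": "+v)
		}
	}
	return findings, nil
}

// checkAttachment is the gateway entry point: reject by name first, then
// look inside ZIP archives. An empty result means the attachment passes.
func checkAttachment(name string, data []byte) ([]string, error) {
	if v := checkName(name); v != "" {
		return []string{name + ": " + v}, nil
	}
	if strings.HasSuffix(strings.ToLower(name), ".zip") {
		return checkZip(data)
	}
	return nil, nil
}

// buildZip builds a sample archive with the given member names (constructed
// input for the demonstration, not a captured sample).
func buildZip(names []string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		f, _ := w.Create(n)
		f.Write([]byte("placeholder content"))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	for _, n := range []string{"report.pdf", "setup.exe", "invoice.PDF.exe"} {
		fmt.Printf("%-18s verdict=%q\n", n, checkName(n))
	}
	findings, _ := checkAttachment("docs.zip", buildZip([]string{"readme.txt", "photo.jpg.scr"}))
	fmt.Println("docs.zip findings:", findings)
}
```

The double-extension check looks only at the last two extensions, which is what the e.g. in the list describes; the ZIP check does not recurse into nested archives, so a gateway that allows nested ZIPs would need to call checkZip again on members that are themselves archives.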

Having said all that, just in case you don’t prevent it from happening, the single most important task is to back up all of your important data regularly to an offline source. Offline can be as simple as a USB drive that you only plug into your system during the backup process and then unplug immediately after it is done (note: when you do plug this USB drive into your system to do the backup, the very first thing you should always do is scan it for viruses). By doing regular backups, if you are hit with ransomware, you have a safe copy of all of your data.


Disaster Recovery & Cybersecurity

I’d like to share answers to questions recently asked about disaster recovery.

1. What advice would you give to tie cybersecurity protection and IT disaster recovery together for business continuity?

There are a number of activities performed by the IT operations group within an organization that deal with disaster recovery. They include performing data backups, using primary/backup datacenters, and replicating data to backup datacenters. In many situations, determining the criticality of systems (to decide what gets backed up and how often) is done in an ad hoc manner and is not driven by a sound set of risk management principles. Developing and implementing a formalized Business Impact Analysis process will allow a company to get inputs from the business departments (as to what’s important) and help justify all the decisions made with respect to the following:

  • Recovery Time Objective (RTO), or how much time can pass before failure of the system hurts the business
  • Recovery Point Objective (RPO), or how much data (measured in time) the company can afford to lose
  • Redundancy strategies
  • Backup frequencies

The criticality of a given system drives these decisions. So, if a system were to fail or otherwise be impacted by an incident, a sound plan can be established to either:

  • Automatically failover to a redundant system with replicated data
  • Obtain and restore from backup at a backup datacenter location
  • Obtain and restore from backup at the primary datacenter location
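The answer above ties the three recovery paths to the RTO and RPO that the Business Impact Analysis assigns to each system. The following is an added example, not code from the original post, that makes that decision rule explicit: for each system it picks the cheapest recovery path whose recovery time and worst-case data loss both fit the objectives, and it flags systems for which no path fits. The recovery times, relative costs and sample inventory are constructed illustrative values, not measurements; a real plan would take them from DR test results.

```go
package main

import (
	"fmt"
	"time"
)

// Strategy is one recovery path with the characteristics that decide whether
// it meets an objective.
type Strategy struct {
	Name         string
	RecoveryTime time.Duration // time until the system is back in service
	DataLoss     time.Duration // worst-case age of the data after recovery
	RelativeCost int           // 1 = cheapest; the cheapest path that fits wins
}

// System carries the RTO and RPO assigned by the Business Impact Analysis.
type System struct {
	Name string
	RTO  time.Duration
	RPO  time.Duration
}

// candidateStrategies builds the three recovery paths for a given backup
// interval. A backup-based restore can lose up to one interval of data;
// replication loses at most a minute. Timings are constructed for this example.
func candidateStrategies(backupInterval time.Duration) []Strategy {
	return []Strategy{
		{"restore from backup at the primary datacenter", 8 * time.Hour, backupInterval, 1},
		{"restore from backup at the backup datacenter", 24 * time.Hour, backupInterval, 2},
		{"automatic failover to a replicated system", 15 * time.Minute, 1 * time.Minute, 3},
	}
}

// ChooseStrategy returns the cheapest strategy meeting both the RTO and the
// RPO. ok is false when none does, meaning the plan (or the objectives) for
// that system must be revisited with its business owner.
func ChooseStrategy(s System, backupInterval time.Duration) (best Strategy, ok bool) {
	for _, c := range candidateStrategies(backupInterval) {
		if c.RecoveryTime > s.RTO || c.DataLoss > s.RPO {
			continue // violates at least one objective
		}
		if !ok || c.RelativeCost < best.RelativeCost {
			best, ok = c, true
		}
	}
	return best, ok
}

func main() {
	// Constructed sample inventory with BIA-derived objectives.
	systems := []System{
		{"order entry", 1 * time.Hour, 5 * time.Minute},
		{"billing", 4 * time.Hour, 24 * time.Hour},
		{"intranet wiki", 48 * time.Hour, 24 * time.Hour},
		{"trading feed", 10 * time.Minute, 1 * time.Hour},
	}
	const nightlyBackup = 24 * time.Hour
	for _, s := range systems {
		if st, ok := ChooseStrategy(s, nightlyBackup); ok {
			fmt.Printf("%-13s RTO %-6v RPO %-6v -> %s\n", s.Name, s.RTO, s.RPO, st.Name)
		} else {
			fmt.Printf("%-13s RTO %-6v RPO %-6v -> no strategy meets the objectives\n", s.Name, s.RTO, s.RPO)
		}
	}
}
```

Running the sample shows the effect the answer describes: a tight RPO forces replication even when the RTO is generous, a tight RTO does the same even when a day of data loss is acceptable, and a system whose RTO is shorter than any tested failover time is surfaced as a planning gap rather than silently assigned a path.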

2. How can one use Disaster Recovery-as-a-Service to protect against or solve for security incidents?

DRaaS is not necessarily a new thing. Datacenter service providers and other companies have offered DR services like hot sites, warm sites, and even cold sites for years. The problem has always been balancing the cost of having a hot site or mirrored image of the system, with the ability to fail over automatically, against the cost of a warm site (a location with equipment, but the systems and backup data still have to be loaded) or a cold site (building only). Using a DRaaS provider allows a company to utilize a cloud-based virtualized configuration (hot or warm site) at a much reduced cost. If a particular system were to fail or otherwise be impacted by an incident, the DRaaS provider could be used to bring up the impacted system more quickly than going through the manual process to (1) obtain the backup tapes, (2) move them to the backup site, (3) configure the systems, (4) load the backups, (5) test that the backup and system are fully operational, and (6) point all other systems to the backup system.

3. How can IT disaster recovery and a strong cybersecurity plan complement each other to protect sensitive data?

Establishing a formalized Business Continuity and Disaster Recovery process, driven by a well-maintained Business Impact Analysis process, can ensure that all activities associated with a given disaster (e.g., failed systems, security incidents, or even natural disasters) are carried out based on proper planning and sound decision-making.


How to secure data across multiple platforms

by Esther Shein, Contributing Writer, April 24, 2017

When you adopt cloud services, some of your data is inevitably out of your direct control. Here’s what you need to know.

By now, moving at least some business processes to the cloud is not a question of if but when. So how do you keep your information safe while embracing all the benefits cloud computing offers?

Even if the enterprise is using private clouds and virtualization, your data may physically reside in infrastructure that is owned and operated by an external service provider.

When control is shifted to a third party that owns, operates, and manages infrastructure and computational resources, it is incumbent upon security professionals to put measures in place to maintain the safety of their data. It comes down to doing your research and due diligence, figuring out your threshold for risk, and not giving up all of the keys to the castle.

Ask questions, conduct audits

There is no single measure or technique that can keep a company’s data secure, regardless of whether you use an on-premises data center or the cloud, notes Paul Hill, senior consultant at System Experts. “When using the cloud, an organization has to understand what responsibilities are outsourced to the cloud vendor and what will remain the responsibility of the organization,” he says.

First and foremost, ask for credentials when evaluating a cloud service provider (CSP). What level of trust and reputation does the provider have in the market? How will it protect valuable data and personal information? “It’s important to ask these questions and have the CSP describe their security operational controls, such as how they handle security breaches and how threats are addressed, as well as how certain insider threats are identified and countered,” advises Thomas Hogan, sales specialist for BT Cloud Compute. Additionally, organizations should deploy identity access management to control the security credentials in the cloud and manage who has access to what information.

Hill agrees: “Without careful oversight, it is all too easy for someone in an organization to misunderstand the responsibilities and assume that the cloud provider is doing more than they really are.” For example, if a CSP states that it has achieved PCI compliance, does that mean that your applications are automatically PCI compliant? Or is the scope of the compliance limited to the payments made by customers to the CSP? “Strong IT governance by knowledgeable individuals is essential, or the organization should engage a third party with the expertise to review the issues,” he says.

“If your organization is required to keep its data within a geo-location due to regulatory issues, you should make the CSP describe how it will ring-fence or guarantee data will not cross borders,” adds Hogan. “It should also address access methods, encryption techniques, and all authentication processes needed to access data.”

In terms of the responsibilities the CSP is willing to provide, the organization needs a mechanism to determine how well the service provider is implementing the security controls, Hill says. “This is typically done by a combination of testing and relying on independent security audits under a compliance program,” he notes. “In some cases, an organization may not be satisfied by a compliance statement, and it may require that it perform its own audit.”

This tends to be more practical when using a small cloud provider. Amazon, Microsoft, and Google generally don’t allow customers to perform their own audits, he points out: “Customers of those providers usually have to be satisfied by compliance certifications and some form of testing that they can perform.”

In some cases, depending on the sensitivity of the data and the nature of the customer relationship, an organization may want or even need to assume some of the responsibilities the CSP is willing to provide, says Hill. For example, an organization might determine that it needs to encrypt its data at rest. Many cloud services provide some level of cryptographic key management. But an organization might decide that the cloud provider should not be able to decrypt the data.

“In that case, the organization will need to assume all aspects of key management or use a third party to perform the key management,” he says. “If an organization wants the ability to see any subpoenas served and control the response to them, then encrypting the data with keys under its own control is a critical control.”
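The control Hill describes, encrypting data at rest with keys the cloud provider never holds, is usually implemented as envelope encryption: each stored object is encrypted under its own data key, and that data key is in turn wrapped by a key-encryption key (KEK) kept in the organization's own key management. The following is an added example, not code from the article, from SystemExperts or from any cloud provider's SDK, showing that pattern with AES-256-GCM from the Go standard library. The object layout, function names and the object identifier used as associated data are assumptions made for this illustration; the upload step itself is represented only by the StoredObject value that would be sent to the provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is what gets uploaded to the cloud provider. It carries no
// key material the provider could use: the data key is itself encrypted
// under a KEK that never leaves the organization (assumed layout).
type StoredObject struct {
	WrappedDEK []byte // DEK encrypted under the KEK (AES-GCM, nonce prepended)
	Ciphertext []byte // data encrypted under the DEK (AES-GCM, nonce prepended)
}

// NewKEK generates a 256-bit key-encryption key. In production this key
// lives in the organization's own key store; here it is created in memory.
func NewKEK() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// sealGCM encrypts plaintext under key with AES-GCM and prepends the nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if the key or aad is wrong or the blob
// was modified, which is the property that keeps the provider out.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt performs envelope encryption: a fresh per-object DEK encrypts the
// data and the organization's KEK wraps the DEK. The object ID is bound in
// as associated data so a ciphertext cannot be swapped between objects.
func Encrypt(kek, plaintext []byte, objectID string) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK and then decrypts the data. Only a
// holder of the KEK can do this; the provider storing the object cannot.
func Decrypt(kek []byte, obj StoredObject, objectID string) ([]byte, error) {
	dek, err := openGCM(kek, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, obj.Ciphertext, []byte(objectID))
}

func main() {
	kek, _ := NewKEK()
	obj, _ := Encrypt(kek, []byte("customer ledger 2017 (constructed sample)"), "ledger-2017")
	fmt.Printf("uploaded: %d-byte wrapped key, %d-byte ciphertext\n", len(obj.WrappedDEK), len(obj.Ciphertext))
	pt, err := Decrypt(kek, obj, "ledger-2017")
	fmt.Printf("decrypted with our KEK: %q (err=%v)\n", pt, err)
}
```

The consequence for the subpoena scenario in the quote is visible in the data structure: a request served on the provider can yield only WrappedDEK and Ciphertext, and answering it with plaintext requires the organization to use its KEK, so the response stays under its control.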

To read more about securing data across multiple platforms, click here.