09Nov

How Relevant is Security Convergence?


“Organizations should adopt a comprehensive and integrated strategy that encompasses all areas of security risk”
(ASIS Standard)

Historically, many organizations have managed their security functions as independent silos, without recognizing the interdependencies between the physical and the logical security worlds.

Convergence of the security disciplines is key to an effective enterprise security risk management program. Failing to integrate the disciplines will most likely raise an organization's level of risk and can introduce unnecessary vulnerabilities. At a minimum, I am talking about the information security and physical security worlds, but one could also conclude that bringing in Privacy, Risk, Compliance and Governance makes sense.

I am not surprised when I talk with a member company (or potential member company) and learn that their security functions sit in silos with little cross-communication or collaboration. I have even been engaged with members whose information security and physical security functions are siloed to the point that one side is unaware of the other's activities. This is an obvious enterprise risk management (ERM) challenge, yet there are organizations that continue to operate this way.

Security Convergence: A Holistic Approach to Security

Converged security/risk management offers a more holistic approach, and there are many benefits. In addition to physical and logical security, risk management and general business benefits can also be realized. To be clear, I am not merely talking about the merger of security organizations (although that is a viable option), but about developing practices, policy and governance that ensure all security-related activities function in a coordinated way, with each discipline supporting the others.

The first benefit of convergence is the cost savings that can be realized. Re-aligning teams may allow for better utilization of personnel: re-allocating resources to fill gaps, cross-training team members to perform duties in either domain, and so on. Leveraging teams more efficiently makes good business sense and builds continuity across all of your security-related functions. Finally, convergence exposes duplicate roles and creates the opportunity to address resource allocation properly.

Convergence should include technology as well. Consider the tools used in the physical security realm today: IP-based, centralized systems for CCTV, physical access control, alarm monitoring, and their associated systems. Bringing all of that together in a security operations center (SOC), or in several SOCs, gives security professionals a single collection and analysis point and enables the sharing of all relevant security, threat and risk data. Furthermore, having analysts from both disciplines in the same SOC increases the likelihood and speed of information sharing across the teams. Bringing teams together is to everyone's benefit.

Finally, security convergence can provide a single "hand to shake" for the organization. Aligning all security functions under a single security organization led by an executive-level security person (be it CSO or CISO) would shorten the time it takes for relevant information to reach senior leadership and decision makers. It should also reduce instances of inaccurate or erroneous information making its way to the executive suite. Depending on the structure and culture of the organization, the CSO/CISO could report to the Chief Risk Officer, the Chief Information Officer or even the Chief Executive Officer. Security risk is also a board-level conversation and should be sponsored by and owned at that level.

Benefits of security convergence include, but are not limited to:

  • Cost saving through the merger of teams and technologies
    • Reduction in tool duplication
    • Reduction in role duplication
    • Allows for the re-alignment of resources to better fit business/security goals
    • Improved information sharing
  • Increased efficiencies through the leveraging of the teams and technologies
  • Single point of contact for the flow of information to senior leadership
  • A single enterprise security vision
    • Elimination of internal “turf wars”
    • Elimination of silos of information
  • Improved alignment of business and security goals

The idea of security convergence is not new. In fact, convergence is happening whether you realize it or not. Using the same infrastructure for information and physical access control is now common and can result in real savings, improved risk mitigation and increased business and security efficiencies; we should continue down this path and accelerate the effort.


Get access to more content by becoming a member of Consortium today.


14Sep

5 Fundamental Steps for Cyber Security


Every business connected to a network is a data-rich target for cybercriminals. "Ransomware," a term rarely heard until a few years ago, is now a daily threat. IoT hacking, DDoS attacks, and insider threats are all a reality today as well, meaning the work of IT security teams is never complete. And as cyber threats and attack methods evolve, so must the way businesses think about IT security.

Michael Zanga, formerly of the Royal Bank of Scotland, stresses that having a cyber security policy document in place is the first step in protecting a business's data and other digital assets from malicious actors. "You have to start with a policy in place," says Zanga, "and it has to be comprehensive across the organization." But the policy is just that: a first step in a series of actions IT teams and businesses must commit to and stay on top of.

The whitepaper CISO Best Practices: The Starting Point for Cyber Security -- available to members of Consortium -- is based on the premise that, at some stage, all networks will face attacks that expose flaws in the system. On top of building a stakeholder approved policy document, the article covers four additional steps IT teams should take in order to be prepared for when the attack happens. These additional steps include:

  • Assuming you will be breached and developing a response plan
  • Using external parties to test the system and obtain valuable, independent assessment data on how to strengthen current and future security posture
  • Addressing the internal and external channels, including those that may come from stakeholders and employees
  • Planning ahead and instituting a system for promptly addressing ongoing changes

Join Consortium today to get access to the full article along with other information that will help keep your data, digital assets, and business brand secure.


07Sep

Half Day Training Course: Cyber Security - Advanced Threat Hunting - Virginia


Wednesday, October 11 | 8:00am - 2:00pm EST
Venue: Hilton - Crystal City, VA


Security Operations Centers must evolve if they hope to hunt for and deal with sophisticated, file-less threats capable of evading standard security measures. Only the right combination of technology, intelligence and people gives a team the ability to detect, hunt and eliminate threats and immediately execute a cyber crisis response plan.

On October 11, join CrowdStrike and Consortium Networks for an intense adversary threat hunting program: learn the latest advanced adversary techniques and tradecraft. You will advance your threat hunting skills and methods and take your organization's ability to detect and hunt to the next level.

Through real-world examples and war stories, our 24/7 Overwatch Threat Hunting Team will show you new and existing techniques adversaries use, followed by our Response Team training you on how to hunt for those techniques.

Highlights:

  • You will learn about the latest real-world hacking techniques
  • You will leave knowing how to hunt for these techniques in your environment
  • Bring your own laptop, log into our cloud environment and hunt for threats yourself using your newly acquired skills
  • See a live red team/blue team exercise

Who Should Attend:

If you manage a Security Operations Center, or are a Security Analyst, Threat Intel Analyst or Incident Responder, this is an immersive and interactive training to hunt, identify and get ahead of your attackers before a mega-breach occurs.

Agenda:

8:00AM - 8:30AM

  • Breakfast is served

8:30AM - 10:30AM

  • Overwatch Threat Hunting - War stories from the trenches; what CrowdStrike sees from 51 billion endpoint events

10:30AM - 12:30PM

  • Training - How to hunt for new and existing adversaries

12:30PM - 2:00PM

  • Track the steps of a real pen-tester through a Red Team/Blue Team Exercise (working lunch)

2:00PM

  • Close


Register now and take your organization's ability to detect and hunt to the next level.




29Aug

BEC Campaigns Target Organizations Across Sectors Using Credential Phishing


Business email compromise (BEC) scams are widely viewed as being a type of cybercrime that necessitates relatively minimal technical ability. Despite this, analysts industry-wide have observed BEC operators progressing from simple schemes such as 419 and fake lottery scams – in which unwitting victims are simply duped into sending payments to fraudsters after being promised large sums – towards experimenting with malware and creating sophisticated networks in order to quickly and reliably move money from one account to another. 

Through source intelligence, Flashpoint identified a recent credential phishing campaign that had a low detection rate due to its simplicity; the campaign relied on malicious PDF files containing embedded links that redirected potential victims to credential-harvesting phishing sites. 

Using a VirusTotal retro hunt, Flashpoint analysts identified a campaign in which threat actors sent 73 malicious PDFs in credential phishing campaigns between March 28, 2017 and August 8, 2017. These malicious PDFs targeted a range of verticals, including universities, software and technology companies, retailers, engineering organizations, real estate firms, and churches, with the goal of harvesting user credentials.

Of the 73 files identified during the retro hunt, analysts were able to identify 70 unique Uniform Resource Identifiers (URIs); many of these overlapped based on domains. Attackers used 29 different domains across these documents.
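The pivot described above, from a set of lure PDFs to unique URIs and then to the domains they share, can be reproduced offline. The following is an added example, not Flashpoint's tooling: it pulls /URI link actions out of PDF bytes, groups them by hostname, and flags links pointing outside an organization's own domains. The sample PDFs are constructed stand-ins using the reserved .invalid TLD.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input: minimal PDF fragments carrying /Link annotations
# with /URI actions. They stand in for the lure PDFs described in the article
# and are not real samples; the .invalid TLD is reserved and never resolves.
def _pdf_with_links(*uris):
    body = b"%PDF-1.4\n"
    for i, uri in enumerate(uris, start=1):
        body += (b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
                 b"   /A << /S /URI /URI (%s) >> >>\nendobj\n") % (i, uri)
    return body + b"%%EOF\n"

SAMPLE_PDFS = {
    "doc1.pdf": _pdf_with_links(b"http://lure-a.invalid/secure/view?id=1"),
    "doc2.pdf": _pdf_with_links(b"https://lure-a.invalid/secure/view?id=2",
                                b"http://lure-b.invalid/login"),
    # Same URI as doc1, plus a URI whose parentheses are PDF-escaped.
    "doc3.pdf": _pdf_with_links(b"http://lure-a.invalid/secure/view?id=1",
                                b"http://lure-b.invalid/doc\\(1\\)"),
}

# A /URI literal string: a run of backslash-escaped chars or chars that are
# neither ')' nor '\'. Hex-string form <...> is not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_uris(pdf_bytes):
    """Return every URI found in /URI (...) actions, with PDF escapes undone."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # \( \) \\ -> ( ) \
        uris.append(raw.decode("latin-1"))
    return uris

def group_by_domain(pdfs):
    """Map lower-cased hostname -> {'uris': set, 'files': set} across all PDFs."""
    by_host = defaultdict(lambda: {"uris": set(), "files": set()})
    for name, data in pdfs.items():
        for uri in extract_uris(data):
            host = (urlparse(uri).hostname or "").lower()
            if not host:
                continue  # relative or malformed link; nothing to pivot on
            by_host[host]["uris"].add(uri)
            by_host[host]["files"].add(name)
    return dict(by_host)

def campaign_stats(pdfs):
    """Counts in the shape the article reports: files, unique URIs, domains."""
    by_host = group_by_domain(pdfs)
    unique = set()
    for entry in by_host.values():
        unique |= entry["uris"]
    return {"files": len(pdfs), "unique_uris": len(unique), "domains": len(by_host)}

def external_links(pdf_bytes, trusted_hosts):
    """Return URIs in one PDF whose host is not in trusted_hosts.

    A mail gateway or sandbox can use this to flag 'view secure document'
    lures that point outside the organization's own domains.
    """
    trusted = {h.lower() for h in trusted_hosts}
    flagged = []
    for uri in extract_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        if host not in trusted:
            flagged.append(uri)
    return flagged

if __name__ == "__main__":
    print(campaign_stats(SAMPLE_PDFS))
    for host, entry in sorted(group_by_domain(SAMPLE_PDFS).items()):
        print(host, sorted(entry["files"]), len(entry["uris"]))
```

Files sharing a hostname in the output are the overlap the article describes; on a real corpus the same grouping is the starting point for a retro hunt or a blocklist.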


Image 1: A sample of the domains utilized by the actors across campaigns.

A potential victim of this phishing campaign would receive a malicious PDF containing a malicious link. Upon opening the PDF, the potential victim would be presented with a prompt to view a secure online document; when clicked, this prompt would redirect the victim to a phishing website to input their login credentials.


Image 2: Upon opening the malicious PDF, a potential victim sees a prompt to access a secure online document, which directs them to a phishing page.

Once on the phishing page, the potential victim is presented with several options to "download" the file and is asked for their organization's login credentials. Once a victim enters their credentials, the script redirects them to a document or web page owned by the targeted organization.


Image 3: A view of the phishing webpage for harvesting credentials.

If valid credentials were submitted, the actors behind the phishing campaign would harvest them. Once harvested, the threat actors would then use the compromised accounts to send phishing emails to victims’ contacts; the emails may have been viewed as “trusted” by email services given that they were coming from legitimate email accounts. This practice helps threat actors committing Business Email Compromise (BEC) gain a better foothold into target organizations, and allows them to potentially breach additional organizations. Actors can also use the credentials from compromised accounts to monitor inboxes for additional incoming and outgoing information. 


Who’s Responsible for the BEC Campaigns?

Based on analysis of the phishing emails identified by Flashpoint in VirusTotal, analysts assess with moderate to high confidence that these attacks are likely being carried out by attackers located in West Africa. This assessment rests on the originating IP addresses of the phishing emails as well as the actors' tactics, techniques, and procedures (TTPs): the focus on credential phishing, the relatively minimal use of malware, and a lack of operations security (OPSEC) practices on the attackers' part.

Based on artifacts left in the PDFs, these documents likely represent a small glimpse into the credential phishing community of West African cybercriminals.


Image 4: A phishing email sent through a cloud email service provider has a Nigerian IP address as its originating IP.

While BEC actors operating out of West Africa are broadly considered among the lowest-skilled cyber threat actors, they have been responsible for more than $5 billion USD in fraud in the last three years. In comparison, ransomware was projected to be a $1 billion USD industry in 2016, and Europol estimated that the now-defunct AlphaBay Market was responsible for almost $1 billion USD in business between its creation in 2014 and its closure in July 2017.

BEC actors and cybercriminals located in West Africa typically do not make significant efforts to enhance their OPSEC practices or conceal their locations; nevertheless, they are still largely successful in stealing billions of dollars from publicly traded and high-profile organizations each year.

Additional information on Business Email Compromise (BEC) is available in the Cisco 2017 Midyear Cybersecurity Report. Access it here.


Key Takeaways

  • Through source intelligence, Flashpoint identified a recent credential phishing campaign that had a low detection rate due to its simplicity; the campaign relied on malicious PDF files containing embedded links that redirected potential victims to credential-harvesting phishing sites. 
  • Using a VirusTotal retro hunt, Flashpoint analysts identified a campaign in which threat actors sent seventy-three malicious PDFs in credential phishing campaigns between March 28, 2017 and August 8, 2017. These malicious PDFs targeted a range of verticals, including universities, software and technology companies, retailers, engineering organizations, real estate firms, and churches, with the goal of harvesting user credentials.
  • In this campaign, attackers used compromised email accounts to send phishing emails to victims’ contacts; the emails may have been viewed as “trusted” by email services given that they were coming from legitimate email accounts. This practice helps threat actors committing Business Email Compromise (BEC) gain a better foothold into target organizations, and allows them to potentially breach additional organizations. Actors can also use the credentials from compromised accounts to monitor inboxes for additional incoming and outgoing information. 
  • Analysts assess with moderate to high confidence that these attacks are likely being carried out by attackers located in western Africa due to the originating IP addresses of the phishing emails, as well as the actors’ tactics, techniques, and procedures (TTPs), such as the focus on credential phishing, the relatively minimal use of malware, and the lack of operations security (OPSEC) practices on the attackers’ part.

This article was originally published on Flashpoint’s blog and was republished with their permission. 





22Aug

Half Day Training Course: Cyber Security - Advanced Threat Hunting


Thursday, September 21 | 8:30am - 2:00pm EST
Venue: The Westin Boston Waterfront, 425 Summer St. | Boston, MA 02210


On September 21, you're invited to join CrowdStrike and Consortium Networks for an intense adversary threat hunting program.

In this exclusive event, you'll learn the latest advanced adversary techniques and tradecraft and advance your threat hunting skills and methods.

Highlights:

  • You will learn about the latest real-world hacking techniques
  • You will leave knowing how to hunt for these techniques in your environment
  • Bring your own laptop, log into our cloud environment and hunt for threats yourself using your newly acquired skills
  • See a live red team/blue team exercise

Agenda:

8:00AM - 8:30AM

  • Breakfast is served

8:30AM - 10:30AM

  • Overwatch Threat Hunting - War stories from the trenches; what CrowdStrike sees from 51 billion endpoint events

10:30AM - 12:30PM

  • Training - How to hunt for new and existing adversaries

12:30PM - 2:00PM

  • Track the steps of a real pen-tester through a Red Team/Blue Team Exercise (working lunch)

2:00PM

  • Close


Register now and take your organization's ability to detect and hunt to the next level.




02Aug

Avecto Defendpoint | Standardized Product Testing Report


Avecto Defendpoint is an endpoint security product that combines privilege management and application control in a single agent, with the aim of eliminating administrative rights across an enterprise. Because privileges are assigned to applications rather than users, individuals can still access the applications they need to perform their jobs. Defendpoint gives users the same experience as administrators and collects data that can later be used to develop a comprehensive end-user policy. But finding the right balance between user freedom and security can be challenging: enterprises have multiple user types to balance, each of which requires a tailored endpoint configuration that doesn't compromise security efficacy.

Consortium Standardized Product Testing

Using standardized control objectives, Consortium performed independent product testing of the Defendpoint application. The Consortium assessment team performed a series of injects against the test (victim) system under three conditions:

  • Baseline system test (no security controls in place)
  • Product baseline (a high flexibility configuration)
  • Product tuned (a low flexibility configuration)

The Results

Avecto Defendpoint is a uniquely valuable solution for post-exploit protection of endpoints. Our full results include:

  • Raw testing data analytics
  • A full list of the injections used to test the product
  • Detailed findings and observations with screenshots from the HTTP shell from the attacker’s point of view

Get full access to the product testing report that includes the procedures and results from The Consortium’s standardized product testing of Avecto Defendpoint.





01Aug

Developing, Implementing and Maintaining a Data Loss Prevention (DLP) System


A data loss prevention (DLP) program ensures that sensitive and critical data is not sent outside the corporate network in an unauthorized manner. Unfortunately, many organizations rely on a software-only approach to monitor and control the flow of data, leaving large gaps that internal and external threats can exploit to damage business assets. Though technology plays an important role in any effective DLP program, it is only one component. Corporate governance, team resources, and processes also need to be established to get the most security out of the DLP framework.

Developing a business-wide DLP program requires IT to create and conduct a detailed risk assessment. The results from the risk assessment inform the CISO and other corporate stakeholders on how to proceed in implementing a DLP program. The next step of the risk assessment stage, classification of breaches, requires CISOs to identify the type of incidents that lead to data loss. This stage also identifies which internal and external groups are most likely to trigger a data loss event. The final step for the CISO is to index which departments need to be involved as part of the DLP response plan.

After risk assessment planning, the real work begins. Implementation and monitoring, resolving challenges as they arise, keeping the DLP program sustainable, and choosing between network and endpoint enforcement are just some of the challenges CISOs face when keeping corporate data safe.

Join Consortium today to get access to the full Best Practices white paper. Inside, you'll see how one CISO successfully deployed a DLP solution along with the lessons he learned along the way.


Get access to the full article by becoming a member of Consortium today.


CISO Best Practices: Engaging the Board
19Jul

When board members need to understand information security, risk, and vulnerabilities, they turn to the CIO. However, it is the CISO who typically has the most up-to-date knowledge of the information-related threats and opportunities facing the organization. With the right preparation, the CISO can engage the board with a streamlined security assessment that balances the need to deliver detailed information with operational outcomes.

In this article, Michael Zanga, former CAO of the Royal Bank of Scotland, uncovers the best practices for engaging the board. These practices include: 

Addressing Budgetary Issues

The CISO needs to convey that the level of security provided is correlated to the IT security budget the board approves. At the same time, the CISO needs to inform the board that total security doesn’t exist no matter the level of the budget approved.

Measuring Security Posture

Operational risk, internal audit, technology risk, and third party assessments are all measurements the CISO needs to succinctly explain to the board.

Developing Presentation Frameworks

“Boards don’t need a monthly update,” says Zanga. Taking this tip, the CISO needs to develop a presentation framework that gives the board exactly what they need to know. Overloading the board with information only leads to confusion.

Explaining to the Board the Role of the CISO

Board members may have different expectations of what is required of the CISO on a day-to-day basis. It is up to the CISO to explain the role and the actions taken through it to continually improve security posture.

The role of CISO is too important not to define operationally for the Board.



CISO Best Practices: Securing Big Data
28Jun

Scattered data storage and access patterns have created a scenario where enterprise information is under constant threat from internal and external actors. It’s up to the CISO to design, develop, and implement a solution that secures big data and drives business value across the organization. The CISO must also be able to justify the big data security plan to the Board and obtain critical stakeholder buy-in.

Michael Zanga, former CAO of the Royal Bank of Scotland, understands the big data strategy decisions CISOs face. In this article, he shares his best practices for:

Cleaning Big Data

Data needs to be unified, tidied, and cleaned before any thoughtful analysis can begin. More importantly, practicing good data hygiene gives all stakeholders access to the data in a way that can be understood or easily explained.

Addressing Access, Control, and Validation Concerns

After cleaning data, CISOs need to use the data patterns to identify scenarios and situations that constitute a red flag.

Presenting Big Data to the Board

CISOs should present big data findings to the board in the simplest way possible. Board members need answers and solutions to business problems, not lessons in the language and practices of big data.

Leveraging Big Data to Drive Business Value

The problems that big data exposes can also be turned into business opportunities. The more data that enters the system, the more value CISOs can extract.




14Jun

Developing a Communication Plan for a Breach


When a breach occurs, CISOs need to have a clear communication plan in place that describes to stakeholders and managers what occurred and what steps are being taken to solve the crisis. This requires the CISO to develop both internal and external communication plans. Both documents are meant to guide the board, stakeholders, and managers on the steps they should take going forward to ensure business operations proceed without further exposing the organization to additional cyber attacks.

Michael Zanga, former CAO of the Royal Bank of Scotland (RBS), understands the need for communication planning all too well. "Our business continuity plan (BCP) never really considered how to deal with hacking," says Zanga. "We had to learn about the need for an escalation-based communication plan during a breach."

Join Consortium to learn the best practices for developing a communications plan. Inside, you’ll learn more from Zanga’s experience in developing a communication plan, including:

Scenario Planning

Scenario planning asks the CISO to answer the question, “plan for what?” Without developing a range of likely scenarios, the communication plan can’t be developed.

Scenario Testing

Zanga explains the need and value-add of bringing in a third-party to conduct a risk assessment. Outside vendors can adequately stress the IT security environment, setting off triggers that put the communication plan into action. After the testing is done, the CISO can evaluate how well the communication plan performed.

Reporting

Daily system reports are an important supplement to communication plan building. Everything from port scanning to breach attempts needs to be reported for CISOs to keep the communication plan up to date. A communication plan lets organizations respond to breaches as a single, unified entity.

