ISM July-August Final


  • 7/29/2019 ISM July-August Final

    1/34

JULY/AUGUST 2013
VOL. 15 | NO. 06
INFORMATION SECURITY

Unlock New Pathways to Network Security Architecture
Consolidation and new platforms hold promise for security teams.

THIRD-PARTY RISK HORROR STORIES?!!
IS BIG DATA SECURITY EDUCATION A BIG FAILURE?
SECURE NETWORK ACCESS AND ENTERPRISE MOBILITY
THE LEGACY OF SB 1386
MOBILE SECURITY BY THE NUMBERS


INFORMATION SECURITY | JULY/AUGUST 2013

EDITOR'S NOTE
THE LEGACY OF SB 1386
SECURITY EDUCATION
NEW PATHWAYS TO NETWORK SECURITY
THIRD-PARTY RISK HORROR STORIES?!!
MOBILE SECURITY BY THE NUMBERS

Secure Network Access and Enterprise Mobility
We polled readers on enterprise mobile device security and the results are in. BY KATHLEEN RICHARDS

EDITOR'S DESK

WE CRUNCHED THE numbers in this month's issue to get your take on mobile device security and noticed some telling trends. Access control has moved to the top of many organizations' security lists in 2013 as device control continues to give way to bring your own device. The data from our annual Enterprise Mobile Security Survey, fielded in Q2 2013, is presented in "Mobile Security by the Numbers." Thanks to the 768 IT and security professionals that participated in the SearchSecurity.com survey.

Enterprise mobile security (and data loss prevention) gets even more fun when you add the host of services and networks that mobile devices access regularly throughout the day. In our cover story this month, virtualization infrastructure guru Dave Shackleford looks at how some organizations are starting to control traffic at different layers of their networks and use emerging technologies that facilitate traffic capture, analysis and control. In addition to new isolation techniques, organizations today are looking to collapse their infrastructure through virtualization and unified platforms, outside of UTM, writes Shackleford. In his day job as principal consultant of Voodoo Security, Shackleford already sees Fortune 100 companies replacing traditional Layer 3/4 firewalls and IDS/IPS with next-generation firewalls and virtual appliances.

As we look ahead at emerging technologies designed to facilitate network security architecture in the new world of mobility and cloud services, we also decided to


take a look back. Ten years ago, Randy Sabett, CISSP (and now counsel at ZwillGen), examined how to achieve compliance with the then-new California SB 1386 privacy law. As Sabett explained in Information Security magazine in June 2003:

"California's new privacy law (SB 1386), which goes into effect July 1, requires any company that conducts business in California and owns or licenses computerized personal data to notify California residents of any actual or suspected security breach that compromises the security, confidentiality or integrity of that information."

This issue, we invited him back to tell us what's changed (if anything) in the last 10 years; how the California privacy laws influenced future legislation that requires proactive security measures to prevent data breaches and why some states still don't offer these protections.

We'd also like to welcome back MacDonnell Ulsch to Information Security magazine. Now CEO and chief analyst at ZeroPoint Risk Research, Don authored this month's feature on third-party vendor risk management and what's required in top notch service-level agreements. He tackled this timely topic as U.S. service providers, among others, worry about the global fallout of Eric Snowden's allegations against the NSA and its effects on selling data storage and related services.

Finally, our education columnists, Doug Jacobson and Julie A. Rursch, instructors in the electrical and computer engineering department of Iowa State University, tell us why big data education is so hard. "Given the void in big data education, it should come as no surprise that the security of big data is not covered in most curriculums," they write. Could industry partnerships help?

Enjoy the issue and let us know what you think.

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath. Send comments on this column to [email protected].


    DATA BREACH NOTIFICATION LAW

The Legacy of SB 1386
A decade after becoming law, the ripple effects of California's SB 1386 have surfaced in a new breed of proactive, granular state data privacy laws. BY RANDY SABETT

WHETHER OR NOT you view the passage of California's SB 1386 data privacy law in 2003 as a watershed moment in the information security world, few can argue that its enactment significantly changed the infosec playing field.

Although federal legislation had covered certain industry verticals (e.g., GLBA and HIPAA/HITECH), most activity involving broadly applicable privacy and information security laws has occurred at the state level. SB 1386 initiated much of this activity.

Over time, a definite trend has emerged: reactive state laws dealing with cybercrime have given way to proactive laws requiring affirmative steps to secure information systems.

REACTIVE STATE DATA PRIVACY LAWS
Early state data privacy laws criminalized various activities that today would collectively be referred to as "hacking." These reactive laws focus primarily on the hacker, an elusive entity that even if apprehended could not, in most cases, make a victim whole again. These laws often came into play only after a breach event had occurred involving the data of a particular state's residents. Other than the slight deterrent effect that they might have, the antihacking laws have done little to prevent cybercrime from occurring. Because of this, state legislatures began to realize the need to focus on other parties in the chain of liability.

By passing SB 1386 in 2003, California became the first state with a data breach notification law. With it, not only would the actual wrongdoer be criminally liable, but


entities that allow a breach to occur also might bear some liability. Other states soon followed, some with bright-line legal tests for determining breach occurrence while others have a subjective risk-based standard. Some laws have GLBA or HIPAA safe harbors; others do not. All, however, are still reactive, because they don't kick in until a breach has already occurred. At a minimum, they have created a negative incentive and increased the visibility of information security.

PROACTIVE STATE DATA PRIVACY LAWS
California continued its lead role by passing AB 1950 in 2004. Unlike data breach laws, AB 1950 focuses on whether an entity has in place "reasonable security procedures and practices." This was one of the first of its kind: a broad-reaching proactive data security statute that places obligations on parties before a breach event has occurred. (Although both HIPAA and GLBA have a similar structure, they are limited to specific industry verticals and are not broadly applicable to all businesses that collect or maintain sensitive personal information.) Many states have now followed suit with similar proactive laws that require reasonable security measures.

GRANULAR INFORMATION SECURITY LAWS
If we view antihacking laws as a first wave, data breach notification laws as a second wave, and reasonable security measures laws as a third wave, a new fourth wave of state information security laws is emerging. The laws in this fourth wave represent an attempt by state legislatures to pass much more granular provisions. To date, Oregon, Massachusetts and Nevada have the most detailed requirements, with Minnesota not far behind.

In Oregon, SB 583 requires companies to implement an information security program that includes administrative, physical and technical safeguards. It then specifies measures for each class of safeguards deemed to be in compliance with the law.

Detailed data security regulations in Massachusetts, 201 CMR 17, took effect in March 2010 and require companies to implement a comprehensive information security program along with certain administrative, technical and physical controls to protect sensitive personal information. Highlights include retaining third-party service providers that can implement appropriate security measures and contractually requiring such measures.

The most compelling trend besides granularity is the incorporation of commercial standards (in particular, elements of the Payment Card Industry Data Security Standard or PCI DSS) into state law. Two states, Nevada and Minnesota, have codified or partially codified the PCI DSS. In Nevada, a business that accepts payment cards must comply with the PCI DSS. This creates a type of "safe harbor." If the entity is PCI-compliant and the


breach is not caused by the gross negligence or intentional misconduct of the entity, it will not be liable under the law for damages for a security breach.

The Minnesota law reflects only one part of the PCI DSS and, in many respects, codifies obligations already contained in merchants' contracts with the card brands. The law forbids entities that handle credit card information from retaining the card security code, PIN or contents of any track of magnetic stripe data after the transaction is authorized. Companies not in compliance with the statute are liable for any fraudulent transactions that result from such noncompliance, as well as the costs of replacing compromised cards.

DATA PRIVACY LAWS: WHAT'S NEXT?
I am certainly not a prognosticator and I don't play one on TV. Having said that, I do believe the trend of increasingly proactive and granular state data privacy laws will continue to evolve in two ways.

First, states will press forward with innovative laws that focus on information security and further refine the obligations of the various stakeholders, specifically the enterprises that collect, process, and maintain data. This may frustrate those entities that employ a somewhat common framework-based approach to compliance, using a single set of controls that cover the existing patchwork of laws. Those companies that select one of the most stringent laws and meet its requirements may find the need to update their security posture in response to the legislative leapfrogging that could occur.

Second, I believe that we will eventually see data privacy legislation become law at the federal level, though the broad nature of some of the bills over the past few years makes passage difficult. For now though, it seems that there are too many stakeholders with varied interests to get an omnibus-style bill on the books. That may change quickly, however, should some type of drastic event occur that gets everyone aligned. Hopefully, that won't be the case.

RANDY V. SABETT, J.D., CISSP, is counsel in the Washington, DC office of ZwillGen PLLC and has more than 20 years of infosec experience, including as an NSA cryptography engineer. He counsels clients on information security, IT licensing and intellectual property. He served on the Commission on Cybersecurity for the 44th Presidency and he has been recognized as a leader in privacy & data security in the 2007-2013 editions of Chambers USA. Sabett is an adjunct professor, a frequent lecturer and author, and has appeared on or been quoted in a variety of national media sources.


    SECURITY EDUCATION

Is Big Data Security Education a Big Failure?
Big data presents big challenges for computer science programs from classification to cloud security. Are industry partnerships the answer? BY DOUG JACOBSON AND JULIE A. RURSCH

WHEN IT COMES to integrating information technology trends into the curriculums of many universities and colleges, the educational system has fallen behind the learning curve. This is true for big data education, and unfortunately, the IT security needed to protect unstructured information.

The concepts related to the handling of large amounts of data are briefly touched on in courses that focus on databases or algorithms. But when big data is addressed in an algorithms class, it's primarily as a justification for teaching different sorting algorithms, essentially, ordering lists in big data projects.

If universities do offer classes on big data, it is often as graduate-level coursework. Despite few computer engineering or computer sciences classes that focus specifically on big data, we see the concept show up in other courses; bio-informatics, for example, where processing big data is required to complete a task.

SECURITY OPTIONAL
Given the void in big data education, it should come as no surprise that the security of big data is not covered in most curriculums. Even the newly proposed National Security Association and Department of Homeland Security focus areas for the National Centers of Academic Excellence list big data security as an optional knowledge unit in three content areas.

Security of big data is important, but it is difficult to teach for many reasons: the terminology, current


security and monitoring systems, physical infrastructure, and that's just for starters. First and foremost, it is hard to classify what is meant by the term "big data." It implies incomplete knowledge of what data points may be in the storage set, and trying to secure that which is unknown is difficult. Think about data loss prevention; it's difficult, if not impossible, to tell if sensitive data is leaving the facility when the data isn't enumerated.

We're not teaching big data security. But in our defense, how can we secure something that is hard to classify? Furthermore, how can we teach others how to secure it? The new classification of big data presents a basic problem that needs resolution before we provide solutions.

NEW SECURITY METHODS
Does the new classification of big data mean new security methods are warranted, or can we use methods that currently are deployed, only on a larger scale? In the case of big data, we argue that the size and complexity require more than just scaling current data security methods.

If we can get beyond the terminology and lack of knowledge, we need to rethink the implementation of security and monitoring systems in big data situations. In current security and monitoring systems, writing to and reviewing log files is the primary technique used to capture events and indicate when security breaches are attempted or have succeeded. In today's world, we hear lamentations of how large log files grow and how difficult it is to separate the useful data from the noise, even with the help of a vendor's product. In the world of big data, the complexity of security and monitoring systems only grows exponentially.

Although many factors complicate big data security, one final issue we want to note is that big data often lives in the cloud. Therefore, the discussions about security methods for big data include cloud security. Neither of these topics is mature, and organizations taking security measures will need to consider how these measures will work with cloud data.

From the educational perspective, we believe that teaching big data security starts with the fundamentals of data security that are taught in all security programs. There is no stronger foundation for big data security discussions than a deep and broad understanding of security concepts; however, the additional complexities that big


data adds to the problem of security need to be included in the curriculum.

While we believe the best way for students to learn is through laboratory experiments or simulations, developing big data security exercises may prove more difficult than traditional security exercises. If we argue that a definition of big data could be developed and universally accepted, we still see obstacles to overcome. Currently, students work with intrusion detection and data loss prevention, but not in a big data environment. And, we have found, they really aren't prepared to handle the massive amount of data that pours in from security devices, network monitoring and data loss monitors. Laboratory experiments have to be carefully crafted to not overwhelm students, but also provide the look and feel of big data.

NO MEANINGFUL DATA
Unfortunately, access to realistic and meaningful data is difficult in higher education. We cannot have access to real big data because, in many cases, it is private. We need to develop example data sets of big data in which the data types match different industries. This is a perfect place for academia to partner with vertical industries or industry trade groups to develop these data sources. And we, as educators, need to be innovative in combining cloud and big data security concepts and encouraging our students to think about these topics.

So, what can we realistically hope to accomplish in the area of big data security education? We would hope that as educators we can help our students learn the fundamentals needed to adapt to ever changing threats and technologies. While today the current topics are big data and cloud security, tomorrow's topics are unknown. As educators we are bound to include the most current security topics and issues such as big data and cloud security for our students. However, we must also strive to educate our students so they can adapt to changes once they leave our hallowed halls.

DOUG JACOBSON is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.

JULIE A. RURSCH is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry.


    COVER STORY: NETWORK SECURITY ARCHITECTURE

NEW PATHWAYS TO NETWORK SECURITY
Want to shed appliances? Consolidation and new platforms hold promise for security teams. By Dave Shackleford

IN AN INTERESTING paradox, enterprise networks have experienced unprecedented sprawl and significant consolidation over the past 10 years. With new technology and application use at an all-time high, security teams require different ways to isolate, monitor and control traffic within their data centers and extended networks.

What network isolation and segmentation techniques are many companies now considering? How can consolidation and collapse of feature sets into unified platforms, and more condensed network security architecture at the perimeter secure sensitive data and corporate assets?

While security isn't the primary driver of major network architecture overhauls, new threats are leading more organizations to re-architect portions of their networks. For some large organizations, the continued rise of devastating distributed denial-of-service (DDoS) attacks, embedded HTTPS control channels, and sophisticated malware may necessitate a redesign focused on network security architecture.

Business growth or operational changes can also increase the need to refresh network security architecture.


These design changes are often coupled with equipment upgrades and replacement scenarios. For many enterprises, compliance is the major driver for changes in both security and general IT operations. Any technology or internal design change that can limit or reduce the scope of the environment for compliance can save money and time in years to come. Isolation of systems, applications and network segments that handle payment card data, for example, can go a long way to limiting the scope of PCI DSS audits.

ISOLATION AND SEGMENTATION TECHNIQUES
Regardless of motivation, new considerations are driving the way networks are designed. In the past, many organizations used a traditional single or dual-firewall architecture that divided networks into segments at Layers 3 and 4, limiting IP address ranges and TCP/UDP ports that could traverse one segment or another. While this network security architecture is still the most common, more organizations are starting to control traffic at different layers and use emerging technologies that facilitate traffic capture, analysis and control.

• Software-defined networking for monitoring and isolation: SDN is an emerging technology that implements network control through software and scripting in switches and centralized controllers. It's heavily touted as a way to help security professionals implement access controls and traffic filtering, packet capture and monitoring, and isolation of traffic at Layers 2 and above. In March, Microsoft Principal Network Architect Rich Groves gave a talk describing the company's use of the OpenFlow specification and commodity switch hardware to send large quantities of packet data to network monitoring devices (Figure 1). This same technique can easily be used to quarantine and isolate packets with specific attributes, potentially helping defeat DDoS and other attacks.

• Layer 2 isolation: While the use of virtual LANs (VLANs) to segment broadcast domains in a network is not new, more organizations are strategically using VLANs and private VLANs as a segmentation strategy for sensitive domains. Many newer switches, including Cisco Systems' Nexus series and Juniper Networks' EX devices, can also accommodate VLAN access control lists that allow for filtering based on MAC addresses and forwarding and capture of packets.

• Isolation at virtual network layers: The use of virtual firewall appliances and newer virtual switches such as the Cisco Nexus 1000v, Juniper vGW line, and Open vSwitch is starting to emerge within converged infrastructure clusters as a sound isolation and segmentation practice. While most organizations aren't replacing

    http://searchsdn.techtarget.com/news/2240181908/Microsoft-uses-OpenFlow-SDN-for-network-monitoring-and-analysishttps://www.opennetworking.org/sdn-resources/onf-specifications/openflowhttps://www.opennetworking.org/sdn-resources/onf-specifications/openflowhttp://searchsdn.techtarget.com/news/2240181908/Microsoft-uses-OpenFlow-SDN-for-network-monitoring-and-analysis
  • 7/29/2019 ISM July-August Final

    12/34

    12 INFORMATION SECURITY n JULY/AUGUST 2013

    EDITORS NOTE

    THE LEGACYOF SB 1386

    SECURITYEDUCATION

    NEW PATHWAYSTO NETWORK

    SECURITY

    THIRD-PARTY RISK

    HORROR STORIES?!!

    MOBILE SECURITYBY THE NUMBERS

    COVER STORY: NETWORK SECURITY ARCHITECTURE

    n Use of load balancers and content switches to

    isolate traffic: A majority o the trafc in enterprisestoday is HTTP, HTTPS or other application trafc.

    Load balancers and content switches are oten used to

    provide availability and control or application trafc,

    but security teams can beneft rom these technologies

    existing hardware-based security platorms with vir-

    tual systems, the use o virtual trafc control and moni-toring systems is growing as a new layer o deense.

    Some o these systems oer capabilities that their

    hardware-based counterparts cannot (see tip onvirtual

    networking).

    [FIGURE 1 ]

    Microsoft is usingsoftware-defined networking

    based on the OpenFlowprotocol for traffic isolation

    and aggregation in itscloud.

    (SOURCE: WWW.OPENFLOW.ORG)

    http://searchsecurity.techtarget.com/tip/Evaluating-network-security-virtualization-productshttp://searchsecurity.techtarget.com/tip/Evaluating-network-security-virtualization-productshttp://searchsecurity.techtarget.com/tip/Evaluating-network-security-virtualization-productshttp://searchsecurity.techtarget.com/tip/Evaluating-network-security-virtualization-products
  • 7/29/2019 ISM July-August Final

    13/34

    13 INFORMATION SECURITY n JULY/AUGUST 2013

    EDITORS NOTE

    THE LEGACYOF SB 1386

    SECURITYEDUCATION

    NEW PATHWAYSTO NETWORK

    SECURITY

    THIRD-PARTY RISK

    HORROR STORIES?!!

    MOBILE SECURITYBY THE NUMBERS

    COVER STORY: NETWORK SECURITY ARCHITECTURE

    advantage o these eatures as application trafc grows.

    Using application-layer packet attributes to direct andcontrol trafc can help organizations isolate more sen-

    sitive or critical trafc, and identiy malware command

    control channels using HTTP/HTTPS.

    n Internal VPNs and private cloud gateways: Several

    organizations have employed internal virtual private

    network (VPN) platorms to segment their networks.

    SSL VPNs can be easily set up and confgured to act as

    a gateway to one or more segments o the environment,providing more robust authentication requirements,

    endpoint inspection capabilities, and integration with

    virtual desktop technologies. For organizations with

    private cloud deployments, new cloud edge gateways

    such as VMwares vShield Edge or Junipers vGW can

    be installed to provide controlled access. Technologies

    such as VMwares VXLAN allow migration and control

    o Layer 2 trafc across Layer 3 data center and cluster

    boundaries, which aords more exibility to distrib-

    uted virtual and cloud environments.

    UNIFIED PLATFORMS ANDCOLLAPSED ARCHITECTUREIn addition to new isolation techniques and controls, or-

    ganizations today are generally looking to collapse their

    inrastructure a bit more. The security community is

    as well. While many leading manuacturers have o-

    ered security options in these products or some time(including port mirroring, scripting capabilities and

    DDoS deenses), security teams are starting to take

    Sizing Up UnifiedSecurity PlatformsSMALL- AND MEDIUM-SIZED businesses have adopteduniversal threat management devices more than

    enterprises. Trends that stuck for defense in

    depth are prevalent in many large organizations

    networks:

    n Multiple tiers of security access control/

    filtering devices

    n Different vendors (in some cases)

    n Separation of functionality

    Today, organizations are looking to collapse func-

    tionality into bigger, more capable platforms.

    Next-generation firewalls are starting to replace

    traditional Layer 3/4 firewalls and IDS/IPS at some

    Fortune 100 companies. n

  • 7/29/2019 ISM July-August Final

    14/34

    14 INFORMATION SECURITY n JULY/AUGUST 2013

    EDITORS NOTE

    THE LEGACYOF SB 1386

    SECURITYEDUCATION

    NEW PATHWAYSTO NETWORK

    SECURITY

    THIRD-PARTY RISK

    HORROR STORIES?!!

    MOBILE SECURITYBY THE NUMBERS

    COVER STORY: NETWORK SECURITY ARCHITECTURE

    applications. These segments oten include the primary

    ingress points rom the Internet, segments where a VPNconnection terminates, and any exposed DMZ subnets,

    along with internal zones that need protection.

    So whats changing? Some Fortune 100 companies are

    replacing frewalls with next-generation frewall (NGFW)

    platorms. These systems oer more application and tra-

    fc behavior inspection along with new capabilities, such

    as user tracking rom internal directory services and

    more robust protocol inspection. This strategy starts to

    approach the UTM concept, but with more capable andhigh-perorming platorms.

    Another major shit is the gradual consolidation o

    IDS/IPS platorms with next-generation devices and tech-

    nologies. While a good number o organizations are still

    proponents o separate IDS/IPS, some companies are see-

    ing benefts in using the NGFW platorms to handle both

    frewall and IPS unctionality. As long as the perormance

    o the network is not impacted with a s ingle device han-

    dling so many security unctions, this approach may make

    sense or some companies.

    PLANNED UPGRADES AND SMALLER ZONESHow should security and network teams proceed? First,

    align any network security architecture and monitoring

    changes with planned upgrades or changes whenever pos-

    sible. I new or updated technology is already slated or

    actively using converged security appliances (oten called

    universal threat management, or UTM systems) that oera combination o services like antimalware deense, an-

    tispam and mail protection, content fltering, traditional

    Layer 3 and 4 frewall rules and even VPN and proxy ca-

    pabilities, in some cases.

    While these systems have steadily become prevalent

    and more mature, the technology is more viable or small

    to mid-sized businesses. Many enterprises are not sold

    on the technology, because it represents a single point o

    ailure. It doesnt support the scalability or perormancerequired in large, ast (10 Gbps+) network environments.

    While this still holds true, many companies are looking

    to reduce the number o security layers within their net-

    works and add enhanced unctionality that may prove

    more eective at combating modern threats.

    Over the last 10-15 years, many organizations ollowed

    popular trends in network security architecture, start-

    ing with the adoption o multiple layers o security trafc

    control points, such as frewalls. Some enterprises have

    even used technology rom dierent vendors at each layer

    to prevent a single point o ailure. This strategy may o-

    er a multi-layered approach to network security, but it

    results in much higher implementation and operations

    costs, as well as overhead to manage these platorms.

    Many enterprises use dedicated intrusion detection

    and prevention systems (IDS/IPS) to secure heavily used

    network segments and those that house sensitive data and

    http://searchsecurity.techtarget.com/magazineContent/Unified-threat-management-devices-for-the-enterprisehttp://searchsecurity.techtarget.com/magazineContent/Unified-threat-management-devices-for-the-enterprise
  • 7/29/2019 ISM July-August Final

    15/34

    15 INFORMATION SECURITY n JULY/AUGUST 2013

    EDITORS NOTE

    THE LEGACYOF SB 1386

    SECURITYEDUCATION

    NEW PATHWAYSTO NETWORK

    SECURITY

    THIRD-PARTY RISK

    HORROR STORIES?!!

    MOBILE SECURITYBY THE NUMBERS

    COVER STORY: NETWORK SECURITY ARCHITECTURE

    NGFWs can either augment or potentially replace ex-

    isting frewalls and IPS platorms.

    Another ocal area or network and security manag-

    ers is built on the concept o compartmentalization o

    network segments. With any redesign eorts, security

    teams should attempt to segment sensitive data, trafc

    and systems into more careully controlled areas. While

    the concept o DMZs and network segmentation is not

    new, building more, smaller zones may make sense with a

    combination o VLANs, Layer 3 access controls and evenapplication-level trafc monitoring and control. With

    advanced frewalls and new virtual platorms, this net-

    work security architecture is much easier to accomplish.

    NGFW systems and virtual appliances can help network

    and security teams lower costs, i they are replacing mul-

    tiple platorm types.

    With new network technology and the availability o

    advanced security platorms, the design and architecture

    o many networks is likely to continue to change rapidly,

    in some cases, collapsing inrastructure with virtualiza-

    tion and cloud deployments. n

    DAVE SHACKLEFORD is owner and principal consultant atVoodoo Security, senior vice president of research and CTO atIANS, and a SANS analyst, instructor and course author. He isa VMware vExpert and has extensive experience designing andconguring secure virtualized infrastructures.

    purchase and implementation, investigate the access con-

    trol, fltering and monitoring eatures built into these sys-tems, regardless o vendor. I vendor selection and design

    phases have not been completed, suggest looking at tech-

    nologies and designs that allow or the ollowing:

    n Access controls and monitoring at Layers 2 and

    above: Instead o a consolidated frewall design,

    switches and other network devices may play more im-

    portant roles in controlling and monitoring trafc, es-

    pecially in widely distributed networks.

    n Integration with SDN protocols such as OpenFlow

    and sFlow: While many organizations may not be ready

    to make the switch to SDN just yet, preparing or it by

    purchasing equipment that allows or programmable

    unctions and trafc control to be implemented is a

    sound idea.

    n Integration with virtualization and private cloud

    technologies from VMware, Microsoft, Citrix and oth-

    ers: Virtual appliance models with security technology

    are becoming available rom numerous vendors. These

    systems can complement existing capabilities and net-

    work designs, especially in environments with virtual

    systems or a private cloud.

    n Application and protocol inspection: New types o

    http://www.sflow.org/http://www.sflow.org/
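The article's points about smaller zones and about isolating cardholder data to limit PCI DSS scope, as an added example that is not from the article or its author: a small Python model of zone-to-zone policy enforced at the three layers the article names (MAC-based VLAN ACLs, Layer 3/4 firewall permits and application-layer Host filtering), plus a reachability check that reports which zones fall into PCI scope before and after an admin path is moved out of the corporate LAN into a dedicated management zone. All zone names, addresses, MACs, hostnames and rules below are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    """One candidate connection between zones (all values below are constructed)."""
    src_zone: str
    dst_zone: str
    src_mac: str
    dst_ip: str
    proto: str                    # "tcp" or "udp"
    dst_port: int
    http_host: str | None = None  # HTTP Host header; only meaningful on 80/443

@dataclass(frozen=True)
class L3Rule:
    """Layer 3/4 firewall permit: zone pair, destination subnet, protocol, ports."""
    src_zone: str
    dst_zone: str
    dst_net: str
    proto: str
    ports: frozenset[int]

@dataclass
class Policy:
    # L2: per destination zone, the MACs allowed to send into that VLAN (absent zone = no filter)
    vacl_allowed_macs: dict[str, set[str]] = field(default_factory=dict)
    # L3/L4: explicit permits; anything not matched is denied
    l3_rules: list[L3Rule] = field(default_factory=list)
    # L7: per destination zone, the HTTP Host values allowed in on ports 80/443
    allowed_http_hosts: dict[str, set[str]] = field(default_factory=dict)

    def check(self, f: Flow) -> tuple[bool, str]:
        """Run one flow through the three layers in order; return (permitted, reason)."""
        macs = self.vacl_allowed_macs.get(f.dst_zone)
        if macs is not None and f.src_mac.lower() not in macs:
            return False, "L2: source MAC not permitted by VLAN ACL"
        for r in self.l3_rules:
            if (r.src_zone, r.dst_zone, r.proto) != (f.src_zone, f.dst_zone, f.proto):
                continue
            if ip_address(f.dst_ip) in ip_network(r.dst_net) and f.dst_port in r.ports:
                break
        else:
            return False, "L3/L4: no firewall rule permits this zone pair and port"
        hosts = self.allowed_http_hosts.get(f.dst_zone)
        if hosts is not None and f.dst_port in (80, 443):
            if f.http_host is None or f.http_host.lower() not in hosts:
                return False, "L7: HTTP Host not permitted into this zone"
        return True, "permitted"

def pci_scope(policy: Policy, zones: list[str], cde: str = "cde") -> set[str]:
    """Zones that can reach the CDE directly or via other zones (treated as in scope)."""
    adj = {z: set() for z in zones}  # zone -> zones it may open connections to (L3/L4 permits)
    for r in policy.l3_rules:
        if r.src_zone in adj and r.dst_zone in adj:
            adj[r.src_zone].add(r.dst_zone)
    in_scope = {cde}
    changed = True
    while changed:  # propagate until no further zone gains a path toward the CDE
        changed = False
        for z, nbrs in adj.items():
            if z not in in_scope and nbrs & in_scope:
                in_scope.add(z)
                changed = True
    return in_scope

ZONES = ["corp", "dmz", "app", "cde", "guest", "mgmt"]

# Constructed "before" design: the corporate LAN has an SSH admin path into the app tier, which fronts the CDE.
BEFORE = Policy(
    vacl_allowed_macs={"cde": {"00:11:22:33:44:55", "00:11:22:33:44:56"}},
    l3_rules=[
        L3Rule("dmz", "app", "10.20.0.0/24", "tcp", frozenset({8443})),
        L3Rule("app", "cde", "10.30.0.0/24", "tcp", frozenset({443})),
        L3Rule("corp", "app", "10.20.0.0/24", "tcp", frozenset({22})),
    ],
    allowed_http_hosts={"cde": {"payments.internal.example"}},
)

# Constructed "after" design: the admin path moves to a small management zone, so corp has no route toward the CDE.
AFTER = Policy(
    vacl_allowed_macs=BEFORE.vacl_allowed_macs,
    l3_rules=[r for r in BEFORE.l3_rules if r.src_zone != "corp"]
    + [L3Rule("mgmt", "app", "10.20.0.0/24", "tcp", frozenset({22}))],
    allowed_http_hosts=BEFORE.allowed_http_hosts,
)

SAMPLE_FLOWS = [  # constructed traffic: one permit, then one denial per enforcement layer
    Flow("app", "cde", "00:11:22:33:44:55", "10.30.0.5", "tcp", 443, "payments.internal.example"),
    Flow("app", "cde", "00:11:22:33:44:55", "10.30.0.5", "tcp", 443, "intranet.example"),
    Flow("app", "cde", "de:ad:be:ef:00:01", "10.30.0.5", "tcp", 443, "payments.internal.example"),
    Flow("guest", "app", "de:ad:be:ef:00:02", "10.20.0.9", "tcp", 443, "portal.example"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_zone}->{f.dst_zone}:{f.dst_port}", BEFORE.check(f))
    print("in PCI scope before:", sorted(pci_scope(BEFORE, ZONES)), "after:", sorted(pci_scope(AFTER, ZONES)))
```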
THIRD-PARTY RISK HORROR STORIES?!!

The majority of breaches occur as the result of third parties. MacDonnell Ulsch advises companies to safeguard third-party agreements.

By MacDonnell Ulsch

VENDOR RISK MANAGEMENT

CYBERATTACKS LEAP FROM the headlines almost daily, yet senior management at some companies still believe their organizations are not potential targets: "Nobody knows who we are, why would anyone want to attack us?" One consistent breach finding may get their attention: Almost without exception, a third-party vendor or affiliate is involved (see http://www.computerweekly.com/news/2240178104/Bad-outsourcing-decisions-cause-63-of-data-breaches). It may be the client, or it may be the origination point of the breach.

The third party is often a quasi-insider, enjoying some degree of the trust afforded employees. Based on a relationship's longevity and personal interactions, third-party trust levels sometimes meet or exceed the level of insider trust.

Unfortunately, the conveyance of trust does not always end well. This is why third-party management and service-level agreements (SLAs) are so critical in the management of risk. SLAs are negotiable instruments that reflect the company's appetite or tolerance for risk; its size and complexity, geographic distribution and type of information managed; as well as its ability to effectively monitor the third-party management program.
Avoiding the often substantial impact of legal, financial, regulatory and reputation risk isn't trivial. In the best scenario, managing risk is supposed to prevent bad things from happening. The next best outcome is to reduce the impact when a collision of a threat and its intended target proves unavoidable. In the worst case, managing risk is about recovering from an event that proved to be, for whatever reason, both unpreventable and highly effective; translation: expensive.

Risk impact can be defined by a variety of metrics: loss of revenue, loss of company value, diminished market share and brand equity, increased cost of capital, higher insurance premiums and civil litigation from investors, shareholders, business partners and others (see Negative Outcomes: Third-Party Risk Management, Figure 1). Heads may roll in the executive suite. Criminal prosecutions often result. (Immunity in a breach is as scarce as hieroglyphics.)

The worst risk impact occurs when companies are clearly not ready for a breach, which is too often the case.

ALREADY MADE IN CHINA

When it comes to managing risk, no company is perfect; usually, it's far from it. In the well-known case of Nortel Networks Inc., the optical networking company's computer systems and senior management's emails, including the CEO's, were compromised by Chinese hackers for nearly a decade. An employee said he alerted Nortel's executives that there was a breach in 2004, according to The Wall Street Journal (http://online.wsj.com/article/SB10001424052970203363504577187502201577054.html), but outside of changing passwords, his warnings were largely ignored. This ongoing breach resulted in costly and complex litigation during Nortel's asset sale after it declared bankruptcy in 2009. Companies that acquired Nortel's intellectual property (Ciena Corp., Avaya Inc. and Ericsson Inc.) found out that their organizations might not have exclusive rights to the sensitive information.

[ FIGURE 1 ] Negative Outcomes: Third-Party Risk Management (SOURCE: ZEROPOINT RISK RESEARCH LLC)

RISK               IMPACT
Regulatory Risk    Regulatory Impairment, Regulatory Fines, Increased Government Scrutiny, Rigorous Remediation, Litigation Foundation
Legal Risk         Civil Litigation, Criminal Prosecution, Class Actions, Jury Awards, Settlements
Financial Risk     Value Loss, Investor Loss, Customer Loss, Capital Cost Increases
Reputation Risk    Press and Media Exposure, Market Drift, Competitor Positioning
Cascading Risk     Market Loss, Recovery Continuation, Sustainability Questions

The majority of breaches occur as the result of the actions or defensive deficiencies associated with a third-party service provider. One third-party vendor's deficient antimalware deployment resulted in a massive cyberattack. The impact: extensive, costly regulatory reporting and uncomfortable discussions and negotiations with its corporate customer base. The breach was detected when an employee noticed suspicious firewall log activity. The hackers, however, had covered their infiltration by erasing the majority of their intrusive activities, making the breach even worse and complicating the forensic analysis.

COMPLIANCE AND THIRD-PARTY MANAGEMENT AGREEMENTS

Third-party management agreements are important instruments in managing legal, regulatory, financial and reputation risk. These contracts, also known as Business Associate Agreements (BAA), are neglected tools for defending against information compromise.

Any company protecting health information, for example, needs to pay particular attention to the changes brought about by the HIPAA Omnibus Final Rule (http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf), which was passed in January 2013 and went into effect in March. A number of deadlines for compliance are set for September 23, 2013. Changes include requirements for business associates and subcontractors to comply with the complex security rule. Breach notification changes are also noted in the final rule, as well as enforcement and penalty provisions. The Genetic Information Nondiscrimination Act (http://www.genome.gov/24519851) prohibits health plans from using genetic information as an underwriting consideration. Multiple privacy issues are also noted in the final rule, especially on the use and disclosure of protected health information, including the uses associated with marketing and fundraising. (Similarly, recent changes in the European Union Model Clause (http://ec.europa.eu/justice/data-protection/document/international-transfers/transfer/index_en.htm) affect E.U. companies exporting data overseas, as well as the third-party data importers.)

Contract negotiators, attorneys and others with experience managing the SLA process address certain issues reasonably well: performance-related requirements, and even some regulatory requirements. Companies can further protect their information assets by ensuring that the following components are included in the negotiation of all third-party management agreements: information security, information privacy, threat and risk analysis, compliance obligation range, enforcement mechanisms, internal audit access and disclosure requirements, and foreign corrupt practices management (Figure 2). Focusing on these seven elements will increase the efficiency and effectiveness of third-party management agreements while creating an effective risk management framework.

Third-party management agreements may not be enough to protect organizations from elaborate cyberfraud, however. In one occurrence, the third-party vendor hired independent contractor employees who did not exist. Well, one did. Ingeniously, this individual invented identities and acquired cell phone numbers, addresses, social security numbers and so on. On paper, the employees certainly seemed like real people; each one passed a background information check. An address in the background check forms seemed out of place, but that didn't prevent them from getting hired. Personally identifying information (PII) was stolen in this scam and sold to organized crime and narcotics traffickers in a foreign country, resulting in financial fraud. The breach was detected due to suspicious behaviors exhibited by the independent contractor behind the felony crime.

[ FIGURE 2 ] Successful negotiation of third-party management agreements is built around seven elements. (SOURCE: ZEROPOINT RISK RESEARCH LLC)

■ Information Security Agreement
■ Information Privacy Agreement
■ Specific Threats and Risks Defined
■ Compliance Requirements Range
■ Enforcement Mechanisms
■ Audit and Monitoring Terms Agreement
■ Foreign Corrupt Practices Management

RESPONSIBILITY AND REPORTING

It is important to remember that the principal company or covered entity that engages a third party is always responsible for ensuring the integrity of information. While various regulations may also hold third parties accountable, never assume that the obligation of compliance is assignable to another company. When negotiating an SLA, the company must require the third-party service provider both to assume responsibility for compliance with all applicable regulations and to specify the timeframe in which to report a breach to the company. This can get tricky, and the contract language is important. Always confer with corporate legal counsel on this issue.

First, be sure to define what a breach is. An incident or event is not necessarily a breach of regulation. Is the event a breach of policy and procedure, security or regulation? Some contracts require the third party to notify the principal company of a security policy breach within 24 hours of the incident. Maintaining tight control over the reporting requirements of the third party under agreement is vital. It is also recommended that the company pre-emptively engage the third party by asking, in writing, about any security incidents at the third party, and receive a response in writing.

ASSETS AT RISK

It is not always discernible what information is at risk in a cyberbreach, especially right away. One third-party vendor responded to a breach based on an assumption that the organization did not possess any regulated data, when in fact, it did. What the company thought was just a matter of tightening security in the initial stages of the breach evolved into a serious reportable event.

Every third-party provider should know what data is in its possession. This is an absolutely critical determinant of how that data must be protected. While few mandates exist regarding the protection of intellectual property and trade secret assets (this is typically limited to contractual obligations cited in customer contracts and insurers' policies), personal information must be protected according to statute and regulation.

Many breaches of regulated data are never reported, however. Sometimes, a decision is reached not to report on the basis that the breach did not meet certain requirements: the exact definition of PII or protected health information (PHI). A breach that isn't reportable in the United States may be disclosed in other countries based on different regulations.

Managing risk by regulation has significant drawbacks, yet many companies continue to do just that. Here's the problem. Many regulations are written upon the back of mandatory minimum requirements. While it's better than nothing (and there are those companies that fail to meet even these basic requirements), it's not where the industry needs to be. This practice is unacceptable in other industries. No one wants a pilot who's met only the minimum regulatory threshold.

BASELINE FOR PROPRIETARY INFORMATION

Of course, not all companies or third parties are in the business of managing regulated information. What about managing the risk associated with unregulated data: proprietary information, intellectual property and trade secrets? In a world where brand counts, protecting the brand is ensuring a company's future. Brand protection is critical because the mission of nation-state espionage and of commercial economic and technology competitors is to steal valuable business information. The financial loss is staggering, with some estimates surpassing a trillion dollars a year (http://www.economicespionage.com/StickyFingers.htm), and about a third of those losses are in the United States (Figure 3).

One third-party management strategy is to borrow from the requirements used in regulated data management deployments. Most companies, whether large or small, are required to at least protect employee and customer information in a manner consistent with U.S. federal and state requirements. Require third parties to use that baseline to extend protection to intellectual property and trade secrets of value, bearing in mind that this approach, while better than nothing, is a minimum based upon regulatory requirements.

What do all of these breached companies have in common, and especially third parties? It isn't the type of information that was exposed: PII, PHI, intellectual property and trade secrets. It's that these organizations didn't manage risk effectively, from their definitions of risk management to communication gaps between IT and executive management and the board. (The further they are from the point of the breach, the less they understand the breach and its impact.)

SPEND NOW OR LATER

Many companies would rather spend on recovery and remediation than on prevention through risk management and optimization of SLAs. (That may not be what statistics indicate, but that's what we see.) For one thing, after a breach, budget immediately materializes. The message from executive management is usually this: "Fix this and then do what you need to do to keep this from happening again." Sometimes, the company embraces a more strategic risk management solution in the aftermath of a breach. Other times, though, the focus is very tactical and concentrated on IT security fixes in the absence of a real risk management approach.

Inside Jobs

INSIDER THREATS CAN take advantage of high trust levels to hatch elaborate schemes. A group of employees working for a large U.S. technology company decided to use their employer's technology assets for personal gain. They had access to desktop and laptop computers that were coming off lease, being sold or otherwise recycled. These units were stockpiled in unused offices, unsecured rooms and even in hallways.

The employees signed into the data center using these machines and built their own data management network underneath the raised floor of the corporate data center. They started competing for external business with their employer. This crime went undetected for about a year.

It was eventually detected, but not because of all the technology company's monitoring hardware and software. A security guard outside of the data center figured it out. The guard noticed that these workers consistently checked into the data center when everyone else was logging out: at the end of the day and on weekends. He became suspicious.

It's worth noting that many employees who get caught committing fraud against the company are not criminally or even civilly prosecuted. Prosecutions result in a public record, and negative publicity. Which brings up the issue of background investigations: Many people who engage in illegal actions get terminated and soon apply for other jobs in the industry. Meaningful background investigations are woefully absent, and $49 background checks are often inadequate.

There's a reason that a top secret security clearance can take two years to complete. In 2012, according to The Washington Post (http://www.washingtonpost.com/blogs/wonkblog/wp/2013/06/11/about-500000-private-contractors-have-access-to-top-secret-information/), about 500,000 private contractors had federal clearance for handling top-secret materials at some level. ■
  • 7/29/2019 ISM July-August Final

    23/34

    23 INFORMATION SECURITY n JULY/AUGUST 2013

    EDITORS NOTE

    THE LEGACYOF SB 1386

    SECURITYEDUCATION

    NEW PATHWAYSTO NETWORK

    SECURITY

    THIRD-PARTY RISK

    HORROR STORIES?!!

    MOBILE SECURITYBY THE NUMBERS

    VENDOR RISK MANAGEMENT

[ FIGURE 3 ] Financial losses caused by insider and third-party threats resulting in breaches of intellectual property and trade secrets are estimated at more than $1 trillion worldwide. (SOURCE: ZEROPOINT RISK RESEARCH LLC)

Diagram panels: INSIDER AND THIRD-PARTY THREAT; EXTERNAL THREAT; ENVIRONMENTAL CHANGE. Labels as extracted: Employees, Partners, Vendors, Contractors; Regulation, Litigation, Technology, Culture, Economy, Climate; Malice, Information Integrity, Mistake, Terrorists; Financial Risk Exposure, Reputation Risk Exposure, Legal Risk Exposure, Regulatory Risk Exposure; Drug Cartels, Organized Crime, Employees, Governments; U.S.: More than 500 Million PII Electronic Records Compromised / $1T+ Year IP/TS Stolen.


Regardless of whether the breach originated at a third party or at the principal company, a key determinant in the post-breach report is who's in charge of the breach investigation. When executive management, especially the general counsel and the board, are involved, there's a greater likelihood that a more effective risk management program will result. But not always: by the time many companies finish paying the bills associated with a breach, they're sometimes seeking fiscal restraint and recovering from the financial cost of the breach. This often leads to, "Let's try and do the rest of this mitigation in-house." That's usually a mistake, depending on individual breach circumstances and the cooperativeness of any third-party vendor involved.

ENTERPRISE TOWERS OF BABEL

As much as anything, managing risk is about effective communication.

Take the CISO who happens to ride in an elevator with a member of the board of directors: "We've got a BYOD issue that led to a BAA infosec incident."

Board member thinks: "Why can't this elevator move faster?"

Speak the language of business and risk. This sounds simplistic, but what if the CISO said:

"One of our outside service provider's employees had some of our client data on an iPad that was stolen, and now it looks like we're going to have to report this event to regulators in 40 countries. I hate to think what the impact of this is going to be."

Board member: "Tell me more about this."

Think about the relationship of security to the management of risk. Risk is a potential condition of concern to many people in the organization. Many executives who will be responsive to the language of risk are not responsive to the language of technology and information security. Chief executives, chief risk officers (who are often chief financial officers), internal legal counsel, internal auditors, privacy officers and compliance officers have an interest in managing risk and are usually responsive. Also, employees with a vested interest in the company's reputation, including sales and marketing, are often responsive. Conveying the risk message appropriately, though, is necessary to get anyone's attention.

Speaking technology and security will secure the job. Speaking risk will secure budget and your future.

MACDONNELL ULSCH is the CEO and chief analyst at ZeroPoint Risk Research LLC, in Boston, Mass., and advises commercial and government clients. He wrote THREAT! Managing Risk in a Hostile World. The working title of his upcoming book is CYBER SABRES: Defending the Future Against Enemies Near and Far.


http://www.zeropointrisk.com/
http://www.amazon.com/THREAT-Managing-RISK-HOSTILE-World/dp/0894136208

MOBILE SECURITY BY THE NUMBERS

Almost 60% of security professionals in our 2013 Enterprise Mobile Security Survey believe mobile devices present more risk now than in 2012. What's changed?

By Kathleen Richards

ENTERPRISE MOBILITY SURVEY

SEARCHSECURITY.COM POLLED 768 IT and security professionals in April 2013 and the data clearly indicates that the challenges of securing a multi-device environment continue to mount. While shifting IT assets outside of the firewall can help companies to lower costs, roughly 60% of the Enterprise Mobile Security Survey 2013 respondents believe mobile devices present more risk to their organizations compared to Q2 2012. About 30% of respondents do not see higher risk, while 13% said they don't know.

The consumerization of IT isn't slowing down as more employees use personally-owned devices to access corporate data and applications. But a surprising finding in our 2013 survey was how many companies no longer even issued mobile devices outside of traditional laptop computers, sliding from 83% in our Enterprise Mobile Security Survey 2012 to 65% (Figure 1).

Despite growing concerns over mobile security, only 60% of respondents indicated that their organization required security technologies on mobile devices. In the

http://searchsecurity.techtarget.com/guides/Survey-Enterprise-mobile-device-security-2012

group that did, the security initiatives ranked as follows: access control (67%), authentication (57%), encryption (53%), remote wipe (44%), antimalware (44%), PIN enforcement (42%), remote lock (39%), Microsoft ActiveSync (38%), remote access VPN (37%), mobile device management (36%), policy configuration and enforcement (34%), application control (30%), app store restrictions (29%), remote software distribution (23%), blacklist capabilities/data containment (23%), jailbreak detection (21%), GPS tracking (19%) and whitelist capabilities (14%). Perhaps more alarming is the 40% of organizations, according to those surveyed, that don't require use of security technologies on mobile devices.

The challenges of taming multi-device environments are quickly becoming the norm, however. About half of survey respondents (49%) indicated that their organizations applied unique security policies and controls for each mobile platform, with Apple iOS and Google Android topping the list of mobile platforms supported on non-company issued devices (Figure 2). Less than half


[ FIGURE 1 ] Does your organization supply employees with mobile devices (excluding traditional laptop computers)? Yes 65%, No 35% (an unlabeled 84% value also appears in the chart).

[ FIGURE 2 ] For non-company-issued devices, what mobile platforms does your company support? (Check all that apply.) Platforms shown: Apple iOS, Google Android, BlackBerry/RIM, Windows Mobile. Values shown: 79%, 62%, 54%.

http://searchsecurity.techtarget.com/feature/MDM-solutions-More-calls-to-secure-a-mobile-workforce

(43%) of those surveyed did not have different security policies based on mobile operating systems. At the same time, 43% of organizations required employees to sign a consent document that grants the employer at least limited control over any personally-owned device that accesses corporate systems or data, while 57% did not have any such policy. Half of the respondents said that their employers allow non-company mobile devices to access the corporate network and data (Figure 3).

APP SECURITY BETTER THAN DESKTOP

What types of applications do employees access via personally-owned mobile devices? According to survey respondents, 79% use personal email, instant messaging and chat applications; 68% use Web browser and productivity applications, such as Microsoft Office; 59% access social media; 49% access the corporate intranet and 41% use corporate applications.

Securing the application layer has received a lot of attention in 2013 as more mobile application management systems and related technologies emerge. Problems persist with device data leakage, including apps that request too many permissions (e.g., access to contacts) or hook into other areas on the device. Half of survey respondents indicated that their company is putting more resources (money and staff hours) into mobile application security in 2013, compared to Q2 2012. But almost one-third (29%) of organizations do not have plans to put more resources towards mobile app security, and one-fifth didn't know. These developments coincided with the heightened focus on mobile app security and operating systems in April, as Facebook blurred the lines when it rolled out its new "apperating system," Facebook Home (built on the Google Android OS).

So what's changed? In our 2012 survey, the top five mobile security concerns ranked as follows: device loss, application security, device data leakage, malware attacks and device theft. This year device data leakage

[ FIGURE 3 ] Does your employer allow non-company-issued mobile devices to access the corporate network and data? Yes 50%, No 42%, Don't know 8%.

https://bg-bg.facebook.com/home

ranked first (45%), followed by unauthorized access (41%), device loss/theft (40%), application security (38%) and compliance and malware attacks (28%) tied for fifth when respondents were asked to select their organization's top three mobile security concerns, as shown in Figure 4.

[ FIGURE 4 ] What are the top three mobile security fears at your organization? (Select three.)

Device data leakage: 45%
Unauthorized access: 41%
Device loss/theft: 40%
Application security: 38%
Compliance: 28%
Malware attacks against devices: 28%
Liability over data on personal devices: 17%
Unauthorized or unmanaged mobile access to network resources: 15%
Vulnerable third-party applications: 11%
Platform-specific vulnerabilities: 8%
Unauthorized or unmanaged mobile app downloads: 6%
Location tracking: 3%
Other: 4%


Not surprisingly, mobile identity and access management is high on the list of enterprise mobile security concerns, even though vendors of classic identity and access management systems are attempting to extend the functionality. According to this year's survey, all the employees at 28% of the organizations have access to corporate network/data resources such as email, applications or customer data; more than half of the employees have access at 29% of the organizations; and less than half have access at 35% of the organizations. None have access at 2% of the organizations, and 6% of respondents indicated that they don't know. (See Figure 5 for types of data access on personally-owned devices.)

Data loss continues to rank as the top threat in enterprise mobile security on all sides, with device data leakage and device loss and theft among the common problems. Of particular concern for many companies is how data is handled when users switch phones or leave the organization. Despite these security threats, backups on non-company issued devices at the majority of organizations

[ FIGURE 5 ] What types of data do employees access and/or store via personally-owned mobile devices? (Check all that apply.)

Standard email attachments: 90%
Work-related contacts: 71%
Personally-owned non-work files (photos/music/movies): 61%
Non-sensitive file shares/documents/presentations: 53%
Confidential/sensitive work-related data: 31%
Sensitive or encrypted email messages/attachments: 30%


(70%) are never required, according to survey respondents. Of the 30% that do demand backups on employee-owned devices, 12% required it daily, 11% weekly, 5% monthly, 2% hourly, and 1% of organizations limited the personal device backup requirements to quarterly.

At the same time, 44% of organizations allow users to access app stores on company-issued mobile devices and freely download apps; however, our survey data indicates that's a considerable decline from the 52% of companies that followed this practice in 2012. One-fifth of companies in 2013 permitted their employees to download approved app stores and applications. About one-third of organizations (36%) do not sanction any app downloads on company-issued devices.

With close to 30% of organizations posing app store restrictions, according to our survey, it's not surprising that 16% of respondents indicated that their organizations planned to build their own app stores.

MALWARE WATCH

By 2014, employee devices will be compromised by malware at more than double the rate of corporate-driven devices, according to Gartner. So far that hasn't happened, despite industry warnings that hackers go where the opportunity lies. From a software publisher's standpoint, it's a lot easier to write secure code for modern mobile platforms such as Apple iOS and Google Android than it is to sandbox programs and data, for example, on legacy desktops.

"Historically, Apple iOS has been proven to have the right mix of policy, process and technology to make the bad guys avoid it," said Brad Arkin, chief security officer, Adobe Systems.

"With Android, I think its weaknesses are also its strengths," he said. "Because it's so open, bad guys can use side-loading mechanisms and trick people into loading something malicious, but at the same time that openness allows [organizations] like the NSA to put together a secure version of Android including a secure broadband connection back to the mothership," he continued. "Android also allows you to do security monitoring software, which is not possible on iOS. Of course, Android security depends on several factors: platform flavor, hardware, updates and what kind of app stores you are using," noted Arkin.

"I don't think the desktop attack vector of going after people through email and browsers is going to be a



near-term problem for mobile devices just because the attack surface is very different, and it's not as attractive for the bad guys," he added.

Android is often viewed as an easier malware target because it exposes native APIs, but mobile platform breaches overall remain rare. Even so, 65% of security professionals in our Enterprise Mobile Security 2013 survey viewed the Android platform as carrying some level of

[ FIGURE 6 ] What mobile malware threats pose the greatest risk to your organization? (Select up to three.)

Data-stealing malware: 64%
Malicious applications: 47%
Unauthorized network access using mobile device: 45%
Root exploits/rogue software: 29%
Spam, phishing over SMS/MMS: 29%
Eavesdropping malware: 23%
Man in the middle attacks: 20%
Self-replicating malware: 15%
Zero-days in third-party software: 12%
Dialer malware (calls made to premium numbers): 10%
Supply-chain malware: 7%


risk. According to those surveyed, 38% of respondents indicated that the Android platform presented some risk to enterprises; 23% considerable risk, 4% an unacceptable level of risk, 16% no notable risk and 19% had no opinion. Figure 6 details which mobile threats respondents felt posed the greatest risk to their organizations.

While mobile malware has yet to cause significant problems, mobile device security policies may not be keeping pace with the rapid developments in enterprise mobility. One-fifth of respondents claimed that their organizations didn't have mobile device security policies. What?!

Of those that did, close to half (44%) do not require employees to read and sign the documentation. On a positive note, more than half (56%) indicated that their organization required employees to read and sign the company's mobile device security policy, but that's a significant drop from the 81% that reported that requirement in our Q2 2012 survey.

As BYOD continues to take hold, Gartner expects more companies to follow the college and university models by enforcing mobile security policies that govern network access instead of controlling personally-owned devices.

MOBILE DEVICE POLICY UPDATES

In organizations with mobile device policies, 26% have updated these documents in the past year, 14% within the past three months, 7% within the past 30 days, 6% within the past two years and 4% in the past three years or more.

The biggest drivers of recent mobile security device policy updates, according to the Enterprise Mobile Security 2013 Survey: to satisfy internal corporate requirements (20%), address new threats (17%), manage new devices (15%) and compliance (11%). However, 13% of respondents indicated "other," while 59% didn't know.

Despite indications of a mobile tipping point, executives remain more involved in general IT security decisions and policies, according to those surveyed, as shown in Figure 7.

Finally, which top three mobile security technologies did security professionals expect their organizations to spend more on this year? One-third of respondents selected access control; one-quarter said data loss prevention and authentication, followed by antimalware (22%) and encryption (20%). Mobile device management (18%) finished sixth. Other security initiatives identified for


http://www.gartner.com/newsroom/id/2211115
http://searchsecurity.techtarget.com/tip/How-to-write-an-effective-enterprise-mobile-device-security-policy

increased spending include: remote access VPN (15%), application control (12%), remote wipe (12%), policy configuration and enforcement (11%), ActiveSync (11%), and data containment (11%).

In our 2012 survey, roughly half of respondents honed in on the top five: authentication topped the list (53%), followed by data loss prevention (51%), access control (50%), encryption (45%) and remote wipe (41%). What a difference a year makes.

[ FIGURE 7 ] How involved is your organization's executive team in defining and implementing security decisions and policy in 2013 compared to 2012? Categories: Much more involved, Somewhat more involved, No more or less involved, Somewhat less involved, Much less involved, Don't know. Series: Mobile device security; General IT security. Values shown (pairing with categories not recoverable from the extraction): 19%, 26%, 23%, 5%, 23%, 27%, 24%, 5%, 6%, 21%, 6%, 16%.

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.

https://twitter.com/RichardsKath

TechTarget Security Media Group
TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

EDITORIAL DIRECTOR Robert Richardson
FEATURES EDITOR Kathleen Richards
SENIOR MANAGING EDITOR Kara Gattine
SENIOR SITE EDITOR Eric Parizo
DIRECTOR OF ONLINE DESIGN Linda Koury
COLUMNISTS Marcus Ranum, Gary McGraw, Doug Jacobson, Julie A. Rursch, Matthew Todd
CONTRIBUTING EDITORS Michael Cobb, Scott Crawford, Peter Giannoulis, Ernest N. Hayden, Jennifer Jabbusch Minella, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser

USER ADVISORY BOARD
Phil Agcaoili, Cox Communications
Richard Bejtlich, Mandiant
Seth Bromberger, Energy Sector Consortium
Mike Chapple, Notre Dame
Brian Engle, Health and Human Services Commis