CISOs Must Change With the Times

In years past, the Chief Information Security Officer (CISO) role focused on IT needs and internal security. Many CISOs only influenced their own departments, according to the Computer Business Review. They had to wheedle funds from within their organizations. They reported directly to CIOs or CEOs, but were not involved in any Board interaction.

Today, CISOs face changing technology developments and security requirements, as well as a growing awareness outside of IT departments that these needs are so intrinsic to the performance of any company that the CISO must be a partner in company-wide decision-making processes.

CISOs are increasingly called upon to serve as a bridge between tech rooms and the board room. Just as workplace dependence on technology increases, so does the need for buy-in at all levels to understand threats, how to mitigate them, and how to bring departments together to do so. In the coming years, we’ll see more CISOs in the board room, sitting at the table with major decision makers to ensure risk assessment and other technology needs are considered with every business move.

This also calls on CISOs to embrace more “soft skills.” Think business school instead of engineering school — the ability to translate tech-speak into broadly understood needs and goals, and the business savvy to see them implemented company-wide.

This is how security leaders themselves see their future. “The role of the CISO today now requires new skills such as business acumen, risk management, innovation, creating human networks, and building cross-organizational relationships,” writes Bill Bonney, a CISO and security analyst, on a series of LinkedIn posts.

Bonney’s dual roles highlight the other change in the CISO job description. As Katz told the magazine, “In the next five to ten years, it will become two roles – the technology expert and the information risk expert.”

Monitoring PCs and other devices, whether company-issued or not, has become just one part of the CISO’s role. As more of our workplace technology shifts outside of direct control (cloud data storage, third-party software contracts, employees’ own electronic devices that blur the lines between personal and business technology usage), the job description has been rewritten. The stakes are higher and the risk keeps growing, as more and more information moves online.

Mike Kalac, the CISO of Western Union, told one industry blogger:

“The most important thing to understand is not technology, it’s risk management. Security is not a binary function… we aren’t ‘secure’. We have a spectrum of risks that we will manage to the best of our abilities.”

Nothing can be 100 percent secure, he notes, and some firms will decide to accept certain risks for the sake of their specific business needs.

But making those decisions increasingly means having a trusted CISO who can navigate the management waters and the boardroom as well as they manage IT offices.

How DFARS Impacts Your Business

What do the new DoD DFARS (Defense Federal Acquisition Regulation Supplement) subpart 204.73 rules mean for contractors?

If you contract with the DoD, or work with a firm that contracts for the DoD, it’s vital to understand the security of every part of your network, whether it’s a laptop in your office or a server half a country away.

The rules basically require business owners to understand every aspect of a data chain. That includes second- and third-tier suppliers, including those that handle cloud storage — if there’s a violation, the contractor is held responsible for understanding any leaks the subcontractors might have contributed. It also includes connections between the cloud and what ends up linking to the DoD, as well as the employees of any subcontractors or suppliers, so you can be assured that no one who has access to your information via working in the cloud can cause a rupture in the security chain.

“The biggest thing your company needs to do is have an assessment done as soon as possible,” says the Association of Procurement Technical Assistance Centers’ blog.

Alexander W. Major, an associate in the Government Contracts, Investigations & International Trade Practice Group, writing in The National Law Journal, agrees:

“Contractors and subcontractors have been drafted into a fight to secure and defend their country’s data from the looming threats of cyber criminals and cyber-terrorists. All contractors need to plan accordingly – IN ADVANCE OF AGREEING TO GOVERNMENT REQUIREMENTS [capitalization Major’s]– if they expect to do business in accordance with the regulations being imposed by all executive agencies.”

Contractors also carry the burden of understanding exactly which government rules apply to them. As law firm Holland & Knight explains, regulations from different agencies can be contradictory:

“That data could be subject to one standard under a DoD contract and another standard under a civilian agency contract. Accordingly, there is no one-size-fits-all process for determining what cybersecurity compliance will look like for government contractors. At this point, a contractor may want to determine the most stringent controls potentially applicable to its mix of contracts and types of information and measure the adequacy of its information assurance systems against that standard.”

Underscoring this point, the Office of Budget Management is also working on its own security rules, which were opened for public comment, and which will work in addition to, but likely dovetail with, DoD requirements.

In sum: Figure out which rules are the most stringent when it comes to your business, and follow those, all the way through to the lowest-tier supplier.

Businesses will also need to explain how they will track any “spillage,” notes another law review article. That means contractors will need to have plans in place on how to deal with problems well before they arise.

Ideally, your firm will have a solid grasp of all the regulations that apply to your business, and abide by the most stringent ones in order to ensure that you’re fully compliant.

It’s not easy to track every potential risk to your information so that you can accurately report those details should the DoD come calling. But now, it’s more vital than ever to know the answers. Your business depends on it.

How Safe Is Your Cloud?

Knowing the answer, down to the most obscure-seeming data point, could be the difference between successfully navigating government contracting, and closing up shop.

New rules rolled out at the end of August codify the Department of Defense’s cybersecurity policy, including the responsibilities of DoD contractors and subcontractors when it comes to information security. The new “interim rule” pulls together some requirements already scattered through other acts and memorandums, but adds some new items.

And in early October, the federal government made it clear that these are not voluntary regulations, but instead requirements for doing business, according to The National Law Review.

Some 10,000 businesses will be impacted by the changes, according to

The Small Print (Some of It)

Data breaches have become such a major concern that the DoD says “urgent and compelling reasons” pushed authorities to issue the new rules without any public comment, effective immediately. Likely weighing heavily on their minds was an alleged Russian spear phishing attack against the Pentagon just weeks before the August announcement.

Ultimately, the issuances demand a closer examination of data security and resources along every step of a defense contractor’s supply chain.

Essentially, contractors must report any incident that impacts “covered defense information (CDI), a covered contractor information system (a federal contractor’s information system that handles CDI), or on a contractor’s ability to provide operationally critical support” according to one trade organization. In return, the DoD promises to protect proprietary information on behalf of the contractors should they need to investigate.

The Government Contracts, Investigations and International Trade blog from the law firm of Sheppard Mullin lays out the changes in great detail. It’s worth reading the entire post. Some of the highlights:

  • The DoD has expanded the definitions of the unclassified information that, if involved in a potential “incident,” contractors are liable to report.
  • The burden of following the new rules falls on contractors. Those who can’t follow the new rules will have to prove why it’s impossible or inapplicable.
  • Contractors must report whether their work utilizes cloud computing, and the rule includes contract wording to that effect.

Additionally, all cloud computing facilities must be located in the U.S., another law journal post notes, and firms must be able to explain how they will track everything and work with the DoD should the worst happen.

Businesses have 72 hours to report any breaches — the clock starts as soon as the problem is discovered — and reporting happens via a DoD website. Law firm Holland & Knight reports that it’s up to the contractor to investigate the scope, as well as the circumstances while the DoD reserves the right to dive into systems to check the breaches themselves.

And if you think there is wiggle room because you may be a small business with only a handful of employees? Think again: there are no exceptions for small businesses.


Is Your Home Security System Actually Secure?

The news shocked the car and tech industries: Two hackers accessed the control systems inside a Jeep Cherokee — and they weren’t anywhere near the driver’s seat.

Using a vulnerability they found in the SUV’s WiFi-enabled control system that utilized a cellular connection via Sprint, the hackers were able to control almost everything from the brakes and steering to the door locks, according to a report released this July. They could potentially override a driver from some 70 miles away.

Fiat Chrysler recalled well over 1 million vehicles due to the findings. Part of the problem was that the company couldn’t develop a patch to fix the issue.

The Internet of Things is everywhere, from our kitchens to our backpacks to our garages. And yet, as the technology develops, so do potentially dangerous security holes, and it’s not limited to hacking a single machine — some of these connected devices could potentially put a whole network at risk.

This summer, several agencies have banded together to create best practices to help both manufacturers and customers navigate this new arena of growth and risk.

The Online Trust Alliance (OTA) Internet of Things (IoT) Working Group, which includes ADT, Microsoft, Symantec, TRUSTe and Verisign, released a security framework for IoT connected devices. The framework aims to encourage companies to share security information and best practices, to establish a code of conduct, and to create criteria by which firms should judge security.

“We’re focusing on three pillars,” Craig Spiezle, OTA’s executive director and president said earlier this year. “Privacy, security and sustainability. By sustainability, we mean lifecycle issues beyond the traditional product warranty. Such as, how will it be patched? What happens if the company is no longer in business?”

As an example of this, two other experts found an outdated browser with a known vulnerability in Tesla’s high-end cars. Who is responsible for the patch? And what would happen if Tesla went out of business?

Providers, Spiezle says, “must look at security and privacy simultaneously. Second, they need to look at the flow of data and touch points, and hold their partners and service providers accountable.”

It’s not enough, in other words, to monitor product development. Companies also need to monitor the development and assessments of all their vendors.

Bob Wang, founder and CEO of the company that produces the table-top electronic pressure cooker Instant Pot, recently released a Bluetooth-enabled device, which allows mobile devices to “talk” to the cooker and program basic heating and cooling steps. Some have questioned the usability of the Bluetooth connection, and WiFi connectivity may have potential. But WiFi capability rushed to market could create a breach that allows a hacker access to a homeowner’s network, and to all of that home’s devices, Wang says. Or worse, it could allow hackers to worm into the Instant Pot servers and potentially into all of the homes connected to that server.

And that’s just for one piece of equipment, in a relative handful of homes, that takes up less space than most microwaves. Multiply that potential out to almost every home tool or appliance, from keyless locks to refrigerators that Tweet, and the future may seem exciting — and petrifying — without some kind of protocol or safety net.

The formal IoT framework should be finalized around mid-November.

How Even the Smallest Microchip Can Be A Supply Chain Vulnerability

Globalstar’s Simplex satellite network has become a leader in tracking and communications uplinks. Many organizations use Globalstar products to monitor assets in remote locations, from military personnel abroad in the field to cargo trucks traveling cross-country.

So when a researcher at the Black Hat cybersecurity conference reported that he could not only hack into and see data on Globalstar’s Simplex satellite network, but could also upload his own data, that caught a lot of attention.

Colby Moore, of the network security company Synack, says with about $1,000 worth of equipment he was able to access the Simplex system, as the company’s STX3 transmitter doesn’t encrypt the data before it sends it.

Globalstar says that most of its business comes from small satellite phones, both mobile and stationary, in remote areas. But its technology is also used in trackers on cargo shipments and trucks. Hacking the system, as Moore says he was able to do, offers the frightening potential to track a cargo or military shipment, and also potentially to upload misleading information.

Imagine a terror scenario of someone tracking a shipment of military hardware — and then uploading information so the government believes the truck is in-bound, when in fact it’s been taken. The same could potentially happen with a drug cartel invading a food shipment to sneak illegal substances across the border.

Besides the ability for adversaries to see where assets may be located, if they can change what you see, the threat becomes so broad it is much more difficult to respond effectively.

Moore’s research has touched off a controversy that has pitted security experts against each other, with some demanding more proof of the weakness of Globalstar’s security protocols and others seeing this as exemplifying a worst-case scenario in a connected world that’s not protected nearly enough.

Globalstar has fiercely defended the security of the network and data. Leaders point to all of the good work it has done, including a touching story of the connection a soldier in a remote location made with his family back home.

The company has also countered that it is continuously updating its security. For larger purposes, such as major cargo or government needs, Chairman and CEO Jay Monroe says that those agencies add their own layers of security as well.

“Globalstar is, in the simplex world, a purveyor of a little piece of end technology that someone builds into something else that they want to do,” he told Satellite Today. “So, if they are going to be tracking nuclear waste for the federal government, you can be very certain that that signal is encrypted.”

Of course, that puts more pressure on agencies that handle sensitive materials such as nuclear waste to make sure they understand any potential risks involved with all of the equipment they’re using, down to the smallest tracking chip — and that the agencies are doing their best to mitigate those risks, including establishing their own risk assessments, vendor vetting, and security protocols.

A Summer Season of Spear Phishing

Spear phishing: A cyber attack typically sent via an email message that appears to come from a trusted source and requests that the victim take some kind of action. The actual attack might be hidden in Web links in the email or in an attachment, and the sender likely knows enough about the intended target to fake messages that seem more real than spam. The goal: Collect personal information or information about an agency.

If this scenario sounds familiar, it should — these kinds of scams have been around for more than a decade. The FBI has been warning the public since at least 2009.

Presumably, savvy users — and savvy offices — have protections in place. But just as technology has improved, so have the techniques of nefarious actors. And no one is safe — not when the U.S. is accusing Russia and China of separately hacking major federal government installations, including the White House, the State Department and the Pentagon — all of which occurred just this year, the most recent a few weeks ago.

For the first set of attacks, experts told CNN they believed that the scammers obtained access to the account of someone in the State Department. That was enough to gain a foothold to send seemingly trusted emails to others in the government, and start seeding the attack. The breach was apparently discovered when the White House picked up on strange activity in a network that wasn’t classified, and codes seemed to tie the problem, via several servers, back to Russian hackers working for the government there.

The Pentagon shut down the entire email and Internet access of its unclassified system for about two weeks in July, after that email system was hacked. NBC News reported that Russia was the likely culprit. There have also been reports of terrorists, such as ISIS, using sophisticated spear phishing attacks against Syrian interests, and fears that energy providers globally may be next.

This is an example of a convergence of insider and outsider threats. Insider threats, both accidental and malicious, come from someone inside your organization who knowingly or unknowingly reveals information that can be used in an attack against your business. Outsider threats represent attacks from outside the organization. In these spear phishing cases, an insider releases information, often unknowingly, that can be used by outsiders to lure others into an email trap.

The fix for this isn’t easy. It’s no longer enough to simply look for obvious scam notices from a Prince of Nigeria, or to warn employees not to click links or open attachments from strange emails. Staff need to understand what they’re facing, what precautions they should take, and what to look for. It’s vital to understand the ties every vendor has, no matter how innocuous the person, the job, or their associations may seem. One person, with one page from an employee’s personnel file that was tossed in the trash, has the potential to throw a phishing line into your whole system.

Global Business Environment Poses Increasing Risk to Supply Chains

Visible Dangers

While historically organizations have focused on physical security, resiliency, and logistics to manage their supply chain risks, with the globalization of the economy and the emergence of cybersecurity risk, a more comprehensive approach is required. Cyber risks attack, disrupt, destroy, and compromise the integrity of components across manufacturing and distribution supply chains, creating risks that bridge agencies, departments, and organizations.

Cyber risk is especially acute in critical infrastructure sectors that utilize globally interconnected business environments to produce information technology (IT) components and systems. IT hardware, software, and service providers are increasingly outsourcing manufacturing and production to regions of the world that actively target U.S. technologies, exposing not only their supply chains, but the supply chains of their customers.

Interos recently published a white paper presenting some of the key findings identified from risk assessments of over 60 vendors for a Federal Civilian Agency. Interos found that 92% of all assessed vendors were connected to at least one country outside the contiguous US, reflecting the pervasive nature of our Nation’s globally interconnected business environment and highlighting the need for increased oversight, control, and transparency.

Hidden Dangers Exposed

This data suggests that a significant portion of the assessed U.S. Federal Government vendors manufacture goods extensively abroad, specifically in sensitive countries in Asia. This trend is especially alarming considering that East Asia and the Pacific were responsible for over half of all reported 2013 cyber collection attempts, as reported by the Defense Security Service (DSS).

Additionally, the assessments linked roughly a quarter of all assessed vendors to insider threat indicators, cyber vulnerabilities, and politically exposed persons (PEPs). These trends characterize a relatively risky IT environment, where vendors are more focused on improving efficiency and reducing operating costs than they are on managing security and safeguarding National Security Systems (NSS).

Examples of risky vendors Interos identified and helped the U.S. Federal Government avoid include:

  • An IT Services vendor supplying a Federal Civilian Agency that had employed a Chinese national who was indicted on five felony charges for allegedly stealing information about the Department of Defense’s jet fighter program.
  • An Information Communications Technology (ICT) vendor supplying the DoD that utilizes non-authorized manufacturers and resellers with a robust history of selling counterfeit cellular equipment.
  • A Physical Security Management vendor supplying a Federal Civilian Agency was identified as having a Tier-1 supply chain comprised entirely (100%) of companies in Hong Kong, Taiwan, and China.

By not purchasing products from these vendors, the U.S. Federal Government avoided millions of dollars in cybersecurity mitigations and countermeasures that would have been required to offset the discovered cyber vulnerability. Additionally, and more importantly, the U.S. Federal Government avoided the potential compromise of its NSS, critical infrastructure, as well as its employees’ personally identifiable information (PII).


Compliance Week: Eliminating Cyber-Threats From the IT Supply Chain

The full article by Jaclyn Jaeger, published April 28, 2015, can be found on Compliance Week.

The longer a global supply chain grows, the less visibility and assurance corporations have into the integrity and security of their products and operations. Now NIST is trying to pierce that fog, and compliance officers in the private sector might want to take notice.

Earlier in April the National Institute of Standards and Technology issued its latest guidance, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations”—a 282-page missive on how to better manage the supply chain for technology products, to root out cyber-threats that might leave a piece of IT equipment compromised or simply malfunctioning. NIST’s guidance is intended for government agencies acquiring lots of IT and communication technology, but the principles behind it are just as useful elsewhere.

“Every organization relies upon technology, whether it’s in their manufacturing processes, their products, or services, or if it’s to enable their business activity,” says Jon Boyens, a senior adviser for information security at NIST and co-author of the guidance.

In today’s globalized world, the components of a laptop or a cellular phone, for example, are routinely manufactured in many different locations, while assembly of the final product may take place in yet another part of the world. Now imagine how much more complex that supply chain becomes for a much larger system, such as the avionics in a commercial airplane or a communications network for the military.

“Each access point into the technology, which ultimately is assembled into one product or service, creates risk,” Boyens says. Hackers might try to embed malicious software within those components, or poorly trained workers might just assemble a bad part. Either way, the threats to the supply chain are many, and the final result is the same: an untrustworthy product, a problem you might not even know exists.

“Cyber-supply chain risk management is still a fairly nascent discipline,” Boyens says. “I would say it’s where traditional supply chain risk management was about 15 years ago. It’s still developing.”

Risk Management

One part of the guidance describes three tiers of risk management to help organizations integrate ICT supply chain risk management (yes, there’s an acronym for that: ICT SCRM) effectively. They are:

Tier 1: Organization. In this tier, the company’s executive leadership team defines the company’s overall ICT SCRM strategy, policies, goals, and objectives. These activities “help to ensure that ICT SCRM mitigation strategies are cost-effective, efficient, and consistent with the strategic goals and objectives of the organization,” the guidance states. This tier is also responsible for establishing a risk tolerance level for ICT supply chain risks.

Senior leadership support is “non-negotiable,” says Jennifer Bisceglie, president and CEO of Interos Solutions, a consulting firm that works on supply chain risk management. It must be connected to the business objective, she says, or leadership will not support it.

At the organization tier, another step is to establish a team with roles and responsibilities for leading and supporting ICT SCRM activities. “We advocate a team-based approach,” Boyens stresses. The specific functions that may be involved in managing ICT supply chain risks can include compliance, risk, legal, IT, supply chain and logistics, acquisition and procurement, and other relevant functions, he says.


The Nexus of Supply Problems, Part Three: Executing a Supply Chain Risk Management Process

Prioritizing risk shouldn’t be an ad hoc process. Just as we discussed how lower-tier suppliers can sometimes prove pivotal to an entire process once every step in the chain has been analyzed, so too we can take a data-based approach to examining which steps in the chain could have the greatest impact on a business should calamity strike, and ideally conduct cost comparisons as well, so decision makers can understand what’s best for their bottom line.

Take Sony, for example. In 2011, a major breach in the PlayStation Network, which linked to the popular PS3 game system, cost the company some $170 million to fix. Execs took the whole system off-line, brought in forensic analysts and offered customers free games and identity theft protection, according to Computer World magazine. Fast forward three years, and another data breach, this time targeting the motion picture arm of Sony’s mega corporation, flooded gossip rags with days’ worth of fodder about the inner workings of the studio.

The first hit has been tied to a lawsuit the company brought against an American hacker, while the more recent incident, from November, looks like a North Korean attempt. At least one expert has said that the breach was so sophisticated, 90 percent of the Internet’s defenses would probably have been just as vulnerable. But it has also raised questions as to how seriously Sony takes the confidentiality of data, given that major hacks occurred just a few years apart.

Clearly data security is a major potential problem in the supply chain that Sony uses to bring entertainment of various forms to customers. While the firm spent $170 million to mitigate the 2011 attack, the 2014 incident raises the question of whether the company was shortsighted in not spending even more, and so lost out a second time.

Truth is, there’s no perfect system. But planning can make all the difference.

“The unfortunate reality of today’s complex global marketplace is that not every security compromise can be prevented beforehand,” writes Steve Durbin, managing director of the Information Security Forum (ISF). “But being proactive now also means you, and your suppliers, will be better able to react rapidly and intelligently when something does happen.”

In previous posts we’ve discussed how to adopt an SCRM program, and how to get started. It takes some effort, such as evangelising to make sure everyone is on board. But it’s all about making informed choices. Thorough, thoughtful analysis of a chain, be it one delivering data or physical goods, allows management to assess the cost of risk, and decide where to invest to head off the worst — and how to plan for the inevitable.

Take the Sony example. One story suggested that the company had let go some security personnel in between breaches. We don’t know why that occurred, but consider a firm that might, for example, need to shrink payroll and decide IT security has some extra positions. A supply chain risk assessment might have found that keeping a few more employees would have been worth it in the case of a costly hack attack.

Which would you rather be — a Sony putting out multimillion dollar fires, or a Nissan lauded for smart planning in a crisis?

The Nexus of Supply Problems, Part Two: Understanding What’s At Risk

Lower-tier suppliers in your chain can pose unexpected risks, and those risks may lie in unexpected places, as we discussed in our previous blog post.

But let’s also talk about the other end of that equation — the fallout to your business, and your business’ reputation, when those risks are allowed to occur.

First, your brand and reputation can suffer. Imagine if you’re Apple, and there’s a problem with the second-tier supplier that provides key components for a cell phone, components that are then shipped to another factory that builds the actual phone, which then ships it to American consumers. Customers start complaining that their new phones don’t work, and suddenly a very high-profile company has a very high-profile problem that could severely damage its reputation.

And it’s not just physical goods that can suffer hiccups enough to damage a company.

  • Automated inventory systems: These systems can form the crux of a supply chain, but if the second-tier supplier who makes the software miscalculates, it can lead to major business failures. Some of the biggest supply chain disasters were tabulated by Supply Chain Digest in 2006. While almost a decade old, the lessons still stand: firms from Toys R Us to Nike and Adidas took severe hits to their reputation. They needed years to recover in some cases, if they recovered at all.
  • Customer data profiles: Many mid-sized or smaller firms have a third party process online orders, for example. If that third party has a data breach that compromises buyers’ private information, it’s the original company that has to break the bad news — and take the hit to its brand and reputation. This could come from a hacker, from malware, from intentional or unintentional breaches — anywhere there’s a weakness that can be exploited. According to Information Age, “55% of the 2,000 respondents stated that they were ‘not at all likely’ or ‘not very likely’ to do business with an organisation that had suffered a data breach involving credit or debit card.” Not all breaches involve payment information, but that’s an example of the potential impact.
  • Local crisis: Congolese mining firms that violate human rights, or an Asian firm that pollutes the environment, could cause major reputational headaches for Western companies, enough to negatively impact their reputation and brand. “Suddenly, you are an unknowing criminal in the web of globalization,” writes one executive. This may come from not fully vetting lower-tier sections of the supply chain.

And most firms aren’t prepared to deal with these kinds of potential issues throughout their supply chain, according to a 2013 study by MIT and PricewaterhouseCoopers. They found that 59% of firms surveyed had “immature” supply chain management. Maturity is based on seven categories, quoted below:

  1. Risk governance;
  2. Flexibility and redundancy across the value chain;
  3. Alignment between partners in the supply chain;
  4. Upstream and downstream supply chain integration;
  5. Alignment between internal business functions;
  6. Complexity management/rationalization; and
  7. Data analytics.

Companies that had made those assessments suffered profit dips of less than 3 percent when a problem arose.

A positive case proves the point too. Nissan could have suffered a major blow after a historic earthquake hit Japan in 2012 and shuttered the vast majority of the country’s manufacturing, including plants that supplied goods to the international car manufacturer. But Nissan had analyzed its supply chain and braced itself for disruption to such an extent that it now serves as a textbook case, cited by the MIT study, of the benefits of doing supply chain analysis right, and why it’s worth doing so.

We’ve discussed what’s at stake when key nexus suppliers fail, and how it’s not just things but also data and your firm’s reputation. In a third post, we’ll discuss how to mitigate problems you do find.