CISOs adding risk management to their expanding portfolio
... risk officer) instead of the CIO
Chief information security officers (CISOs) are increasingly adding risk management to their ever-expanding portfolio of responsibilities, according to a new report by infosec social networking site Wisegate.
by Robert Westervelt
For years, the mantra of the security industry has been to get enterprises to look internally for weaknesses and activity that can raise a red flag to a malware-infected machine or an employee with malicious intentions. But how do you know how secure your partners and clients are?
It’s not difficult to see the security risks posed by a contractor handling payroll, a managed services provider, or the string of businesses that make up the supply chain. A breach at any of those businesses could have a serious impact on your company’s security. An enterprise CISO or IT director has little control over the security of partner networks. Managing business partner security risk has largely been left to writing protections into service-level agreements. From a technology perspective, enterprises can review logs for suspicious behavior if partners are given access to company resources.
Derek Gabbard and his team at Lookingglass Cyber Solutions aim to change all that. The company’s technology, which is being used by a variety of government and financial organizations, can map out the networks of partners and clients and apply a layer of threat intelligence data to determine if there are any potential compromises. The technology provides companies with third-party risk management capabilities.
Called ScoutVision, the technology can gather information about a company’s business partner networks once the partner’s IP address range is fed into it. It bases its threat analysis on security vendor intelligence feeds licensed by Lookingglass, honeypots and other proprietary threat intelligence data. Lookingglass monitors communication in cybercriminal networks and combines intelligence on botnets and malware attacks to trace a threat back to a network that has been penetrated.
The company boasts that nearly 40 distinct sources of threat intelligence data are used in the analysis. It looks at dark IP space and passive DNS data globally. The service can provide all the threat intelligence data it has about an entire network and describe, for example, whether it contains 20 to 30 bad hosts, Gabbard said. If any Microsoft IP addresses have been communicating directly with a darknet, for example, the company can characterize that communication to determine the nature of the threat.
Gabbard, who served as General Dynamics Advanced Information System’s program director for the United States Computer Emergency Readiness Team (US-CERT), told me that up until now companies have been focusing internally with little regard to the security of their partner systems.
I can’t find a company that is taking Lookingglass’ approach. SIEM systems such as HP Arcsight, and network appliances like RSA Netwitness or Solera Networks, don’t provide external network visibility in the same context, Gabbard said. The technology could eventually be integrated with a network appliance, he said. As CEO of Lookingglass, Gabbard is looking to extend ScoutVision to a broader set of customers.
So what does a company do with the threat data provided by Lookingglass?
Gabbard said he believes the information gleaned by the service can be actionable. The first commercial customers consisted of pilot projects conducted in 2010. So far the service has resulted in mainly reporting and phone calls to third parties. Some early adopters create reports and inform their partners of the potential security issues. Depending on their relationship, they’ll say “hey, your network’s messed up,” he said. “Clean it up or we’ll have to restrict access.”
The firm is gaining interest. In January, the fledgling company received $5 million in funding from Alsop Louie Partners, a firm that includes Gilman Louie, the founder and former CEO of In-Q-Tel – the investment arm of the Central Intelligence Agency. It will be interesting to watch if other security vendors attempt to take a similar approach with existing security appliances. The potential exists to apply the technology to companies with an extensive supply chain.
by Jane Wright
Ethical hackers hired by an organization to assess its vulnerabilities must always be careful to not “cross the line” and get themselves into trouble with the law. With all the computer security laws in the U.S., it can be a challenge for ethical hackers to ensure they are obeying all the laws.
But according to David Snead, an attorney in Washington D.C. who frequently represents IT security providers and consultants, it is possible to focus on just a handful of laws to avoid lawsuits and stay out of jail.
During a session at the Source Conference in Boston last month, Snead listed the overwhelming number of laws related to IT security in the U.S. But ethical hackers can focus on just three laws that are most likely to lead to litigation, according to Snead:
• Computer Fraud and Abuse Act (CFAA), which makes it illegal to access a computer or network without proper authorization.
• Wiretap Act, which can be applied to packet sniffing.
• Stored Communications Act (SCA), which can be applied to any email that was meant to be confidential.
Similarly, each state has different laws, and few organizations have the time or resources to ensure they are compliant in all 50 states. Snead recommended that ethical hackers and security consultants assist their client organizations by ensuring they are compliant in just three states, at least initially. The three states should be:
• The organization’s own headquarters state;
• The state where most of the organization’s employees work;
• The state where most of the organization’s customers live or work.
In some cases, these three scenarios may point to just one or two states, making the consultant’s job that much easier.
In my view, Snead was bold to make these recommendations. Many lawyers, when asked which IT security laws their clients should obey, would probably say, “All of them.” But Snead’s advice comes from a real-world perspective, and it’s this kind of realistic advice that’s greatly appreciated by security practitioners — especially the many independent penetration testers out there — who are often grappling with their budgets.
Still, security pros must understand the risks of following this advice. As Snead explained, triaging the laws this way will avert most legal problems. But the pen tester’s client organization could still get tripped up by a lesser-known law if a creative prosecutor convinces the court it applies to the organization’s security practices.
by Robert Westervelt
It’s anyone’s guess how the FedRAMP cloud security initiative will pan out, but the pieces are coming together. Last week, the U.S. General Services Administration released an initial list of approved third-party assessment organizations (3PAOs).
Launched by the Obama administration in December, the Federal Risk and Authorization Management Program (FedRAMP) aims to set a standard approach for assessing the security of cloud services. The goal is to cut the cost and time spent on agency cloud assessments and authorizations.
3PAOs will assess cloud service providers’ security controls to validate they meet FedRAMP requirements. Their assessments will be reviewed by the FedRAMP Joint Authorization Board, which can grant provisional authorizations that federal agencies can use.
Here’s the list of accredited 3PAOs: COACT, Department of Transportation Enterprise Service Center, Dynamics Research Corp., J.D. Biggs and Associates, Knowledge Consulting Group, Logyx, Lunarline, SRA International and Veris Group.
If you’re wondering how these companies became 3PAOs, they had to submit an application demonstrating technical competence in assessing the security of cloud-based systems, according to the GSA. They also had to meet ISO/IEC 17020:1998 requirements for companies performing assessments.
When I wrote about FedRAMP earlier this year, the program drew praise, criticism and cautious optimism. Will it get bogged down in bureaucracy? Will it become simply another paper-pushing compliance exercise? Will it help advance cloud security standards for the private sector? It’s hard to say how long it will take until we know those answers, but at least FedRAMP appears to be on schedule. With the release of the 3PAO list, the program moves closer to its target of becoming operational next month.
I’m planning to speak with one of the 3PAOs tomorrow; hopefully I’ll have some additional information from that interview about the 3PAO process and FedRAMP in general. If I do, I’ll post it on SearchCloudSecurity.com.