November 2020 - Fractional CISO

Three Keys to a Great Internal Audit

November 19, 2020

I don’t remember much about middle school.

It was the 80s, though, and things were certainly different back then. We had real chalk boards (with erasers that needed periodic clapping), gender-separated gym classes, and junk food and soda in the vending machines.

One memory, in particular, has stayed with me. It happened in science class when a careless student (no, it wasn’t me) accidentally broke a mercury thermometer.

Mercury, of course, is highly toxic. So the teacher evacuated the room, opened the windows, put on gloves and a mask, and cut away the carpet where it spilled. Then he put the spilled mercury in a secure container, and we were kept out of the classroom for several days while the school monitored for vapors.

Of course, I am totally kidding! It was the 80s, remember? He told us to move away from the spill, swept it up, and went right back to teaching. I’m not even sure he washed his hands.

Yesterday’s Rules No Longer Apply

You’d be shocked if a present-day science teacher responded to a mercury spill the way mine did thirty years ago. And that’s understandable; best practices, across all industries, change over time.

In cybersecurity, though, they change very, very quickly.

Here at Fractional CISO, we tend to have two distinct types of clients: those whose companies were formed within the past three years, and those that are older (some, significantly older).

Three years may not seem like a long time. But these older companies began before “current standards” were developed. As a result, we have found all sorts of security “mistakes” – practices that were not mistakes as recently as three years ago.

These include things like HTTP not redirecting to HTTPS, servers or applications that have not been updated in several years, or using outdated cryptographic algorithms.

Notice that I am not talking here about anything that is actually “broken” – the technology is running just fine in terms of supporting its business users. It’s just that in many cases, and even though these companies have “good security practices,” if the same project/function were begun today, it would happen in an entirely different way.

Everyone Needs an Internal Audit

If you are an “old” company (pre-2017), the key to ensuring that your technical teams are not simply “sweeping up spilled mercury” is to perform a periodic, internal audit. Done well, these contain three elements:

1. Independence.

Select an internal auditor that doesn’t have a stake in the department. This person need not be an employee (we do these regularly on behalf of our clients), but if they are, they should be free from the constraints and biases that a member of a given department will bring.

2. Functional Breadth.

Make sure your internal audit spans all areas where security vulnerabilities may exist:

Access Control – Who has access to what? Has that person left the organization? Do all of these people need this level of access?

Change Control – Is the organization documenting key system changes properly? Can you figure out if employees are making approved changes or doing random updates?

Assets – Do you have comprehensive lists of all of your devices and applications?

Configuration – Are your cloud permissions and firewall rules set up correctly? Are you updating your systems?

Vendors – Are vendors following your policies? Do they have strong cybersecurity controls?

Alerts and Notifications – Are people looking at alerts? Are they being resolved in a timely manner?

Incident Response Processes – Do people know what to do if an incident occurs? Do they know who they should contact?

Backups – Are you backing everything up correctly? Is it encrypted? Have you tested restoring data?

3. Frequency.

Internal audits should be performed quarterly for some activities, annually for others. Whatever the specifics, you need to create a schedule and stick to it (audits are notorious for being back-burnered!).

Do these even if you don’t quite know how. You’ll get better over time; when it comes to internal audits, something is better than nothing.

Final Thoughts on Internal Audits

In general, new companies don’t have these types of legacy problems. Unfortunately, in the world of cybersecurity, legacy means three years. Just because you were aligned with best practices at one point, it doesn’t mean you are anymore.

A robust internal audit is critical to ensuring that you are operating securely AND that you are living up to whatever is in your contracts with customers or that you claim in your literature regarding the protection of other people’s data.

I’ll be checking the vending machine for Bugles if you need me.

To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter, “Tales from the Click.” https://fractionalciso.com/newsletter/

Password Hints: Could your ex guess your password?

November 12, 2020

The first passwords I used as a kid all featured my first and favorite Pokémon, Mudkip.

Sometimes I would include a number (mudkip96), or a number, uppercase, and a special character (Mudkip96!), but the passwords all featured my favorite fictional axolotl nonetheless.

Axolotls are amphibious salamanders. Photo via ZeWrestler on Wikimedia Commons.

It was easy to remember and if I ever did forget, the password hints “What is your favorite Pokémon?” would always be there to help me remember! Unfortunately, password hints are just as helpful for would-be-attackers as they are for you.

One day, my little brother was able to guess my password to “hack” into my laptop.

Thankfully, he didn’t have any malicious intentions. He just needed to print an assignment for school while I wasn’t home – and it’s not like a 12-year-old has bank accounts or sensitive documents that could be stolen anyways. Still, it counts as an account compromise.

Vector of attack? Password hint.

Password hints help your attackers too.

When you create a password with a piece of information about your life – as most people do so they can remember the password – you are giving attackers another way in. A brute force attack is a waste of time if the attackers can just accurately guess the information relevant to you.

The attackers don’t have to actually know anything about you, or be family, to succeed with this method either. Not with the social Internet.

Say you have a pet dog, Shadow. You really love Shadow and you’ll never forget the day you brought him home, December 12. You can incorporate both of those into a nice, easy-to-remember password. You can even include a vague hint that should be enough to remind you without being too specific.

Password: Shadow12

Password Hint: Doggie

Perfect, right?

Well, considering the fact that you’re reading an article about how accounts are compromised by way of password hint, the answer is obviously no!

You love your dog so much you made the following post to Twinstabook.

“Happy ‘Gotcha Day’ to my favorite pupper, Shadow! Can’t believe he’s been in my life for five years now.”

December 12, 2019

That’s enough information for bad guys to guess your password. Worse yet, if you’re like most users, you have a variation of that same password on most websites. Now multiple accounts have been compromised.

XKCD Encryptic: Turning a Breach into a Crossword Puzzle

Password hints are also a liability in the event of a data breach, as Adobe and Adobe users painfully discovered during a data breach that released details for over 153 million accounts in 2013 – including password hints.

Clues intended to help users maintain access to their accounts became shortcuts for attackers to gain access either through simple guesswork, or by giving their brute-force password guessing programs a set of parameters to work within.

For less-malicious people who try to find the games in life, the password hints became a crossword puzzle.

While xkcd author Randall Munroe was inclined to pick silly hints for entertainment purposes, the actual passwords and hints this breach revealed were no laughing matter. The breach cost millions of users their security and credit card data, and it likely cost Adobe millions of dollars to clean up. Plus, the most commonly used passwords are shockingly easy to guess, especially with hints.

Someone was inspired by this xkcd comic and created 10 actual crossword puzzles using passwords from the 1,000 most commonly used passwords in the breach. The clue for each blank is up to 50 of the most commonly used hints for each password.

The crossword puzzles are fun and you can play them here, but the fact that it works at all is frightening from a cybersecurity standpoint. I won’t ruin all 10 puzzles, but there are a few commonly-used passwords and hints worth highlighting.

One concerning combination was this:

Password: asdasd

Most Common Password Hints: asd, dsadsa, asdasd1, asdasdasdasd, easy, keyboard, usual

There is a nonzero number of people using “asdasd” as their usual password and saying as much in their password hint! They’re attaching their credit card information to this account – and likely storing other valuable information between this password too! It shouldn’t take a cybersecurity professional to tell you that this is a bad practice.

Here’s another common password:

Password: shadow

Most Common Password Hints: dog, cat, pet, horse, hedgehog, pet’s name, dog’s name, doggie, dark, usual

Using a pet’s name as a password is a common practice, and it turns out Shadow is a very common name for dogs, cats, and even horses. Again “usual” turns up – confirming the common malpractice of password reuse.

Here’s a veritable classic:

Password: password1

Most Common Password Hints: password, pass, pw1, usual, passwordone, obvious, my password, facebook, regular, same as always.

Here’s a piece of cybersecurity advice: never use “password” in a password!

Unfortunately, the most common user behavior is to follow the path of least resistance. This means easily-memorized passwords, used repeatedly with minimal variation. While some people use vague password hints, others go so far as to literally stating the password in the hint.

Many users will even reuse passwords they created for personal accounts when signing up for business-related services. Imagine if one of your employees used “password1” or “asdasd” for all their personal and business passwords: now a customer-facing data breach could lead into a business account compromise.

What is to be done about password hints?

The unfortunate truth is that millions of people use weak passwords and reuse them for almost every single service or account they sign up for – and that goes for personal and work accounts alike.

The best way to handle this issue is to throw out password hints and user-generated passwords altogether. While we can’t change the foundation of password-based account security, we can use tools to build a better system on top of it.

Goodbye password hints, hello password managers.

A password manager is any tool that saves passwords for later re-use.

Bad passwords are short, simple, easily-guessable, and reused. Good passwords are long, complex, and never reused ever.

Examples of bad password managers include: a Microsoft Excel spreadsheet titled “passwords,” and a notebook in which you write all of your passwords down. While both of these methods might make it easier to remember complex passwords, they don’t make them easier to type in. The Excel spreadsheet isn’t very secure itself, and they’re also just inconvenient enough that users will feel compelled to slip back into bad habits.

On the other hand, great password managers are dedicated programs or services that make it much easier to use good passwords, from start to finish.

They accomplish this with features such as secure password generation, so the user doesn’t need to invent some weird (but secure) string of text, numbers, and characters. Then, passwords are saved to an encrypted location so they are secure and can’t be lost (unlike the Excel file or notebook). When logging back in, an autofill feature can automatically populate the right username and password. That way, the user never even needs to remember whatever text string the generator created.

Logging in and staying secure becomes as simple as a couple of clicks – of course users are going to prefer that to trying to remember if they capitalized the P in “Password1” or not!

Company Password Policy

If you are a business leader and are concerned about the threat password hints and password reuse pose to your company, you can mitigate the threat by creating a good password policy.

A good password policy should require the use of a password manager and ban the reuse of passwords, especially the reuse of personal passwords for business accounts.

At Fractional CISO, all users are required to use a password manager to create and store their passwords. Password reuse is not permitted, and it’s easy to avoid. Password managers are not a one-size-fits-all type deal, and there are lots of great options out there to consider for the needs of your business.

You should also require the use of multi-factor authentication for every account or service that allows it. That way, users should catch any suspicious login attempts before damage can be done.

Even if you’re not a business leader, you should definitely follow all this advice to keep your private information secure too!

The Bottom Line on Password Hints

While Pokémon fansites don’t tend to store credit cards, social security numbers, or secret business data, tons of websites that hundreds of millions of people use every day do. Frighteningly, their minimum security and authentication requirements probably aren’t that different!

Pick a username, pick a password, add a password hint, and/or add recovery questions. (Recovery questions, by the way, aren’t secure either.)

Practice better security than a 12-year-old! Don’t use passwords so easy that anyone can guess them. Do use a password manager to create secure passwords and never reuse them.

Now if you’ll excuse me, I’m off to have a Pokémon battle with my brother.

Want to get great cybersecurity content delivered to your inbox? Sign up for our monthly newsletter, Tales from the Click! https://fractionalciso.com/newsletter/

Permission to reprint xkcd comic is generously provided under https://xkcd.com/license.html Thanks, xkcd.

Permission to use the photo of the axolotls is provided by the Creative Commons Attribution 3.0 license.

Announcing the First vCISO Cybersecurity Scholarship Winner!

November 10, 2020

The world gets a little more digital every day, opening more and more cyber vulnerabilities for bad guys to exploit. It’s time to train more good guys to beef up the cybersecurity defenses of individuals and organizations alike.

To that end, Fractional CISO is pleased to announce the vCISO Cybersecurity Scholarship. This scholarship will support and encourage the development of the next generation of cybersecurity professionals.

Fractional CISO’s vCISO Cybersecurity Scholarship makes $1,000 in annual scholarships available to all currently enrolled students pursuing cybersecurity degrees full-time in the United States.

To qualify, students must be at least 18 years old and studying cybersecurity as their major or postgraduate area of focus at any accredited undergraduate or graduate institution within the United States.

The success of these students is critical in meeting the rising tide of cyber crime. In 2019, The FBI’s Internet Crime Complaint Center (IC3) received over 1,200 incident reports per day, totaling billions of dollars in losses.

“We need many more cybersecurity professionals” said Rob Black, CISSP, managing principal and founder of Fractional CISO. “The skills gap in cybersecurity is a pressing concern for all of society. Through our scholarship fund, we hope to assist students in their cybersecurity study.”

Cybersecurity is a fast growing field with great career prospects for college graduates. The U.S. Bureau of Labor Statistics projects that the number of Information Security Analyst positions will grow 31% from 2019 to 2029 – and that’s only one position in the industry. There is also a quickly growing demand for security developers, network engineers, staff trainers, governance, risk, and compliance specialists.

Professor Massoud Amin, IEEE and ASME Fellow, professor of electrical & computer engineering (ECE), and a University Distinguished Teaching Professor at the University of Minnesota, sees cybersecurity as an important educational field. “The threats to our critical infrastructure are on the rise with evolving spectra of threats and more sophisticated adversaries. Here is the bottom line: The threats and risks are significant, and there is every reason to believe that they will continue to become more significant in the future,” said Amin, a pioneer in cyber physical security and Father of the Smart Grid.

“We need capable colleagues committed to learning and applying cybersecurity and science and technology to protect our critical assets, make our nation safer, more productive, and our economy more secure. I applaud Mr. Rob Black and Fractional CISO for sponsoring cybersecurity scholarships, to recognize and support students learning required skills to enter the cybersecurity industry,” said Professor Amin.

To be considered for the scholarship, students must submit a personal essay about their cybersecurity journey.

The scholarship consists of two annual contests, the first of which was awarded recently. Submission deadline for the second 2020 contest is December 31, with the winner to be notified by February 15, 2021.

Brennan Iannone, the first recipient of the $500 scholarship, is a senior at Arizona State University majoring in cybersecurity. He is a lifelong learner who wants to take on the challenges of the cybersecurity industry.

Brennan Iannone, first recipient of the vCISO Cybersecurity Scholarship.

“I want to help defend organizations and people from cyberattacks by protecting hardware, networks, servers and data from potential breaches,” said Iannone. “I am interested in analyzing structural risks, engaging in ethical hacking to test for weaknesses, and researching cyberattacks on a high level to identify patterns and develop solutions. I want to keep the bad guys from taking information of innocent people and using it to ruin their names, credit, and lives.”

After graduating in Spring 2021, Iannone hopes to take advantage of ASU’s 4+1 program to complete his Masters in Computer Science, with a focus on Cybersecurity, in just five years total.

“This scholarship will help by lowering the costs of college and the number of hours I will need to work throughout my studies,” said Iannone. “It will allow me to continue my academic achievements and hopefully give me time to work an internship and apply for the master’s degree program I will need.”

A $500 scholarship will also be awarded to the winner of the second contest.

Fractional CISO employees, partners, clients and their families are not eligible for the vCISO Cybersecurity Scholarship.

More information about the scholarship can be found here, and applications can be submitted through the form on this page.

Want to great cybersecurity content delivered to your inbox? Sign up for our monthly newsletter, Tales from the Click! https://fractionalciso.com/newsletter/

How to be a CSA STAR

November 5, 2020

Cybersecurity standards, certifications, and frameworks read like so much alphabet soup: AICPA TSP SOC 2, CSA STAR, ISO/IEC 27001, NIST SP 800-53. What does it all mean? Is my food trying to tell me something?

There are so many options with so many messy acronyms, it’s hard to keep track of them, remember what they stand for, and unpack the differences between each. It can be even harder still to decide which one to use for your organization.

It doesn’t help that researching them is a pain, since it’s difficult to figure out what’s what without sifting through pages upon pages of content.

A good place to start is the pleasingly pronounceable CSA STAR, because it has a little bit of everything a company might be looking for in a security framework all in one place. Even if it isn’t a perfect fit, it might help point an organization in the right direction.

First off, what is the CSA? The CSA, or Cloud Security Alliance, is a non-profit organization formed to define and raise awareness for the best practices to secure a cloud computing environment.

The CSA developed a cybersecurity framework called the Security Trust and Risk (STAR) Program. As this is put out by the Cloud Security Alliance, if your organization’s infrastructure is not primarily cloud-based, this is probably not the best framework to adopt. If it does apply, the STAR is worth looking into because it has different levels with options than an organization can choose to use as it best suits them. For example, the STAR has options that can be integrated into an organization’s existing frameworks and certifications, as well as options that can be used for free.

The STAR is an open certification framework that allows organizations to document their cloud security and privacy controls and best practices. Then the organization submits their controls and they are published to the CSA STAR Registry.

The STAR Registry is an easily accessible location where your current (and potential) customers can access your security documentation.

The CSA STAR for security is made of two components, a Cloud Controls Matrix (CCM) and a Consensus Assessments Initiative Questionnaire (CAIQ).

What is the CCM?

The Cloud Controls Matrix is the CSA’s cloud computing cybersecurity controls framework. The CCM has 133 controls which are categorized under 16 cloud technology domains. These controls map to many industry-accepted frameworks such as the National Institute of Standards and Technology’s Special Publication 800-53 (NIST SP 800-53), the International Organization for Standardization/International Electrotechnical Commission 27001 (ISO/IEC) 27001, the Payment Card Industry Data Security Standard (PCI DSS), the American Institute of Certified Public Accountants Trust Services Criteria (AICPA TSP), and others.

Snippet of the CCM | Copyright CSA, used with permission.

The CCM can be used as a tool for cloud implementation assessment and provides guidance on which security controls should be implemented where within the cloud supply chain.

What is the CAIQ?

CAIQ – it’s pronounced “cake,” in case you were wondering.

Snippet of the CAIQ | Copyright CSA

The CAIQ, or Consensus Assessments Initiative Questionnaire, is the CSA’s method for enabling organizations to document their security controls. It is a self-assessment questionnaire that asks yes/no questions about an organization’s compliance to the CCM. The completed CAIQ is the document that an organization submits to the STAR Registry.

Having your organization’s security practices in the STAR Registry could help reduce or eliminate the need for filling out potential customer security questionnaires.

There are 3 levels to the CSA STAR.

CSA STAR Level 1

Level 1 is a self assessment process as described above where an organization fills out the CAIQ and submits it to the STAR Registry. Customers can then look up any registered organization’s security practices. It is free for an organization to be added to the STAR Registry. To stay current, organizations must update the Self-Assessments annually.

The CSA also offers a Privacy related self assessment that allows organizations to demonstrate GDPR compliance in the same manner.

Within STAR Level 1 there is a continuous option. Similar to a SOC 2 Type II audit, the controls are evaluated over a period of time instead of a single point in time. With the Level 1 Continuous option an organization continually updates their CAIQ self assessment every 30 days as opposed to the typical annual requirement.

CSA STAR Level 2

The STAR Level 2 involves a third-party assessment. To achieve STAR Level 2 a third-party assessment firm uses an existing industry standard and incorporates the CSA CCM requirements into its third-party assessment. The CSA STAR Level 2 can be either an Attestation or a Certification depending on which industry standard is chosen. There are two industry standards that can be incorporated into the STAR Level 2, the AICPA SOC 2, and the ISO/IEC 2700:2013.

If an organization uses the AICPA Trust Service Principles to complete a SOC 2 audit with the CCM controls then the organization receives a STAR Level 2 Attestation. The Attestation is valid for a period of one year unless updated.

If an organization chooses to complete an assessment with the CCM and the ISO/IEC 27001:2013 standard requirements then they receive a STAR Level 2 Certification. The Level 2 Certification is valid for three years unless updated.

The ability to integrate the CSA STAR with a SOC 2 or ISO 27001 audit might be beneficial for companies because it allows them to leverage these existing industry assessment programs and make them specific to a cloud environment.

The CSA has a list of approved assessment firms organizations can use for a Level 2 Attestation or Certification. Because of the involvement of a third-party the Level 2 comes with the price tag associated with the chosen assessment firm.

As with STAR Level 1, the Level 2 also has a continuous option. For the Level 2 continuous option an organization adds a continuous CAIQ self assessment that must be updated every 30 days. When the assessment firm conducts a re-certification audit they include the CAIQ submissions into the audit for that period.

CSA STAR Level 3: STAR Continuous

Level 3 is the STAR Continuous. This option is still in the works, but will involve an automated process for continuously monitoring security controls. The automated assessment will use monitoring tools such as network and statistics monitoring, log analytics, and resource utilization. A third-party assessor will then evaluate the continuous monitoring security controls for a given period. Once the assessor assures the organizations continuous control security requirements are met the CSA will issue a STAR Level 3 Certificate.

Licensing

Many organizations misinterpret the licensing for the CCM and CAIQ. The STAR Program’s CCM and CAIQ are freely distributed publicly available resources. However, organizations should be cognisant of the terms and conditions for using the CSA’s resources. Organizations must share their CCM or CAIQ data with customers through the CSA’s publicly accessible STAR Registry. The data can be used internally without publishing but users must add the data to the public registry if they want to share it externally – with a customer, for example. Users are only permitted to privately share the data if they obtain a special license.

So is the CSA STAR right for your organization?

Pros:

If your organization has good security, the CSA STAR Registry will highlight your dedication to it.
Your organization’s security controls are in one easily accessible place for customers to see.
Can reduce or eliminate the amount of customer security questionnaires your organization receives and completes.
Can be integrated into a SOC 2 or ISO 27001 audit.

Cons:

If your organization has lackluster security, the CSA STAR Registry will make that visible.
The CSA Star is only applicable to cloud-based organizations and/or products.
The STAR Registry is transparent and freely accessible, which may not be suitable for organizations that don’t want their security controls to be visible to the general public.

Ultimately you will need to consider the needs of your organization and clients to decide which security framework will serve them best. Whether or not that’s the CSA STAR, I hope this makes one part of that alphabet soup a little easier to understand.

To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/

Monthly Archives: November 2020