The following is an excerpt from Threat Forecasting by authors John Pirc, David DeSanto, Iain Davison, and Will Gragido and published by Syngress. This section from chapter one explores how to navigate today's threat landscape.
In spite of the threats posed by cyber-attacks and data breaches, there are few federal cyber security regulations in place. Most regulations that exist are industry or government specific (at the state or federal level). Today's regulations mostly avoid prescribing specific cyber security measures that should be deployed but instead set forth a standard of a "reasonable" level of security. As such it is best to consider regulatory standards as minimum requirements and build up your security infrastructure accordingly. The following discussion of cyber security regulations is not exhaustive, however is, instead, an overview of selected items we feel currently have the most impact on today's security landscape, standards and best practices. Please thoroughly familiarize yourself with the federal, state and industry-specific regulations impacting your organization.
Industry Specific Guidelines
Although there are relatively few federal cyber security regulations, both the healthcare and the financial sectors are notable because of the established regulations in these industries. If your organization falls into either of these sectors they will be subject to the specified regulatory requirements. Please note that both healthcare and finance are considered critical infrastructures and as such will rely heavily on the National Institute of Standards and Technology (NIST) framework discussed in the next section.
The healthcare industry and its associated institutions are primarily regulated by the guidelines defined in the Health Insurance Portability and Accountability Act (HIPAA) that was passed in 1996. Prior to HIPAA being enacted, there was basically no generally accepted security standard nor was there any general requirements for the protection of health information. It is comprised of multiple sections, or rules, that must be followed in order to remain in compliance. The rule that we would like to discuss is the Security Rule, as it provides the governance with respect to technology and the protection of electronic protected health information (e-PHI). According to the HIPAA Security Rule Summary, the Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:
- ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained or transmitted
- identify and protect against reasonably anticipated threats to the security or integrity of protected information
- protect against reasonably anticipated, impermissible uses or disclosures of e-PHI
- ensure compliance to the HIPAA Security Rule of all employees.
The Security Rule defines "confidentiality" as meaning that e-PHI is not to be made available or disclosed to anyone unauthorized to access it and it follows the definition of "confidentiality" as outlined in the HIPAA Privacy Rule. The Security Rule also defines several other key areas that must be considered while operating within the healthcare industry including:
- Risk Analysis and Management -- Performing regular risk analysis as part of the defined security management process
- Administrative Safeguards -- Designating an official security officer, putting in place the proper security management process to oversee items like risk analysis and performing regular workforce training
- Physical Safeguards -- Securing facility access as well as access to workstations and devices that may have access to e-PHI
- Technical Safeguards -- Having proper access control, auditability, integrity controls and secure transmissions when accessing e-PHI
- Policies and Procedures and Documentation Requirement -- Adopting reasonable and appropriate policies to comply with all requirements of the Security Rule as well as maintaining a defined document retention policy.
To dive more deeply into HIPAA, please refer to the Health Information Privacy section of the U.S. Department of Health & Human Services website (http://www.hhs.gov/hipaa).
Author: John Pirc, David DeSanto, Iain Davison, and Will Gragido
Learn more about Threat Forecasting from publisher Syngress
At checkout, use discount code PBTY25 for 25% off this and other Elsevier titles
The financial industry is subject to a number of different regulatory requirements. A patchwork quilt of regulation exists because the regulatory environment has evolved over several decades. This patchwork nature of legislation can make navigating the regulatory environment challenging for financial institutions. New legislation often not only sets forth added regulatory requirements, but also amends and updates previous legislation and regulatory requirements. The Center for Strategic and International Studies has released a report that covers the evolution of the financial industry regulatory environment in depth; we recommend this report for those interested in a more detailed picture than the one provided in this chapter.
Most of the regulations we will reference in this chapter do not explicitly spell out cyber security requirements. Instead these regulations require organizations to implement "information security systems" for various purposes (e.g., consumer data protection, identity theft protection and reporting requirements). As legislation has been updated and amended over the years, the meaning of "information security systems" has evolved in an attempt to address the needs of today's cyber security environment. Table 1.1 below provides a summary of some legislation pertinent to our discussion; it is not meant to be an exhaustive list.
In part because of the lack of specificity in many regulations, financial institutions often turn to the guidance, standards and frameworks provided by outside organizations. Regulatory authorities have found that 90% of financial institutions examined used one or more of these frameworks or standards. We will discuss two of these (PCI DSS and NIST) in the next section, Best Practices, Standards and Framework.
Cyber Security Information Sharing Legislation: Watch this Space
Of course, as the cyber security landscape continues to change, so too will the regulatory landscape. For example, the Cybersecurity Information Sharing Act (CISA) is a bill newly enacted at the time of this writing. The CISA seeks to facilitate information sharing between the government and private companies: "In essence, the law allows companies to directly share information with the Department of Defense (DoD) (including the National Security Agency (NSA)) without fear of being sued." Time is needed before the impact of information sharing legislation can be assessed, but individuals within the information technology and information security community should keep abreast of this and other legislative efforts as they emerge.
Best practices, standards, and frameworks
Because the regulations that do exist mostly avoid prescribing specific cyber security measures, organizations have turned to security standards and frameworks. These provide templates upon which organizations can model their cyber security programs. These standards and frameworks help an organization build a solid foundation of cyber security practices. Following these guidelines will help an organization meet the "reasonable" standard set forth in the few existing federal guidelines. However, to effectively engage in threat forecasting, we believe organizations treat these guidelines as just that. They provide guidance, but you often must add to your cyber security infrastructure and practices in order to reap the benefits of threat forecasting.
Read an excerpt
Download the PDF of chapter one in full to learn more!
First published in May 2009, the Payment Card Industry Data Security Standards (PCI DSS) establishes guidelines for "all merchants and organizations that store, process or transmit" payment card data. Because of the prevalent use of payment cards, these standards reach industries far beyond the financial sector. Although not mandated by federal regulations, compliance with PCI DSS is nonetheless important. Mandatory compliance is established and enforced by major payment card brands. The PCI DSS establishes data security standards for merchants and card processors (see Table 1.2) and outlines an ongoing process of PCI DSS compliance.
If an organization accepts or processes payment cards, it must comply with PCI DSS. The PCI security standards establish reasonable goals for organizations dealing with payment cards and actions required to meet those goals. These goals and requirements are set forth as common sense steps an organization must
take in order to establish a reasonable level of security. As previously noted, these requirements are a starting point and should be viewed as necessary but not sufficient in organizations striving to build a robust security environment. Table 1.2 summarizes the established goals and requirements.
In order to maintain PCI DSS compliance, the Standards require an ongoing three step process and provide Independent Qualified Security Assessors to monitor and validate compliance. Although the PCI DSS sets overarching industry standards, each major payment card brand maintains its own compliance program. The three step process established by the PCI DSS is in line with cyber security best practices and requires organizations to take steps to assess, remediate and report on their card processing cyber security environments on an ongoing basis (Fig. 1.2). Affected organizations must assess their payment card transaction environments, examining cyber security infrastructure, policies and procedure for vulnerabilities. As identified, steps must be taken to remediate vulnerabilities. Necessary reports must then be compiled to document vulnerabilities identified and steps taken to remediate. As noted, these steps are ongoing, and organizations are expected to incorporate these three steps into their cyber security and IT practices regularly.
NIST Cyber Security Framework
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was created specifically to strengthen protection for companies classified as critical infrastructure, however the CSF's sphere of influence has quickly expanded. Organizations beyond those classified as critical infrastructure have also been looking to the CSF for guidance. Although compliance with the CSF standards is voluntary, it has emerged as the standard against which organizations are judged after a data breach occurs.
The CSF is organized into five core functions: Identify, Protect, Detect, Respond, and Recover. These core functions are then further branched into several tiers "which describe the level of sophistication and rigor an organization employs in applying its cyber security practices."9 Much has been written about the CSF, its core functions and organizational impacts, so we won't dive too deeply into the framework. Please familiarize yourself with these standards as they apply to your organization. When you begin the process of implementing threat forecasting practices in your organization (explained in Chapter 9), the NIST CSF may be a useful starting point when implementing phase one and evaluating your organization's current cyber security practices, policies and procedures.
Defense in Depth
We strongly believe that defense in depth is the correct deployment strategy for any organization. While it may be more convenient to have a single appliance solution from a deployment standpoint, no single appliance is capable of successfully facing all security challenges. Furthermore, we recommend a blended security vendor environment within your infrastructure. Deploying a single vendor environment, even if it is multiple products from that security vendor, only allows you to benefit from one research team. Deploying a blended vendor environment gives you access to multiple research teams who may have access to different attack vectors (i.e., different research data) and thus provides better security coverage. In our book Blackhatonomics, we discuss defense in depth in terms of tier 1 and tier 2 technologies. Especially in large corporations, these are the basic building blocks, in the form of tools and technologies, for building a security infrastructure.
Tier 1 Security Technologies
According to current best practices and regulations, the following tier 1 technologies are considered "need to have" when building out a reasonably secure infrastructure:
- Firewall or next-generation firewall
- Desktop anti-virus
- Secure web gateway
- Messaging security
- Intrusion detection/prevention systems
- Encryption (in transit or at rest)
- Security information event management.
Tier 2 Security Technologies
Tier 2 security technologies are often considered "nice to have" when building out a security infrastructure. These technologies are used by organizations with more sophisticated security infrastructures. They are also often purchased by organizations in the aftermath of a major security data breach. Building an infrastructure that combines tier 1 and tier 2 security technologies provides the most robust risk protection. Tier 2 technologies include:
- Advanced threat detection
- Network and desktop forensics
- Network and desktop data leakage protection
- Behavioral-based analysis
- Security/threat intelligence feeds
- Threat forecasting and modeling.
Update and Evaluate Security Products and Technologies
Do not focus myopically on new security vulnerabilities. IT and security teams can display very reactionary behavior when it comes to new vulnerabilities and it is our opinion that you should understand your infrastructure and its potential weaknesses as opposed to reacting to every new announcement (though note we are not saying it is not important to stay abreast of new threats). The Verizon 2015 Data Breach Investigations Report (DBIR) found that when attacks exploit a known vulnerability, "99.9% of the exploited vulnerabilities had been compromised more than a year after the associated common vulnerabilities and exposures (CVE) was published." This highlights the need for organizations to develop thoughtful policies and procedures for installing patches and updates on existing infrastructure (both endpoints and network devices). Organizations that do not keep abreast of release notes and update devices accordingly are at greater risk of a data breach.
Cyber Security and the Human Factor
No discussion of security best practices can be considered complete without factoring in employee behavior. From phishing scams to social engineering, your employees are likely your largest security vulnerability. We believe every employee should be security-minded. Although turning your employees from security liabilities to champions requires organizational effort, a thorough (and engaging) training effort can pay dividends. The Target data breach is believed to be associated with the successful social engineering of one of Target's suppliers. For more information on this data breach, please refer to Chapter 9 (Connecting the Dots).
About the author:
John Pirc has more than 19 years of experience in security R&D, worldwide security product management, marketing, testing, forensics, consulting, and critical infrastructure architecting and deployment. Additionally, he is an advisor to HP’s CISO on Cyber Security and lectured at the US Naval Post Graduate School. Mr. Pirc’s extensive expertise in the security field stems from past work experience with the US Intelligence Community, as Chief Technology Officer at CSG LTD, Product Manager at Cisco, Product Line Executive for all security products at IBM Internet Security Systems, Director at McAfee's Network Defense Business Unit, Director of Product Management at HP Enterprise Security Products, Chief Technology Officer at NSS Labs, Co-Founder and Chief Strategy Officer at Bricata, LLC and most recently as Director of Security Solutions for Forsythe Technology. In addition to a BBA from the University of Texas, he also holds the NSA-IAM and CEH certifications. Mr. Pirc has been named security thought leader from SANS Institute, speaks at top-tier security conferences worldwide and has been published in Time Magazine, Bloomberg, CNN and other major media outlets.
David DeSanto is a network security professional with more than 15 years of security research, security testing, software development and product strategy experience. He is the Director, Products & Threat Research for Spirent Communications where he drives product strategy for all Application Security testing solutions. Mr. DeSanto also manages the security engineering team responsible for the research, development and validation of new security attacks as well as development of all engine components that support them. Prior to Spirent, his career has included roles at top security research and testing labs where his expertise guided these organizations in creating industry-leading security tests and solutions for enterprises, services providers and network equipment vendors. Mr. DeSanto holds a Master of Science in Cybersecurity from New York University School of Engineering and Bachelor of Science in Computer Science from Millersville University. He is a frequent speaker at major international conferences on topics including threat intelligence, cloud security, GNSS security issues and the impacts of SSL decryption on today’s next-generation security products.
Iain Davison has more than 16 years of security experience with many skills ranging from penetration testing to creating and building intrusion prevention devices; this includes knowledge of programming languages, scripting and compiling software. He is currently Security Engineer at Exabeam. Previously, Mr. Davison performed network architecture, hardware design, software design and implementation. Now that he is on the Exabeam team, he may be willing to write yet another book based around UBA and all the things it can it can do in the enterprise.
Will Gragido possesses more than 21 years of information security experience. A former United States Marine, he began his career in the data communications information security and intelligence communities. After USMC, Mr. Gragido took on several information security consultancy roles performing and leading red teaming, penetration testing, incident response, security assessments, ethical hacking, malware analysis and risk management program development. He has worked with a variety of industry leading research organizations including International Network Services, Internet Security Systems/IBM Internet Security Systems X-Force, Damballa, Cassandra Security, HP DVLabs, RSA NetWitness, and now Digital Shadows. Mr. Gragido holds a CISSP and has accreditations with the National Security Agency's Information Security Assessment Methodology (IAM) and Information Security Evaluation Methodology (IEM). He is a graduate of DePaul University and is currently in graduate school. An internationally sought-after speaker, he is co-author of Elsevier’s Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats and Blackhatonomics: An Inside Look At The Economics of Cybercrime.