<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6569213714636569218</id><updated>2026-03-01T22:00:37.244-05:00</updated><category term="CIS Controls"/><category term="Center for Internet Security"/><category term="CIS"/><category term="Information Security"/><category term="Cybersecurity"/><category term="Email"/><category term="Access Control"/><category term="Audit"/><category term="CISSP"/><category term="Certifications"/><category term="Coronavirus"/><category term="Cyber Criminals"/><category term="Data Security"/><category term="Emergency Fund"/><category term="Encryption"/><category term="Hackers"/><category term="Information Technology"/><category term="Outlook"/><category term="Penn State"/><category term="Ransomware"/><category term="Signed Email"/><category term="Smartcard"/><category term="Account Management"/><category term="Account Reviews"/><category term="Active Directory"/><category term="Alerting"/><category term="Animal Sounds"/><category term="Anti-malware"/><category term="Anti-virus"/><category term="Application Development"/><category term="Asset Allocation"/><category term="Asset Inventory"/><category term="Browser"/><category term="CIS Benchmarks"/><category term="CISA"/><category term="Calendar"/><category term="Career"/><category term="Credit Cards"/><category term="DAST"/><category term="DNS Filtering"/><category term="Data Backup"/><category term="Data Loss Protection"/><category term="Data Recovery"/><category term="Dave Ramsey"/><category term="Debit Cards"/><category term="EDR"/><category term="Elm Trees"/><category term="Encrypted 
Email"/><category term="Facebook"/><category term="Fall Foliage"/><category term="Finances"/><category term="Financial Fraud"/><category term="Financial Goals"/><category term="Google"/><category term="How To"/><category term="IT"/><category term="Incident Response"/><category term="InfoSec"/><category term="Insider Threat"/><category term="Investor Policy Statement"/><category term="Logging"/><category term="Logs"/><category term="Lotus Notes"/><category term="MFA"/><category term="Malware"/><category term="Malware Prevention"/><category term="Mel Torres"/><category term="Network Architecture"/><category term="Network Monitoring"/><category term="OSSEC"/><category term="OWASP"/><category term="Old Botany Building"/><category term="Passwords"/><category term="Pattee Library"/><category term="Pattee Mall"/><category term="Pen Testing"/><category term="Phishing"/><category term="PowerShell"/><category term="SAST"/><category term="SIEM"/><category term="STIG"/><category term="Salary"/><category term="Security Awareness"/><category term="Security Tools"/><category term="Separate Accounts"/><category term="Service Provider Management"/><category term="Software Inventory"/><category term="TV"/><category term="The Elms"/><category term="Training"/><category term="Travel Points"/><category term="Video"/><category term="Virus"/><category term="Vulnerability Management"/><category term="WAF"/><category term="YouTube"/><title type='text'>Notes from the Field of Information Security</title><subtitle type='html'>by Greg Halpin</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.greghalpin.net/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default?redirect=false'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6569213714636569218/posts/default?start-index=26&amp;max-results=25&amp;redirect=false'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>32</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-1669922529247116710</id><published>2024-03-02T15:15:00.002-05:00</published><updated>2024-03-02T15:16:43.869-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CIS"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="OWASP"/><category scheme="http://www.blogger.com/atom/ns#" term="Pen Testing"/><title type='text'>Notes from the Field - CIS Control 18 - Penetration Testing</title><content type='html'>&lt;p&gt;&lt;span style=&quot;white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;While working with clients I will review their latest penetration test report. Penetration tests are a great way to obtain independent and unfiltered information about your organization’s vulnerabilities. The tests are usually performed by an outside information security firm, giving you an outsider’s view of what’s going on at your company. 
That view is valuable as outsiders provide another perspective.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span id=&quot;docs-internal-guid-0b54acbc-7fff-1c9f-4771-f444d9220643&quot;&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The first thing I look to see is if it’s a real pen test or a typical vulnerability scan. Unfortunately, &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisfTNm9O8hijiTYCdN8o4wmNV3xp0MTcoMVK6r29kddRir0Gddb3Oy8fUXQWM2pbUP6iSf17WH4kJIdd6VNCo2zn8YMVYksxHfVMfX4jHWxiKUj6Ca3_sa-5CNF6rla8LeQFgte7i-UUrAwanVa_EvshVXbt89KP7vh_YHt58F-di9iIK9TvrNBW5g7zGw/s4032/IMG_4762.jpg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;3024&quot; data-original-width=&quot;4032&quot; height=&quot;300&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisfTNm9O8hijiTYCdN8o4wmNV3xp0MTcoMVK6r29kddRir0Gddb3Oy8fUXQWM2pbUP6iSf17WH4kJIdd6VNCo2zn8YMVYksxHfVMfX4jHWxiKUj6Ca3_sa-5CNF6rla8LeQFgte7i-UUrAwanVa_EvshVXbt89KP7vh_YHt58F-di9iIK9TvrNBW5g7zGw/w400-h300/IMG_4762.jpg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;i&gt;Circles in the Sand at Bandon Beach, Oregon&lt;/i&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span 
style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;clients often pay for a pen test and receive a vulnerability scan report that they could have produced themselves without having paid tens of thousands of dollars.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;A true pen test report will include the scope of the test. The report lists the tools and procedures performed. The pen testers will attempt manual exploitations of vulnerabilities that were identified by scans. Tests should also include phishing and spear-phishing attempts, other social engineering, and physical penetration attempts. 
Unlike vulnerability scans, which may only take a few hours, pen tests may take several days or weeks, depending on the size and complexity of the organization.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;In this post I discuss Center for Internet Security Control 18 - Penetration Testing. This is the 18th and final post in a series on the &lt;/span&gt;&lt;a href=&quot;https://www.cisecurity.org/controls&quot; style=&quot;text-decoration-line: none;&quot;&gt;&lt;span style=&quot;color: #1155cc; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;Center for Internet Security Controls&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;. The document consists of 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. The document contains high level information that executives can understand and also has specific details about tools and procedures for technical staff to run with. 
I recommend it to all my clients for information security guidance.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;The Overview for Control 18 - Penetration Testing is -&lt;/span&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt; &lt;/span&gt;&lt;span style=&quot;font-style: italic; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker&lt;/span&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p 
dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;Why is this Control Critical?&lt;/span&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt; No company is completely secure, even organizations with mature information security policies, tools, procedures, and well trained staff. Existing technologies continuously change. New technologies are released daily. Systems are very complex. New vulnerabilities are discovered every day. Attackers leverage these factors to bypass your company&#39;s security controls and trick your employees into giving up their credentials.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;It is imperative that your organization periodically undergo penetration tests by qualified independent internal or external parties. Pen tests can identify gaps in your company’s security tools, configurations or staff training. 
Use the identified gaps to make adjustments to your environment and provide the additional training needed to improve your organization’s security posture.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;CIS Control 18 has 5 safeguards&lt;/span&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt; in support of incident response. They are:&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;18.1 Establish and Maintain a Penetration Testing Program -&lt;/span&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt; this one is pretty clear in which your organization creates its pen test program, defining the scope of testing. 
That can include specific networks, web applications, APIs, hosted services, social engineering, physical security.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;18.2 Perform Periodic External Penetration Tests - &lt;/span&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;perform external pen tests at least annually. I recommend pen tests at least twice a year. People often say their environments are static and pen tests more than once a year are unnecessary. But are the environments truly static? Organizations install security updates monthly and deploy application code updates frequently. They also change configurations, sometimes inadvertently. 
Pen tests will help identify vulnerabilities not detected by regular vulnerability scans.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;18.3 Remediate Penetration Test Findings - &lt;/span&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;this one is also pretty clear. Remediate the findings by updating vulnerable code, installing security patches, correcting configuration issues, better physical security controls, and providing better training for individuals who fell for social engineering efforts. Prioritize remediation according to the severity of the findings. For small environments, there may be a handful of findings that can be resolved quickly. 
For large environments with many applications and hundreds or thousands of systems, remediation is more involved and time consuming.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;18.4 Validate Security Measures - &lt;/span&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;this involves tasks such as reviewing security controls and tools, WAF rules, and firewall rules. 
Determine if rules need to be more rigorous or additional tools added to protect your organization.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;18.5 Perform Periodic Internal Penetration Tests - &lt;/span&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;Perform internal pen tests at the same frequency as external pen tests. Again, you may likely meet your security framework requirements by performing internal pen tests annually. But you want to do them at least twice a year to identify code issues, vulnerabilities, and misconfigurations.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CIS Control document states that internal and external pen tests should be performed by a qualified party. What is a qualified party? Do pen tests need to be performed by an external security firm? Pen tests do not need to be done by an external company. 
But the tests should be performed by an organizationally independent team.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Larger organizations often have internal security departments with pen test teams that are independent of the departments they test. Smaller organizations may need to engage a security firm to perform the testing. In any event, the person or team performing the testing should not be the same individual or team responsible for managing the systems. The pen test reports need to be delivered to the senior manager as well as to the team that manages the systems. It’s important for senior management to be aware of the risks to the organization identified in the report and provide appropriate oversight. I’ve seen cases where the pen tests are only delivered to the individuals that manage the systems. Management is not informed about the threats the company faces.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;The CIS Controls document lists as a resource the PCI Security Standards Council. 
It discusses pen test methodology, scope, reports, case studies, and the qualifications for pen testers in its &lt;/span&gt;&lt;a href=&quot;https://docs-prv.pcisecuritystandards.org/Guidance%20Document/Penetration%20Testing/Penetration-Testing-Guidance-v1_1.pdf&quot; style=&quot;text-decoration-line: none;&quot;&gt;&lt;span style=&quot;color: #1155cc; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;Penetration Test Guidance&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt; publication. The document also lists as an additional resource &lt;/span&gt;&lt;a href=&quot;https://www.isecom.org/OSSTMM.3.pdf&quot; style=&quot;text-decoration-line: none;&quot;&gt;&lt;span style=&quot;color: #1155cc; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;OSSTMM 3 - the Open Source Security Testing Methodology Manual&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: 
normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Penetration testing, combined with the other CIS Controls will help your organization better protect your company and customer data.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/1669922529247116710/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2024/03/notes-from-field-cis-control-18.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/1669922529247116710'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/1669922529247116710'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2024/03/notes-from-field-cis-control-18.html' title='Notes from the Field - CIS Control 18 - Penetration Testing'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisfTNm9O8hijiTYCdN8o4wmNV3xp0MTcoMVK6r29kddRir0Gddb3Oy8fUXQWM2pbUP6iSf17WH4kJIdd6VNCo2zn8YMVYksxHfVMfX4jHWxiKUj6Ca3_sa-5CNF6rla8LeQFgte7i-UUrAwanVa_EvshVXbt89KP7vh_YHt58F-di9iIK9TvrNBW5g7zGw/s72-w400-h300-c/IMG_4762.jpg" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-3860099409733755893</id><published>2024-01-14T16:48:00.006-05:00</published><updated>2024-01-28T16:28:34.491-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CIS"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Incident Response"/><title type='text'> Notes from the Field - CIS Control 17 - Incident Response Management</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial; white-space-collapse: preserve;&quot;&gt;The client I was working with had a SaaS application hosted in AWS. When we discussed how they would respond if their data were compromised, they said that wasn’t a serious concern as the data the company collected was of little value. Nobody would want it. It didn’t have personally identifiable information (PII), such as social security numbers, license numbers or medical information. When I raised the prospect of a ransomware attack and the damage it could do to their operations and reputation, they began to realize the potential consequences of their lack of preparation. Most companies understand that they could be the target of an attack. Some don’t. 
But all need incident response processes in place for when an incident occurs.&lt;/span&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhtB6q1ioZgKkmczKotZ75YHtYMRTbMij4PZjvOnhMFoanlM3X6julJZvp1XtH6RYuKw1vhZ_PEuq9ZATJcUwJgX_OGP2-vzy4oJ8XdpJN46qGD8jYaa4c3Rq4Nw3k7RTjSnCzz_nCGrFxx2of5E9t_-EGCxMixG0kOPvmoV9x9vDp3fQy6v_JtYkdhs0A/s4032/IMG_6464.jpg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;3024&quot; data-original-width=&quot;4032&quot; height=&quot;300&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhtB6q1ioZgKkmczKotZ75YHtYMRTbMij4PZjvOnhMFoanlM3X6julJZvp1XtH6RYuKw1vhZ_PEuq9ZATJcUwJgX_OGP2-vzy4oJ8XdpJN46qGD8jYaa4c3Rq4Nw3k7RTjSnCzz_nCGrFxx2of5E9t_-EGCxMixG0kOPvmoV9x9vDp3fQy6v_JtYkdhs0A/w400-h300/IMG_6464.jpg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;i&gt;Castillo San Felipe del Morro, San Juan, Puerto Rico&lt;/i&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;In this post I discuss the Center for Internet Security Control 17 - Incident Response Management. 
The &lt;/span&gt;&lt;a href=&quot;https://www.cisecurity.org/controls&quot; style=&quot;font-family: arial; text-decoration-line: none;&quot;&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;color: #1155cc; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;Center for Internet Security Controls&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family: arial; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt; are 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. The document contains high level information that executives can understand and also has specific details about tools and procedures for technical staff to run with. 
I recommend it to all my clients for information security guidance.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;span id=&quot;docs-internal-guid-634ec128-7fff-cd6f-d6ed-d905ed94a119&quot; style=&quot;font-family: arial;&quot;&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;The Overview for Control 17 is &lt;/span&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;- &lt;/span&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-style: italic; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack&lt;/span&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: 
baseline; white-space-collapse: preserve;&quot;&gt;Why is this Control Critical?&lt;/span&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt; Companies often don&#39;t have incident response and recovery capabilities even when they have detection and prevention controls in place. If such a company does have a compromise or other incident, they may not have people with the appropriate skills and experience to contain the incident and keep it from spreading. Without a full understanding of such attacks, incident responders will be in a perpetual state of being a step behind attackers. Even with a good plan and people, it&#39;s important that regular training be provided to the staff who will respond to incidents.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;b&gt;Control 17 has 9 safeguards in support of incident response&lt;/b&gt;. 
They are:&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span id=&quot;docs-internal-guid-634ec128-7fff-cd6f-d6ed-d905ed94a119&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;17.1 Designate Personnel to Manage Incident Handling&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;white-space-collapse: preserve;&quot;&gt;17.2 Establish and Maintain Contact Information for Reporting&amp;nbsp;&lt;/span&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;white-space-collapse: preserve;&quot;&gt;Security Incidents&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;span&gt;&lt;p style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;17.3 Establish and Maintain an Enterprise Process for Reporting Incidents&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: 
left;&quot;&gt;&lt;span&gt;&lt;div style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;17.4 Establish and Maintain an Incident Response Process&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;17.5 Assign Key Roles and Responsibilities&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;span&gt;&lt;p style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;17.6 Define Mechanisms for Communicating During Incident Response&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;span&gt;&lt;p style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;17.7 Conduct Routine Incident Response Exercises&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;span&gt;&lt;p style=&quot;line-height: 1.38; 
margin-bottom: 0pt; margin-top: 0pt; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;17.8 Conduct Post-Incident Reviews&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;span&gt;&lt;p style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;17.9 Establish and Maintain Security Incident Thresholds&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;Let&#39;s take a look at a few of these starting with &lt;b&gt;17.1 Designate Personnel to Manage Incident Handling&lt;/b&gt;. Smaller and mid-size companies I&#39;ve worked with often don&#39;t have a dedicated Security Operations Center (SOC). Incident response falls to the DevOps or IT teams. But the roles are not formally assigned. The individuals who must respond often don&#39;t know they are responsible until there is an incident. Their regular duties don&#39;t include responding to incidents. 
When one happens they are unprepared to take appropriate action.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;b&gt;17.4 Establish and Maintain an Incident Response Process and 17.5 Assign Key Roles and Responsibilities -&lt;/b&gt; you can combine these two safeguards and potentially the first five safeguards. This is where you document an incident response policy and process. You identify the specific roles and responsibilities for responding to incidents. Establish processes for how individuals will report incidents and the activities to respond.&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;b&gt;17.7 Conduct Routine Incident Response Exercises&lt;/b&gt; is key for all companies, particularly those without a SOC or other personnel who routinely respond to incidents. It&#39;s important for teams to engage in monthly or quarterly training to run through attack scenarios and how they would respond. Each team member would become more and more familiar with their role in incident response processes and what action to take. 
While not a replacement for actual experience, the individuals involved will understand what to do rather than try to figure it out during an actual incident.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;b&gt;17.8 Conduct Post-Incident Reviews&lt;/b&gt; is where teams use lessons learned from an incident to determine how to improve their response procedures in advance of the next incident. What could they have done differently or would the response have been better if the tasks were performed in a different order? Did any steps slow down the response process? What controls can they put in place now to prevent or mitigate this same type of attack from occurring in the future?&amp;nbsp; What tools do they need to better respond? Agree among the team on next steps going forward, such as updating the incident response checklist or playbook.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span face=&quot;Arial, sans-serif&quot; style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;CIS Control 17 is a good way to get started with incident response management. 
In the next post, I will cover the final control, Center for Internet Security Control 18 - Penetration Testing.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/3860099409733755893/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2024/01/notes-from-field-cis-control-17.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3860099409733755893'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3860099409733755893'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2024/01/notes-from-field-cis-control-17.html' title=' Notes from the Field - CIS Control 17 - Incident Response Management'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhtB6q1ioZgKkmczKotZ75YHtYMRTbMij4PZjvOnhMFoanlM3X6julJZvp1XtH6RYuKw1vhZ_PEuq9ZATJcUwJgX_OGP2-vzy4oJ8XdpJN46qGD8jYaa4c3Rq4Nw3k7RTjSnCzz_nCGrFxx2of5E9t_-EGCxMixG0kOPvmoV9x9vDp3fQy6v_JtYkdhs0A/s72-w400-h300-c/IMG_6464.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-8059178117900974487</id><published>2023-12-03T13:01:00.002-05:00</published><updated>2026-03-01T22:00:37.046-05:00</updated><category 
scheme="http://www.blogger.com/atom/ns#" term="Application Development"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="DAST"/><category scheme="http://www.blogger.com/atom/ns#" term="SAST"/><title type='text'>Notes from the Field - CIS Control 16 - Application Software Security</title><content type='html'>&lt;span style=&quot;font-family: arial;&quot;&gt;Working recently with a small Software as a Service (SaaS) company, it quickly became clear they didn&#39;t have much in place by way of security. They didn&#39;t have a documented policy. They didn&#39;t do code reviews. New code releases were deployed on the fly. They didn&#39;t do security scans of the code or the web application. They didn&#39;t have a WAF. The application database was hosted on the same server as the application server. There were a handful of developers who had many years of experience. They were supposedly knowledgeable in software development best practices and didn&#39;t need what they considered rigid and unnecessary security controls.&lt;br /&gt;&lt;br /&gt;That&#39;s when I discussed some basics around application security from CIS Control 16. The &lt;a href=&quot;https://www.cisecurity.org/controls&quot;&gt;Center for Internet Security Controls&lt;/a&gt; are 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. The document contains high level information that executives can understand and also has specific details about tools and procedures for technical staff to run with. 
I recommend it to all my clients for information security guidance.&amp;nbsp;&lt;br /&gt;&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right; margin-left: 1em; text-align: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4G4Mm1P31VTUCAmfmyK2-7IFRubFzTqvg_h5AolWqycXAQ-GwesxBBaxMHgGYkjsAxud6x5778X0AwHRRZCgCWxtiCA4_Yrh0fraqw9qFcFMLDO9dHRAOeICAe2RPzj9u9aFpqUdpR5XYpPiaymSOAVq97CCV0dv5BNMZPrGfdJ73_duvySAg-Rz5VYYb/s4032/IMG_8424.jpg&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;3024&quot; data-original-width=&quot;4032&quot; height=&quot;300&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4G4Mm1P31VTUCAmfmyK2-7IFRubFzTqvg_h5AolWqycXAQ-GwesxBBaxMHgGYkjsAxud6x5778X0AwHRRZCgCWxtiCA4_Yrh0fraqw9qFcFMLDO9dHRAOeICAe2RPzj9u9aFpqUdpR5XYpPiaymSOAVq97CCV0dv5BNMZPrGfdJ73_duvySAg-Rz5VYYb/w400-h300/IMG_8424.jpg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;i&gt;Warning Sign at Colyer Lake in Central PA&lt;/i&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/span&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;The Overview for Control 16 -&amp;nbsp;Application Software Security is&lt;/b&gt; -&lt;i&gt;&amp;nbsp;Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.&lt;/i&gt;&lt;/span&gt;&lt;/p&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Why is this control critical? 
&lt;/b&gt;Attackers can use a company&#39;s own public-facing applications to bypass network security tools and compromise company and customer data. Attackers can also use applications to steal user credentials and install malware on user systems. Today&#39;s applications are complex and are designed to be accessible from many different platforms - web browsers, mobile apps, API calls. Development cycles are much more frequent than they used to be, as much as multiple times per day or week compared to a release once or twice a year. Additionally, developers use many open-source libraries that need to be kept up to date. These elements make application security very challenging. That makes it imperative to implement and maintain proper security controls in support of in-house developed and off-the-shelf applications.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;&amp;nbsp;&lt;/span&gt;Control 16 includes 14 sub-controls or safeguards. 
They are:&lt;/span&gt;&lt;/div&gt;&lt;blockquote style=&quot;border: medium; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.1 Establish and Maintain a Secure Application Development Process&lt;/span&gt;&lt;/div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.3 Perform Root Cause Analysis on Security Vulnerabilities&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.4 Establish and Manage an Inventory of Third-Party Software Components&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.5 Use Up-to-Date and Trusted Third-Party Software Components&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.7 Use Standard Hardening Configuration Templates for Application Infrastructure&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.8 Separate Production and Non-Production Systems&lt;br /&gt; &lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.9 Train Developers in Application Security Concepts and Secure Coding&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.10 Apply Secure Design Principles in Application Architectures&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.11 Leverage Vetted Modules or Services for Application Security Components&lt;br /&gt; &lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.12 Implement Code-Level Security Checks&lt;br /&gt; &lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.13 Conduct Application 
Penetration Testing&lt;br /&gt; &lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;16.14 Conduct Threat Modeling&lt;/span&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Let&#39;s discuss some of the above controls. The very first one, &lt;b&gt;Control 16.1 - Establish and Maintain a Secure Application Development Process&lt;/b&gt; lays the groundwork for the entire control and the safeguards that follow it. Document a policy and implement procedures at your organization that establish development requirements - such as restricting access to code repositories; code reviews by a peer or a team lead before code advances in the code pipeline; SAST scans of code and libraries to identify vulnerabilities; DAST scans of the running application. QA testing and user acceptance testing should be defined.&amp;nbsp;The document should also state how new versions of code are released. Is it an automated process after code has passed a series of manual and automated tests, or is there a team that must sign off on the release of the new version?&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The security standard the company follows should also be listed, such as OWASP Top 10, with at least annual refresher training for developers on common application security concerns.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Control 16.10 - Apply Secure Design Principles in Application Architectures &lt;/b&gt;is so important to get right as it&#39;s difficult to correct if you get it wrong. It&#39;s important to design your application and supporting infrastructure to minimize the attack surface. Some companies put their servers and databases directly on the internet facing the public. The companies I&#39;ve worked with that do have good controls in place generally use Cloudflare&#39;s DDOS and WAF protection to filter all traffic before it reaches AWS load balancers. 
This protects their systems, putting web, application and other servers on private IPs, not directly accessible to the internet. The company also benefits by freeing up resources instead of implementing complex and expensive security controls that they can obtain from Cloudflare or other vendors.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;For Control 16.12 - Implement Code Level Security Checks -&lt;/b&gt;&amp;nbsp;Companies with good development practices use code analysis tools such as BurpSuite, Brakeman, Qualys, and SonarQube to name a few. There are many different tools for specific programming languages. Some of these can be used for DAST scanning of the actual application. In any event, it&#39;s necessary to use such tools to find vulnerabilities in your own code, the libraries your code is built upon, and at the application level.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Control 16.13 - Conduct Application Penetration Testing - &lt;/b&gt;helps identify vulnerabilities in your applications that could not be identified using automated tools. If your organization does not have internal resources that can perform a pen test, engage a security firm to do so. First make sure you know in advance what you will receive from the firm as to what their pen test entails. Clients unfamiliar&amp;nbsp;with pen tests have shown me reports that were basically vulnerability scans with some narrative details about the scope ad&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;ded. No actual manual testing by a skilled offensive security professional was performed. 
And they paid a lot of money for a vulnerability&amp;nbsp;scan.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Ask to see a sample report before deciding on a company. If they decline to provide one, that&#39;s a red flag and you should move on until you find a pen test firm you are confident will conduct a thorough, hands-on test. A thorough pen test will include a discussion with your team and the pen testers about your environment. The report should include actionable recommendations to better secure your application and environment.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Implementing the guidance from CIS Control 16 will go a long way toward protecting your company&#39;s in-house and third-party applications as well as your company and customer data.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In the next post, I discuss CIS Control 17 - Incident Response Management.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/8059178117900974487/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2023/12/notes-from-field-cis-control-16.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/8059178117900974487'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/8059178117900974487'/><link rel='alternate' type='text/html' 
href='http://www.greghalpin.net/2023/12/notes-from-field-cis-control-16.html' title='Notes from the Field - CIS Control 16 - Application Software Security'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4G4Mm1P31VTUCAmfmyK2-7IFRubFzTqvg_h5AolWqycXAQ-GwesxBBaxMHgGYkjsAxud6x5778X0AwHRRZCgCWxtiCA4_Yrh0fraqw9qFcFMLDO9dHRAOeICAe2RPzj9u9aFpqUdpR5XYpPiaymSOAVq97CCV0dv5BNMZPrGfdJ73_duvySAg-Rz5VYYb/s72-w400-h300-c/IMG_8424.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-5874598072237411976</id><published>2023-10-14T15:35:00.007-04:00</published><updated>2024-01-14T17:05:58.846-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Audit"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="CISSP"/><category scheme="http://www.blogger.com/atom/ns#" term="Cybersecurity"/><category scheme="http://www.blogger.com/atom/ns#" term="Service Provider Management"/><title type='text'>Notes from the Field - CIS Control 15 - Service Provider Management</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The client I was conducting a gap analysis for had an incredibly detailed Service Provider Management Policy. It required the company compliance team to conduct due diligence on all prospective service providers, including a risk analysis of each. 
The&amp;nbsp; policy required the compliance team to review the prospective vendor&#39;s SOC 2 audit report, research the vendor&#39;s financial stability, and reputation. The compliance team was to conduct annual reviews of each vendor that included many of the same steps. Great stuff.&lt;/span&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8nqhg164BcXOmr1p21BAjVmarXo38rPhav1yFs0B2vozSX1P93MdttL-YSVcr1oc1Ybu7w9spQzn8UQtvNLX4VqFdh1flGpWuPJzAFDkVXG33edeYhLIjSRecQriuyR0wn9kybt0-X6pmPE6i2YBiKmUAfsZdbmIHRByz9fucrGMRDhyLzKP2k-qvkaTH/s4032/IMG_4452.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;3024&quot; data-original-width=&quot;4032&quot; height=&quot;300&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8nqhg164BcXOmr1p21BAjVmarXo38rPhav1yFs0B2vozSX1P93MdttL-YSVcr1oc1Ybu7w9spQzn8UQtvNLX4VqFdh1flGpWuPJzAFDkVXG33edeYhLIjSRecQriuyR0wn9kybt0-X6pmPE6i2YBiKmUAfsZdbmIHRByz9fucrGMRDhyLzKP2k-qvkaTH/w400-h300/IMG_4452.jpg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;i&gt;Fraley&#39;s Robot Repair Shop, Pittsburgh, PA&amp;nbsp; Airport&lt;/i&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/span&gt;&lt;/div&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;When I asked them to provide evidence of activity in support of due diligence of their newly added service providers from the past year and evidence of 
the reviews of current vendors, they provided a couple of emails listing questions about the service and references to a completed demo of the services. They didn&#39;t have the completed risk analyses or any documentation that they performed reviews of the audit reports or any of the work required by their policy and by industry standards. Why? They found a template policy on the internet and used that as their own. They didn&#39;t actually do much in support of service provider management or think it was important. Like many clients, they thought having a policy was sufficient.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I referred them to the Center for Internet Security Control 15 - Service Provider Management.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The &lt;/span&gt;&lt;a href=&quot;https://www.cisecurity.org/controls&quot; style=&quot;font-family: arial;&quot; target=&quot;_blank&quot;&gt;Center for Internet Security Controls &lt;/a&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;are 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. The free but valuable document contains high level information that executives can understand and also has specific details about tools and procedures for technical staff to run with. 
I recommend it to all of my clients as a starting point for information security guidance.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;We discussed some of the activities they could do in support of Service Provider Management so they have assurance they have done their due diligence and can&amp;nbsp; be confident working with the vendor.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The overview for Control 15 is -&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;i&gt;Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately&lt;/i&gt;.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;There are 7 sub-controls or safeguards for Control 15. They are:&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;15.1 Establish and Maintain an Inventory of Service Providers&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;15.2  Establish and Maintain a Service Provider Management Policy&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;15.3  Classify Service Providers&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; 
padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;15.4. Ensure Service Provider Contracts Include Security Requirements&lt;/span&gt;&lt;/blockquote&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;15.5. Assess Service Providers&lt;/span&gt;&lt;/blockquote&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;15.6. Monitor Service Providers&lt;/span&gt;&lt;/blockquote&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;15.7  Securely Decommission Service Providers&lt;/span&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Why is this control critical? &lt;/b&gt;Companies often rely on service providers for many services, such as data center providers, cloud service providers, and third parties that manage technology and security solutions. There have been many cases where service providers were breached or experienced service outages that impacted the companies relying on them. 
It&#39;s important that your company has practices in place to vet vendors and review them annually.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I recommend that clients who don&#39;t have anything in place begin with a list of their service providers.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Let&#39;s take a look at some of the safeguards:&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;15.1 -&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Establish and Maintain an Inventory of Service Providers&lt;/b&gt; is the logical place to start. Just like CIS Controls 1 and 2 for system and software inventories, it&#39;s necessary to know what you have in order to protect it. It&#39;s the same with service providers. Often the clients I work with don&#39;t have a list of them. It may be a decentralized process in which the department that needs the service is responsible for the due diligence and review activities. No one else in the company is aware the provider is used. The easiest way to start is with a spreadsheet listing each vendor and the service they provide. Include on the list what data they store, process or transmit on your company&#39;s behalf.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;15.2 Establish and Maintain a Service Provider Management Policy&lt;/b&gt; is pretty straightforward. For many areas of information security, a policy is required that outlines what the mandate is, such as maintaining an inventory of service providers in this case, conducting due diligence on new vendors, performing annual reviews of them. 
The policy will also outline&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;the activities in support of the policy - who is responsible for the activities, annual policy reviews and so on.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;15.5. Assess Service Providers &lt;/b&gt;is basically conducting due diligence of service providers before engaging them for services. This entails reviewing their SOC 2 audit report or Attestation of Compliance for PCI-DSS to understand their security controls. For large companies, such as AWS and Azure, that&#39;s as much as you might be able to do as they are not going to allow your company to audit them directly. Nor would it be practical.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;For smaller companies that have not undergone SOC 2 or other audits, you can request they complete a due diligence questionnaire (DDQ) that addresses their security controls. While a questionnaire captures the vendor&#39;s answers to your questions about security, those answers are not evidence that the controls are actually in place and operating effectively. Additionally, you may request evidence, such as completed vulnerability scans, pen tests, reports on patching of systems, and their information security policy.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;15.7 Securely Decommission Service Providers &lt;/b&gt;is a crucial process for protecting your company. Service Providers often store critical data, such as PII, ePHI or credit card holder data. What happens to your data after you stop using a provider? 
Is it stored by the service provider or&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;securely deleted?&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The clients I work with that have a Software as a Service platform often store their customer data forever, unless the customer specifically requests their data to be deleted. Some don&#39;t even have methods to purge their databases of individual customers even if they request it.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;You want to make sure and see evidence that your service providers have deleted all of your sensitive data after you stop using their service. There is no good reason for them to maintain it. If the vendor is compromised years later, the attackers have access to your sensitive data when it never should have been with the former service provider in the first place.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Additionally, you want to revoke service provider access to your network at the end of a contract. Often companies engage managed service providers with accounts on their networks to manage systems. Remember to disable and delete their accounts after you stop using their services. 
You don&#39;t want a rogue employee of the service provider or an automated scheduled task to impact your systems.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;For more information on Service Provider Management safeguards&amp;nbsp;to protect your company networks and data, see the Center for Internet Security Controls Document.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In the next post I&#39;ll discuss&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Center for Internet Security Control 16 - Application Software Security.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/5874598072237411976/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2023/10/notes-from-field-cis-control-15-service.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/5874598072237411976'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/5874598072237411976'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2023/10/notes-from-field-cis-control-15-service.html' title='Notes from the Field - CIS Control 15 - Service Provider Management'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8nqhg164BcXOmr1p21BAjVmarXo38rPhav1yFs0B2vozSX1P93MdttL-YSVcr1oc1Ybu7w9spQzn8UQtvNLX4VqFdh1flGpWuPJzAFDkVXG33edeYhLIjSRecQriuyR0wn9kybt0-X6pmPE6i2YBiKmUAfsZdbmIHRByz9fucrGMRDhyLzKP2k-qvkaTH/s72-w400-h300-c/IMG_4452.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-5511195656608251363</id><published>2023-07-15T16:38:00.001-04:00</published><updated>2023-08-19T16:49:51.653-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Center for Internet Security"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Cybersecurity"/><category scheme="http://www.blogger.com/atom/ns#" term="Security Awareness"/><category scheme="http://www.blogger.com/atom/ns#" term="Training"/><title type='text'>Notes from the Field - CIS Control 14 - Security Awareness and Skills Training</title><content type='html'>&lt;span style=&quot;font-family: arial;&quot;&gt;Security awareness training is one of the areas in which I see companies doing either very well or they don&#39;t do at all. It&#39;s unfortunate for the companies that don&#39;t do much as a little training goes a very long way. It&#39;s an investment that more than pays for itself. The more your employees are trained against potential threats and attacks, the safer your company and customer data. The less trained they are, the more your company is at risk to attack and compromise. 
In this post I discuss what I see as an information security auditor working with the clients regarding the Center for Internet Security Control 14 - Security Awareness and Skill Training.&amp;nbsp;&lt;/span&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;div&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0jr6Kfi99B0MQ32hRcqzE4tFhRfyslonRDaXr5Um0w-2LFmDVU8y54wNKIibeN6-5sZDFzF0xUKBFnYVykvKsxf_3fLZNOfPvXdCwNOuzxy5Z1veE2V69HhEz1LLfgySa6U3Y-BYA0oMhggdHLsCR0u_uV4W3ijPE0RFhBa_Ai5omXu96C3Fs5nDQE3Sc/s3648/IMG_4462.jpeg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;2736&quot; data-original-width=&quot;3648&quot; height=&quot;300&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0jr6Kfi99B0MQ32hRcqzE4tFhRfyslonRDaXr5Um0w-2LFmDVU8y54wNKIibeN6-5sZDFzF0xUKBFnYVykvKsxf_3fLZNOfPvXdCwNOuzxy5Z1veE2V69HhEz1LLfgySa6U3Y-BYA0oMhggdHLsCR0u_uV4W3ijPE0RFhBa_Ai5omXu96C3Fs5nDQE3Sc/w400-h300/IMG_4462.jpeg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;i&gt;&lt;span style=&quot;font-size: x-small;&quot;&gt;The Arch in Summer, the Arboretum at Penn State&lt;/span&gt;&lt;/i&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;The &lt;a href=&quot;https://www.cisecurity.org/controls&quot; target=&quot;_blank&quot;&gt;Center for Internet Security Controls&lt;/a&gt; are 18 critical information security controls that all organizations and information security professionals should be familiar with and 
implement to protect their networks and data. The free but valuable document contains high level information that executives can understand and also has specific details about tools and procedures for technical staff to run with. I recommend it to all of my clients for information security guidance.&amp;nbsp;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;The Overview for Control 14 - Security Awareness and Skills Training is&lt;/b&gt; - &lt;i&gt;Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise&lt;/i&gt;.&lt;/span&gt;&lt;div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Control 14 includes 9 sub-controls or safeguards&lt;/b&gt;. They are:&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;14.1 &amp;nbsp;Establish and Maintain a Security Awareness Program&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;14.2 &amp;nbsp;Train Workforce Members to Recognize Social Engineering Attacks&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;14.3 &amp;nbsp;Train Workforce Members on Authentication Best Practices&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;14.4 &amp;nbsp;Train Workforce on Data Handling Best Practices&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;14.5 &amp;nbsp;Train Workforce Members on Causes of Unintentional Data Exposure&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;14.6 &amp;nbsp;Train Workforce Members on Recognizing and Reporting Security Incidents&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;14.&lt;/span&gt;&lt;span 
style=&quot;font-family: arial;&quot;&gt;7 &amp;nbsp;Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;14.8 &amp;nbsp;Train Workforce on Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks &amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;14.9 &amp;nbsp;Conduct Role-Specific Awareness and Skills Training.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;div style=&quot;font-family: -webkit-standard;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Why is this control critical?&lt;/b&gt; This control addresses the human security vulnerability, perhaps the biggest vulnerability of all. All of the technical, administrative, and physical controls in the world can easily be undermined if your employees allow unauthorized people into facilities, click on links in phishing emails, open malicious attachments or visit fraudulent websites and enter their company user credentials. Such actions could allow an attacker to gain a foothold in your environment to install ransomware or exfiltrate company and customer data. Security awareness training will provide protections against such threats. Let&#39;s take a look at some of the safeguards and how companies accomplish them. 
&amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style=&quot;font-family: -webkit-standard;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Safeguard 14.1 - Establishing and Maintaining a Security Awareness Program&lt;/b&gt; can be done by signing up your organization with an online training platform or using an existing service that your Human Resources Information System SaaS platform offers. As part of an employee&#39;s onboarding processes, new employees should be required to take the awareness training within their first week of employment to make sure the training is successfully completed. Additional, shorter training modules and phishing tests are recommended to be completed each month to continuously strengthen the information security awareness muscle. Annual refresher training should also be required for all employees. The paid services offer reporting to show who has successfully completed the training. Human Resources staff follow up with individuals who do not complete the training as they do with other types of required training. &amp;nbsp;&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Companies such as KnowBe4 and Proofpoint, are two popular services, among the many training tools available. Some companies choose to develop their own internal information security awareness training. It&#39;s usually made up of a PowerPoint presentation put together by IT and IT security staff, who go over the materials with company employees. Both types of training cover the basics, such as sharing their account passwords, using multi-factor authentication when possible, not clicking on attachments or links from unfamiliar senders, not submitting credentials or financial information to bogus websites, not falling victim to social engineering attacks, and so on. 
Quizzes are often used to test the knowledge of participants.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Safeguard 14.5 -&amp;nbsp;Train Workforce Members on Causes of&amp;nbsp;Unintentional Data Exposure&amp;nbsp;&lt;/b&gt;is critical to protect company and customer data, as well as protect companies from the legal and financial liability as a result of such exposures. Well trained employees are taught not to share sensitive data with people who do not have a need or right to see it. They are also taught how to properly share information with those who do have a need or right to the data. The data leaks my clients have experienced are often due to lack of knowledge. Scenarios include an employee accidentally sending a patient or client the data of a different patient or client. For healthcare companies subject to HIPAA requirements, such a mistake can result in expensive fines. There have also been cases where companies I&#39;ve worked with have processes in place to share with partners customer data after the data has been anonymized to protect the identities of customers. On occasion the automated anonymization process fails but the data is still shared as the companies don&#39;t have proper verification processes in place. There are many other methods where data is unintentionally exposed. In all cases, proper training is needed as a baseline to protect the data and the company.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Safeguard 14.6 - Train Workforce Members on Recognizing and Reporting Security Incidents&lt;/b&gt; is supremely important because people who are trained properly, know what to do. They report an incident to the people who can take appropriate action and contain the incident. People who are not trained, often are afraid to report an incident as they think they may get in trouble for having done something wrong. 
As a result of doing nothing, a containable incident is not contained and causes a lot of damage.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div style=&quot;font-family: -webkit-standard;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Safeguard 14.9 - Conduct Role-Specific Awareness and Skills Training&lt;/b&gt; is often overlooked even in companies that have basic security awareness training. It&#39;s important that software developers receive annual training on secure coding practices. This helps them to stay up to date on the latest code vulnerabilities and practices to avoid them. IT and IT security staff should also receive annual training for responding to incidents and for protecting the technologies they support. Staff in other areas, such as senior executives and finance should receive more advanced training to prevent them from succumbing to bogus text messages and phishing emails, especially those regarding wiring money to the fraudulent recipients. &amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style=&quot;font-family: -webkit-standard;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style=&quot;font-family: -webkit-standard;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Whether you choose an online training platform or offer in-house training, your organization must provide company employees with security awareness training. It is the most effective method for protecting company and customer data. 
The Center for Internet Security Controls can help.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style=&quot;font-family: -webkit-standard;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style=&quot;font-family: -webkit-standard;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In the next post I&#39;ll discuss, Center for Internet Security Control 15 - Service Provider Management.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style=&quot;font-family: -webkit-standard;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/5511195656608251363/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2023/08/notes-from-field-cis-control-14.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/5511195656608251363'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/5511195656608251363'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2023/08/notes-from-field-cis-control-14.html' title='Notes from the Field - CIS Control 14 - Security Awareness and Skills Training'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0jr6Kfi99B0MQ32hRcqzE4tFhRfyslonRDaXr5Um0w-2LFmDVU8y54wNKIibeN6-5sZDFzF0xUKBFnYVykvKsxf_3fLZNOfPvXdCwNOuzxy5Z1veE2V69HhEz1LLfgySa6U3Y-BYA0oMhggdHLsCR0u_uV4W3ijPE0RFhBa_Ai5omXu96C3Fs5nDQE3Sc/s72-w400-h300-c/IMG_4462.jpeg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-3843735354881662634</id><published>2023-04-30T19:46:00.004-04:00</published><updated>2023-08-19T16:46:27.726-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Center for Internet Security"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Network Monitoring"/><category scheme="http://www.blogger.com/atom/ns#" term="OSSEC"/><category scheme="http://www.blogger.com/atom/ns#" term="SIEM"/><category scheme="http://www.blogger.com/atom/ns#" term="WAF"/><title type='text'>Notes from the Field - CIS Control 13 - Network Monitoring and Defense</title><content type='html'>&lt;p&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;“How would you know if your network or systems have been compromised?” That’s the question I often ask clients when discussing their networking monitoring and defense tools. An IT manager of a small company I worked with recently was honest and said he wasn’t sure. He was so busy putting out different fires every day, he didn’t know where to begin. The IT team consisted of four people. And he didn’t have much of a budget to implement expensive tools and create a Security Operations Center (SOC), like large companies have. 
That was a good opportunity to introduce him to the &lt;a href=&quot;https://www.cisecurity.org/controls&quot; target=&quot;_blank&quot;&gt;Center for Internet Security Controls&lt;/a&gt;, specifically Control 13 - Network Monitoring and Defense.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; white-space: pre-wrap;&quot;&gt;&lt;/span&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgxv1avOJRzgkoGkEUmTahOl-VNsMzTrp7CEj8ldVbBHfKzRtlHKJPl3_ntgPZIHpltXbe3njcQHgQmIP_pZGYijvGY-mTWVd3LfH9Z5OxJeii9W4Ql7tH4bbiEQ9eRwwIXIRc0gM5Ys9hmrSR52UHTjWOV1-gtTjbOKLm3VfTvKdPB3W0QajsgwBo0Q/s4032/IMG_6749.jpg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img alt=&quot;Arboretum Pavillion&quot; border=&quot;0&quot; data-original-height=&quot;3024&quot; data-original-width=&quot;4032&quot; height=&quot;300&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgxv1avOJRzgkoGkEUmTahOl-VNsMzTrp7CEj8ldVbBHfKzRtlHKJPl3_ntgPZIHpltXbe3njcQHgQmIP_pZGYijvGY-mTWVd3LfH9Z5OxJeii9W4Ql7tH4bbiEQ9eRwwIXIRc0gM5Ys9hmrSR52UHTjWOV1-gtTjbOKLm3VfTvKdPB3W0QajsgwBo0Q/w400-h300/IMG_6749.jpg&quot; title=&quot;Arboretum Pavillion&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;i&gt;The Overlook Pavillion at the Arboretum at Penn State&lt;/i&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;font-family: arial; white-space: pre-wrap;&quot;&gt;Many companies I audit have little to no network monitoring tools and processes in place &lt;br /&gt;while others have advanced tools in place but no processes to leverage the tools. 
Security alerts go uninvestigated. Companies that are successful in this area have both tools to identify threats and a person or a team of people to review security alerts and investigate.&amp;nbsp;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;&lt;b&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;&lt;b&gt;The overview for Control 13 - Network Monitoring and Defense is&lt;/b&gt; - &lt;/span&gt;&lt;span style=&quot;font-family: arial; font-style: italic; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base&lt;/span&gt;&lt;span style=&quot;font-family: arial; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;.&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;&lt;b&gt;Control 13 includes 11 safeguards or sub-controls:&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;&lt;br 
/&gt;&lt;/span&gt;&lt;/p&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;p style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;13.1 Centralize Security Event Alerting&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;13.2 Deploy a Host-Based Intrusion Detection Solution&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;13.3 Deploy a Network Intrusion Detection Solution&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;13.4 Perform Traffic Filtering Between Network Segments&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;13.5 Manage Access Control for Remote Assets Devices&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;13.6 Collect Network Traffic Flow Logs&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;13.7 Deploy a Host-Based Intrusion Prevention Solution&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;13.8 Deploy a Network Intrusion Prevention Solution&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;font-family: arial; 
line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;13.9 Deploy Port-Level Access Control&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;13.10 Perform Application Layer Filtering&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;font-family: arial; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;13.11 Tune Security Event Alerting Thresholds&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;Why is this control critical? &lt;/span&gt;&lt;span style=&quot;font-family: arial; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;&amp;nbsp;No network is 100% secure, no matter how well architected. Even with appropriately implemented security controls, misconfigurations or a lack of understanding of the security goals can leave gaps in both the tooling and the overall security posture.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; white-space: pre-wrap;&quot;&gt;Skilled security and operations staff must monitor alerting tools and respond before threats can impact the organization. Companies of all sizes must develop incident response capability to detect, analyze, and mitigate attacks.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; white-space: pre-wrap;&quot;&gt;When a company is compromised, it sometimes does not discover the breach for months or years. 
During that time, the attacker is exfiltrating company and customer data.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; white-space: pre-wrap;&quot;&gt;The CIS Control document discusses the use of weekly log reviews to tune the triggers of alerting tools. The document stresses that while tools are necessary for logging and alerts, they cannot replace skilled information security staff and systems administrators who can understand and investigate the alerts.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; white-space: pre-wrap;&quot;&gt;Let’s take a look at some of these safeguards and how companies I’ve worked with have successfully implemented them.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;b style=&quot;font-family: arial; white-space: pre-wrap;&quot;&gt;For safeguard 13.1 Centralize Security Event Alerting&lt;/b&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;, the clients I work with often have a SIEM tool in place, such as Splunk, OSSEC, Wazuh, the ELK stack, or similar tools. These tools collect logs from all types of systems. Security staff can configure alerts to be sent via email or text on different types of activity, such as changes in account privileges, account password changes, unusual login activity, and system and data access. The tools also provide reporting capabilities to identify new errors or potential threats so that organizations can take appropriate action. Some of the tools, such as OSSEC, are open-source and do not require license fees. Proprietary tools can be quite pricey. In all cases, there is a cost in terms of staffing to implement and monitor the tools. Staff must fine-tune the queries and alerting to keep up with changing threats. 
&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; white-space: pre-wrap;&quot;&gt;&lt;b&gt;Safeguards 13.2 and 13.7&lt;/b&gt; - Some of the tools above, such as OSSEC, include an agent to install on systems. Among other features, the agents of the different tools provide host-based intrusion detection and prevention capabilities. The agents can prevent malware from being installed by blocking changes to sensitive files. OSSEC is an open-source product that I’ve seen used at many organizations. Endpoint Detection and Response (EDR) tools, such as SentinelOne and CrowdStrike, provide similar functionality and are also widely used among my clients.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; white-space: pre-wrap;&quot;&gt;&lt;b&gt;Safeguards 13.3 and 13.8&lt;/b&gt; address deploying network intrusion detection and prevention tools. Most on-premises firewalls have IDS/IPS tools that can be enabled, such as Snort or Suricata. These tools also exist for cloud environments, where they add a layer of defense rather than relying solely on, for example, AWS security group rules to restrict network traffic.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;&lt;b&gt;Safeguard 13.10 Perform Application Layer Filtering -&lt;/b&gt; A web application firewall (WAF) is often used to protect web applications from SQL injection, Cross Site Scripting, and other Layer 7 attacks. Companies I’ve worked with often use Cloudflare or AWS WAF for their cloud-hosted applications. 
ModSecurity is a popular choice for companies that don’t want to pay for premium services such as Cloudflare or AWS WAF.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; white-space: pre-wrap;&quot;&gt;No matter the size of your organization or budget, you need to implement strong network monitoring and defense tools and procedures. Attackers look for easy targets. Don’t be one of them. Utilize the tools and procedures listed in the CIS Controls to better protect your company network and customer data.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial; white-space: pre-wrap;&quot;&gt;In the next post I’ll discuss Center for Internet Security Control 14 - Security Awareness and Skills Training.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;br class=&quot;Apple-interchange-newline&quot; /&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/3843735354881662634/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2023/04/notes-from-field-cis-control-13-network.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3843735354881662634'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3843735354881662634'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2023/04/notes-from-field-cis-control-13-network.html' title='Notes from the Field - CIS Control 13 - Network Monitoring and Defense'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' 
src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgxv1avOJRzgkoGkEUmTahOl-VNsMzTrp7CEj8ldVbBHfKzRtlHKJPl3_ntgPZIHpltXbe3njcQHgQmIP_pZGYijvGY-mTWVd3LfH9Z5OxJeii9W4Ql7tH4bbiEQ9eRwwIXIRc0gM5Ys9hmrSR52UHTjWOV1-gtTjbOKLm3VfTvKdPB3W0QajsgwBo0Q/s72-w400-h300-c/IMG_6749.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-7357315937489849077</id><published>2023-01-28T21:49:00.004-05:00</published><updated>2023-02-12T12:25:02.021-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Center for Internet Security"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><category scheme="http://www.blogger.com/atom/ns#" term="Network Architecture"/><title type='text'>Notes from the Field - Center for Internet Security Control 12 - Network Infrastructure Management</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;A company I audited last fall had an&amp;nbsp;insecure design for its Amazon Web&amp;nbsp;Services architecture, which hosted a financial web application. The web servers were public facing as were its PostgreSQL servers. Prime targets for attackers. In most information security audits I perform, companies usually protect their web servers with layers of protection that include DDoS and reverse proxy services from companies like Cloudflare. 
AWS load balancers are also commonly used and placed in front of the web servers.The web servers and database servers are assigned private IP addresses, not directly exposed to the internet and attackers.&lt;/span&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZWGwSOro-FuhfOR-h4TigpkzcfdpVS-OIft6EY589VV6GVq7U8rkeFuWcvwRPP3GNJcV-gVQI1C6GJgKpGG9PBgQJWTT5ZrqCymdGyqkWMcjX6uKQ_y37kiom45oY3mFHWJ2L9bSPbQD4-twPvmhDhkL-hEie7mkHTnQNVkqa4Sm0lJz-ddy06xkv6A/s2948/art-spring-summer-fall-winter-for-blog-post.png&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img alt=&quot;The Four Seasons&quot; border=&quot;0&quot; data-original-height=&quot;2869&quot; data-original-width=&quot;2948&quot; height=&quot;389&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZWGwSOro-FuhfOR-h4TigpkzcfdpVS-OIft6EY589VV6GVq7U8rkeFuWcvwRPP3GNJcV-gVQI1C6GJgKpGG9PBgQJWTT5ZrqCymdGyqkWMcjX6uKQ_y37kiom45oY3mFHWJ2L9bSPbQD4-twPvmhDhkL-hEie7mkHTnQNVkqa4Sm0lJz-ddy06xkv6A/w400-h389/art-spring-summer-fall-winter-for-blog-post.png&quot; title=&quot;The Four Seasons&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;i&gt;The Sun and the Four Seasons&lt;/i&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The client agreed that their architecture was not ideal. 
They had been in a hurry a few years before to get the web application into production and they were new to AWS at the time. They figured they would fix it later. They never did.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;There was always some new project or priority that caused them to delay the&amp;nbsp;redesign.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;As they say, if you don&#39;t have time to do it right, when will you have time to do it over?&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Unfortunately, this scenario is more common than you might expect. While most of the clients I work with have&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;skilled and&amp;nbsp;experienced network/cloud architects and systems administrators who have&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;implemented secure infrastructures, too many still don&#39;t. They do what works and hope to secure it later. That will eventually catch up with them.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In this post I discuss Center for Internet Security Critical Control 12 - Network Infrastructure Management. 
The &lt;a href=&quot;https://www.cisecurity.org/controls&quot; target=&quot;_blank&quot;&gt;Center for Internet Security Controls&lt;/a&gt; are 18 critical information security controls all organizations should implement and all information&amp;nbsp;technology and security employees should be&amp;nbsp;familiar with to protect their networks, systems, and data.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;The overview for Control 12 is&lt;/b&gt; -&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;i&gt;Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points&lt;/i&gt;.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Control 12 includes 8 safeguards:&lt;/b&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;12.1 &amp;nbsp;Ensure Network Infrastructure is Up-to-Date&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;12.2 &amp;nbsp;Establish and Maintain a Secure Network Architecture&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;12.3 &amp;nbsp;Securely Manage Network Infrastructure&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;12.4 &amp;nbsp;Establish and Maintain Architecture Diagram(s)&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;12.5 &amp;nbsp;Centralize Network Authentication, Authorization, and Auditing (AAA)&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;12.6 &amp;nbsp;Use of Secure Network Management and Communication Protocols&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;12.7 &amp;nbsp;Ensure Remote Devices 
Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;12.8 &amp;nbsp;Establish and Maintain Dedicated Computing Resources for All Administrative Work&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Why is this control critical?&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Secure network infrastructure is essential in defense against attacks. Organizations must have an appropriate architecture that they can effectively secure.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Understand that securing company and customer data is the highest priority for information security and technology professionals. Data breaches can cost companies tens or hundreds of millions of dollars from lost business, fines, legal settlements, and reputational damage. The 2013 Target data breach cost the retail giant at least&amp;nbsp;&lt;/span&gt;&lt;a href=&quot;https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html&quot; style=&quot;font-family: arial;&quot; target=&quot;_blank&quot;&gt;$200 million&lt;/a&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;in legal and other fees. Equifax agreed to pay&amp;nbsp;&lt;/span&gt;&lt;a href=&quot;https://www.ftc.gov/news-events/news/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach&quot; style=&quot;font-family: arial;&quot; target=&quot;_blank&quot;&gt;$575 million&lt;/a&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;as a result of its 2017 data breach. Both companies paid out more to recover from the breaches. &amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Let&#39;s discuss a few of the safeguards listed above. 
Safeguard 12.1 overlaps with &lt;a href=&quot;https://www.greghalpin.net/2022/06/notes-from-field-center-for-internet.html&quot; target=&quot;_blank&quot;&gt;Control 07 - Vulnerability Management&lt;/a&gt;. It boils down to using supported network gear and services and installing the latest security patches and firmware updates. Clear enough. Still, in&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;on-premises environments, clients often have firewalls with firmware that has not been updated in years, leaving them vulnerable to attack. As important as firewalls are, people forget to maintain them. If you rely on a firewall to protect your&amp;nbsp;perimeter, properly manage the firewall. &amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;For Safeguard 12.2 - Establish and Maintain a Secure Network&amp;nbsp;Architecture&lt;/b&gt;, I refer back to the example of the client with which I opened this post. How should&amp;nbsp;companies design their AWS&amp;nbsp;environments for their web application? Here&#39;s a good &lt;a href=&quot;https://docs.aws.amazon.com/whitepapers/latest/web-application-hosting-best-practices/an-aws-cloud-architecture-for-web-hosting.html&quot; target=&quot;_blank&quot;&gt;document and diagram&lt;/a&gt; from AWS advising how to properly architect an environment. It includes additional services that you can optionally use, such as a&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;WAF, a Content Delivery Network (CDN), and Elastic Load Balancers (ELB) to better protect your web and&amp;nbsp;application servers and your database servers or RDS instances. 
It does a good job of visually demonstrating the levels of protection and the different subnets companies can use for the different types of systems and services.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Safeguard 12.4 - Establish and Maintain Architecture Diagram(s) &lt;/b&gt;seems to some industry professionals I&#39;ve worked with to be a waste of time. They either don&#39;t have diagrams or the diagrams are outdated. A diagram is used to visually represent your network, systems, the location of data, and the flow of data in and out of your environment. The diagrams often list which ports are open to which systems, both from the internet and internally. You can look at it and generally understand what&#39;s going on. You can then compare the diagram to your actual network, inventory, and firewall and security rules to determine whether they align.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Do you know what happens when companies don&#39;t have network diagrams? There are usually some forgotten firewall or security group rules allowing traffic in where it shouldn&#39;t be permitted. Or there&#39;s a server sitting in the DMZ that shouldn&#39;t be there. But the infrastructure director didn&#39;t know about it because they were told by staff that everything was set up right. Without a diagram, they have to get under the hood themselves to check things out. And they may never do that. &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Safeguard&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;12.8 - Establish and Maintain Dedicated Computing Resources for All Administrative Work&lt;/b&gt; is one of the controls that distinguishes secure from insecure environments. If this safeguard is in place, many of the others are as well. 
In secure environments, companies require VPN access to their backend on-prem or cloud environment. Administrators then connect to a&amp;nbsp;jump box, a server used for administrative tasks for the company infrastructure. The jump box is on a separate subnet from the production systems. From the jump box, the sys admins can SSH or RDP to the server they need to administer. In less secure environments,&amp;nbsp;administrators can SSH or RDP directly from the internet to the servers they need to administer, with no VPN or jump box. This is a dangerous practice, as attackers can attempt to SSH and RDP to those same servers if they are not protected by VPN and jump box layers.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Periodic Firewall and Security Group Rule Reviews -&lt;/b&gt;&amp;nbsp;Companies should conduct monthly or quarterly reviews of firewall and security group rules to verify they are still appropriate. Network staff often test different services and tools before implementing them. That usually requires a change in firewall rules, such as opening a port for a new service or testing remote administration. Unfortunately, companies don&#39;t always disable or delete the rule after the testing is completed or when the technology is no longer used. 
The port that was opened for one technology is now open for a different server, leaving it vulnerable to attack.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;For more details on the safeguards to protect your network to prevent a data breach, see the Center for Internet&amp;nbsp;Security Controls document.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;N&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;ext month I will discuss Center for Internet Security Control 13 - Network Monitoring and Defense.&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/7357315937489849077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2023/02/notes-from-field-center-for-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/7357315937489849077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/7357315937489849077'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2023/02/notes-from-field-center-for-internet.html' title='Notes from the Field - Center for Internet Security Control 12 - Network Infrastructure Management'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZWGwSOro-FuhfOR-h4TigpkzcfdpVS-OIft6EY589VV6GVq7U8rkeFuWcvwRPP3GNJcV-gVQI1C6GJgKpGG9PBgQJWTT5ZrqCymdGyqkWMcjX6uKQ_y37kiom45oY3mFHWJ2L9bSPbQD4-twPvmhDhkL-hEie7mkHTnQNVkqa4Sm0lJz-ddy06xkv6A/s72-w400-h389-c/art-spring-summer-fall-winter-for-blog-post.png" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-5821900163625897721</id><published>2022-12-30T09:39:00.055-05:00</published><updated>2023-01-14T17:56:36.769-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Center for Internet Security"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Data Backup"/><category scheme="http://www.blogger.com/atom/ns#" term="Data Recovery"/><category scheme="http://www.blogger.com/atom/ns#" term="Ransomware"/><title type='text'>Notes from the Field - Center for Internet Security Control 11 - Data Recovery</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;The client I was working with had undergone a management shakeup over the previous year. The CIO left, replaced by someone who brought in several new managers. The result was a lot of IT and DevOps staff turnover. Many skilled staff who knew how everything worked at the company left amid the uncertainty. There were not enough senior people left to train all of the new hires. Without direction, new hires didn&#39;t always know what was important. 
A lot of things fell through the cracks, including data recovery.&amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu38P6dSE4xOebRQtH-BxfanEANAaTar-QsklAAIbXI8IyPub2xpwXOTmWUYXLlNwv05VTKAx9aFaTfr8ArUvawZ3-adSGBWDhBJxCDoLlqpnvu0o5w6-FjT8FEWAGCubXXFbijldb-atlkFiNTTbB5tQPQBN6Z3_xG5_anLvNzxXzz9XfznXQ0LqrZQ/s3861/sun-compass-arboretum-october-2022.png&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img alt=&quot;Sun Compass in the Ridge and Valley Sculpture the Arboretum at Penn State&quot; border=&quot;0&quot; data-original-height=&quot;3007&quot; data-original-width=&quot;3861&quot; height=&quot;311&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu38P6dSE4xOebRQtH-BxfanEANAaTar-QsklAAIbXI8IyPub2xpwXOTmWUYXLlNwv05VTKAx9aFaTfr8ArUvawZ3-adSGBWDhBJxCDoLlqpnvu0o5w6-FjT8FEWAGCubXXFbijldb-atlkFiNTTbB5tQPQBN6Z3_xG5_anLvNzxXzz9XfznXQ0LqrZQ/w400-h311/sun-compass-arboretum-october-2022.png&quot; title=&quot;Sun Compass in the Ridge and Valley Sculpture the Arboretum at Penn State&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;i&gt;The Compass from the Ridge and Valley Sculpture&lt;br /&gt;at the Arboretum at Penn State&lt;/i&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;While reviewing the data backups, we determined that not all the data the company needed to backup was actually getting backed 
up.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Nor was the backup data retention as long as required by company policy.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;They had a cloud environment and an on-premises server room with some legacy apps and data. Different backup tools were used for each.&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In the AWS environment, the RDS databases were automatically backed up and retained for 1 to 35 days, depending on the method used to create the RDS database. The company&#39;s backup procedures had the RDS snapshots copied to S3 buckets, where they were required to be retained for three months. But the task to copy the backups to the S3 buckets had stopped functioning months before. After investigating, they determined the task of copying the backups to the buckets was tied to an AWS IAM role that had been modified in error, removing the role&#39;s ability to write the data to the bucket. Configuration management issues like this occur, especially in dynamic environments, and they go unnoticed unless backup job failures are monitored.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;For the on-premises environment the company used Veeam to back up systems to on-site storage devices for short-term storage. The backups were copied to AWS S3 buckets for longer retention. Unfortunately, a set of the Veeam backup jobs failed each day. Alerts had been emailed to the IT team, but they were ignored. The dedicated backup administrator had left amid the company changes. A team with many other pressing responsibilities was assigned to oversee the backups. 
It wasn&#39;t a high priority for them.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;These issues were easily correctable with a few hours work but could have been very costly if staff at the company inadvertently deleted data or had been targeted by a ransomware gang.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In both cases, the company would not have been able to restore critical business data. We discussed the &lt;a href=&quot;https://www.cisecurity.org/controls&quot; target=&quot;_blank&quot;&gt;Center for Internet Security Controls&lt;/a&gt;, specifically Control 11 - Data Recovery. We also discussed the basics of data backup and&amp;nbsp;recovery to better protect company and customer&amp;nbsp;data.&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;b&gt;The Overview for CIS Control 11 is&lt;/b&gt; - &lt;i&gt;Establish and maintain data recovery practices sufficient&amp;nbsp; to restore in-scope enterprise assets to a pre-incident and trusted state.&lt;br /&gt;&lt;/i&gt;&lt;br /&gt;Control 11 includes 5 safeguards. 
They are:&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;11.1 Establish and Maintain a Data Recovery Process&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;11.2 Perform Automated Backups&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;11.3 Protect Recovery Data&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;11.4 Establish and Maintain an Isolated Instance of Recovery Data&lt;br /&gt; &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;11.5 Test Data Recovery&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;b&gt;Why is this control critical?&lt;/b&gt; Organizations need and use data to make decisions and provide services to customers. If data is not available or loses its integrity, the organization and its customers could be negatively impacted. The CIS Controls Document refers to an example of an attacker encrypting a company&#39;s data for ransom. In such a case, the company would need to have backup data prior to the point when it was encrypted by the attacker. Unfortunately, many organizations find their backup data retention is not long enough to protect them from this attack. 
&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;Another challenge that companies face regarding data recovery is that they have so much data that they may not have an effective method to restore it in a timely fashion. It might take them weeks to restore the data, which could result in lost business.&lt;br /&gt;&lt;br /&gt;In my own work, it&#39;s common for companies to have lax practices around their data backup and recovery testing.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CIS Controls document recommends that on a quarterly basis, or when new data sources or technologies are introduced, companies evaluate their backups and attempt to restore data in a test environment. It&#39;s necessary to verify that data can successfully be restored in a reasonable time period in case of a serious incident and that the systems and applications can be restored.&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The news is replete with stories of ransomware gangs compromising companies and holding their data hostage. You can better protect your company from becoming the next target b&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;y implementing the CIS Critical Controls. Review your data backup strategy regularly to confirm it is current. 
Test your data recovery practices to verify you can restore data in case of accidental deletion or a ransomware attack.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;Next month I&#39;ll discuss Center for Internet Security Control 12 - Network Infrastructure Management.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/5821900163625897721/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2022/12/notes-from-field-center-for-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/5821900163625897721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/5821900163625897721'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2022/12/notes-from-field-center-for-internet.html' title='Notes from the Field - Center for Internet Security Control 11 - Data Recovery'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu38P6dSE4xOebRQtH-BxfanEANAaTar-QsklAAIbXI8IyPub2xpwXOTmWUYXLlNwv05VTKAx9aFaTfr8ArUvawZ3-adSGBWDhBJxCDoLlqpnvu0o5w6-FjT8FEWAGCubXXFbijldb-atlkFiNTTbB5tQPQBN6Z3_xG5_anLvNzxXzz9XfznXQ0LqrZQ/s72-w400-h311-c/sun-compass-arboretum-october-2022.png" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-2856322326763845818</id><published>2022-11-28T21:39:00.008-05:00</published><updated>2023-01-03T09:08:52.825-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Anti-malware"/><category scheme="http://www.blogger.com/atom/ns#" term="Anti-virus"/><category scheme="http://www.blogger.com/atom/ns#" term="Center for Internet Security"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Malware"/><category scheme="http://www.blogger.com/atom/ns#" term="Virus"/><title type='text'>Notes from the Field - Center for Internet Security Control 10 - Malware Defenses</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The client I was working with had a web application hosted on a Windows server with the anti-virus software disabled. When I asked the head of Information Technology about it, he said the company&#39;s web application didn&#39;t work when anti-virus was running, so they couldn&#39;t enable it. They weren&#39;t concerned about it as they had a firewall in place with malware protection. I strongly advised them to reconsider that decision. Instead of disabling anti-virus, I recommended they determine why the web application did not work and correct it. They were the only client I had worked with that did not have anti-virus enabled on a Windows web application server. 
The risk of a Windows server being infected by a virus is high, especially one with a public-facing IP address. Additionally, the server did not have recent security patches installed. It was only a matter of time before attackers compromised their web server.&amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;It&#39;s commonly accepted that Windows systems must have anti-malware software installed to protect them while Linux and macOS don&#39;t need it. That view has been changing the last several years. Linux and macOS are targeted more and more by ransomware and cryptojacking malware.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In this post I discuss what I see in my work as an information security auditor with my clients regarding &lt;/span&gt;&lt;b style=&quot;font-family: arial;&quot;&gt;Center for Internet Security Control 10 - Malware Defenses&lt;/b&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeqLw5BcYfnJYcfPW8yw5aep4B4qvjMVfcSgCT9Td0egzrTBNBeT0190kfcpT4PK_jbQyrCtO7pmg5VfSR4yAnhwTC7FzWYrO9q-5tmMaHIQ_gtwQsGv_IgGe7cwxepQZXjmjI9GHX-bV_2-vNa_RhLXpYWA19wOyg7ppToIMMF8_s_mAcYYjxMTXg0A/s4032/IMG_3227.jpg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;3024&quot; data-original-width=&quot;4032&quot; height=&quot;300&quot; 
src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeqLw5BcYfnJYcfPW8yw5aep4B4qvjMVfcSgCT9Td0egzrTBNBeT0190kfcpT4PK_jbQyrCtO7pmg5VfSR4yAnhwTC7FzWYrO9q-5tmMaHIQ_gtwQsGv_IgGe7cwxepQZXjmjI9GHX-bV_2-vNa_RhLXpYWA19wOyg7ppToIMMF8_s_mAcYYjxMTXg0A/w400-h300/IMG_3227.jpg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-family: arial; font-size: x-small;&quot;&gt;&lt;i&gt;Back of Old Botany Building along Pattee Mall at Penn State in Autumn&lt;/i&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The &lt;a href=&quot;https://www.cisecurity.org/controls&quot; target=&quot;_blank&quot;&gt;Center for Internet Security Controls&lt;/a&gt; are 18 critical information security controls that all &lt;br /&gt;organizations and information security professionals should be familiar with and implement to protect their networks and data. The free but valuable document contains high level information that executives can understand and also has specific details about tools and procedures for technical staff to run with. I recommend it to all of my clients for information security guidance.&amp;nbsp;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;The Overview for&amp;nbsp;Control 10 is -&lt;/b&gt; &lt;i&gt;Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets&lt;/i&gt;.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Control 10 includes 7 sub-controls or safeguards. 
They are:&lt;/span&gt;&lt;/p&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;10.1 Deploy and Maintain Anti-Malware Software&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;10.2 Configure Automatic Anti-Malware Signature Updates&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;10.3 Disable Autorun and Autoplay for Removable Media&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;10.4 Configure Automatic Anti-Malware Scanning of Removable Media&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;10.5 Enable Anti-Exploitation Features&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;10.6 Centrally Manage Anti-Malware Software&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;10.7 Use Behavior-Based Anti-Malware Software&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Why is this control critical? &lt;/b&gt;Malicious software is one of the biggest threats to your company and customer data. Malware can be used to capture user credentials to further exploit your network. Malware can be used by attackers to encrypt and delete your data, preventing you from accessing it unless you pay a ransom for it. Attackers leverage machine learning tools to make more sophisticated and effective malware. Malware enters company networks through vulnerabilities, phishing, and many other avenues. 
It&#39;s necessary to have comprehensive malware defenses to protect your systems and data.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Larger clients I work with generally have good practices in place for preventing malware. They have anti-malware or endpoint detection and response (EDR) tools installed on all of their servers, workstations, and laptops. They manage the tools centrally with a team that checks the status of systems. The team follows up on systems that are not reporting their status to the console, not receiving updates or have been infected by malware.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Some of the most widely used anti-malware/EDR tools by larger clients are from Trend Micro, SentinelOne, CrowdStrike, Symantec, and McAfee. Additionally, network firewalls include filtering of malware traffic prior to reaching endpoints. &amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Smaller to mid-size clients often don&#39;t have much in place to protect systems from malware. They lack the budget or staff resources to manage a centralized anti-malware tool. They rely on the default tools that are installed with the operating systems, such as Windows Defender for Microsoft Windows server and end user systems and XProtect for Apple macOS. Are Defender and XProtect enough? Maybe. 
But is maybe good&amp;nbsp;enough to protect your company and customer data?&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;You want assurance that if new malware is spreading across the internet, your systems are fully protected. You also want to know if your systems are affected. Without a central management console for your anti-malware tool, it&#39;s difficult to know for sure what is going on in your company&#39;s network. Was one system affected or hundreds? It&#39;s important to know so you can take immediate action, such as isolate systems, block ports on your network or push out a new security patch.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;For Linux servers, most small to mid-sized companies and even some larger companies I work with generally do not deploy anti-malware software. When they do, it&#39;s often ClamAV. That&#39;s sufficient to protect systems but it does not have centralized&amp;nbsp;management features. Logging and alerting for ClamAV can be leveraged using a SIEM tool if one is in place to get a full picture of the status of systems. Sometimes companies deploy&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;OSSEC, a host intrusion detection tool, to their Linux systems instead of or in addition to deploying ClamAV. OSSEC is not a dedicated anti-malware tool but does include root-kit and malware detection.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;OSSEC and popular anti-virus/EDR tools have intrusion detection and file integrity monitoring features to identify changed files. 
This helps track activity and potential damage or deletion of files. Some of the tools can also stop processes completely based on behavior to better protect your systems&amp;nbsp;and data.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Anti-malware defenses combined with the other CIS Controls can help protect your network, systems, and data. Read the CIS Controls document today.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Next month,&amp;nbsp;I will&amp;nbsp;discuss Center for Internet Security Control 11 - Data Recovery. &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/2856322326763845818/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2022/11/notes-from-field-center-for-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/2856322326763845818'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/2856322326763845818'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2022/11/notes-from-field-center-for-internet.html' title='Notes from the Field - Center for Internet Security Control 10 - Malware Defenses'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' 
height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeqLw5BcYfnJYcfPW8yw5aep4B4qvjMVfcSgCT9Td0egzrTBNBeT0190kfcpT4PK_jbQyrCtO7pmg5VfSR4yAnhwTC7FzWYrO9q-5tmMaHIQ_gtwQsGv_IgGe7cwxepQZXjmjI9GHX-bV_2-vNa_RhLXpYWA19wOyg7ppToIMMF8_s_mAcYYjxMTXg0A/s72-w400-h300-c/IMG_3227.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-5264492682522076162</id><published>2022-10-02T15:41:00.010-04:00</published><updated>2022-12-13T09:16:47.322-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Browser"/><category scheme="http://www.blogger.com/atom/ns#" term="Center for Internet Security"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="DNS Filtering"/><category scheme="http://www.blogger.com/atom/ns#" term="Email"/><category scheme="http://www.blogger.com/atom/ns#" term="Phishing"/><title type='text'>Notes from the Field - Center for Internet Security Control 09 - Email and Web Browser Protections</title><content type='html'>&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;A small SaaS (Software as a Service) client I worked with recently mentioned an information security incident they experienced a year ago in which the email account of one of their sales representatives was compromised via a phishing attack. The attackers gained the credentials of the sales rep, obtained email addresses of customers, and sent emails to the company&#39;s customers with false offers to buy discounted services. 
The attackers had&amp;nbsp;scraped the company&#39;s website and set up an&amp;nbsp;identical site with a similar URL, which tricked customers into believing the website was legitimate. Some customers visited the site and entered their credit card numbers to purchase what they thought were legitimate services. The compromise&amp;nbsp;occurred&amp;nbsp;on a Friday morning. It wasn&#39;t until Monday afternoon that the sales rep began to hear from customers that something was very wrong. Their credit cards were used for many bogus purchases on multiple websites after using their credit cards on what they thought was the company website. &amp;nbsp;&lt;/span&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWsdrsNcdMK8gd1WhSxJB7fQ2siJG4dmvLHZMsOf2h0ZhVoYA_6r1WyQTu-UqOFZNcRDwe9ynzJcsjjG4KzaivKjqSWAtPvO09lGANDjUBNHFL8iUN2ReWSZQWvLAg5BuGdQBsLvH7NPz6gTwgxsMnKFXcsPS2iactdS5mFAbtbnUjqJqBfsV12YpRyg/s3497/IMG_4538-cropped.png&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;3011&quot; data-original-width=&quot;3497&quot; height=&quot;345&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWsdrsNcdMK8gd1WhSxJB7fQ2siJG4dmvLHZMsOf2h0ZhVoYA_6r1WyQTu-UqOFZNcRDwe9ynzJcsjjG4KzaivKjqSWAtPvO09lGANDjUBNHFL8iUN2ReWSZQWvLAg5BuGdQBsLvH7NPz6gTwgxsMnKFXcsPS2iactdS5mFAbtbnUjqJqBfsV12YpRyg/w400-h345/IMG_4538-cropped.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span 
style=&quot;font-family: arial; font-size: x-small;&quot;&gt;&lt;i&gt;Sun Mosaic at Bandon, Oregon&lt;/i&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The IT department was able to block the attackers&#39; access to the email account of the sales rep. But that was just the beginning. Did the attackers gain access to other accounts and elevate their privileges? Did the attackers now have customer credentials? If so, how many and which ones? As the IT team began to isolate the incident, the senior executive team, including legal counsel and communications, was brought&amp;nbsp;in to determine how to notify customers and what to tell them. &lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The company&#39;s reputation was damaged. It lost customers and revenue. Since the incident, the company requires multi-factor authentication for remote access and all email and cloud services. The company also implemented annual information security awareness training for all staff. I suggested additional technical controls the company can put in place to better protect the company and its customers from similar attacks in the future.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In this post I discuss the Center for Internet Security Control 09 - Email and Web Browser Protections. The &lt;a href=&quot;https://www.cisecurity.org/controls&quot; target=&quot;_blank&quot;&gt;Center for Internet Security Controls&lt;/a&gt; are 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. 
The document contains high level information that executives can understand and also has specific details about tools and procedures for technical staff to run with. I recommend it to all my clients for information security guidance.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;b&gt;The Overview for Control 09 - Email and Web Browser Protections is &lt;/b&gt;- &lt;i&gt;Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement&lt;/i&gt;.&lt;/span&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Why is this control critical? &lt;/b&gt;Attackers continue to&amp;nbsp;successfully target email and web browsers as most people in organizations use the two tools for much of their day-to-day work. Email and web browsers expose employees to untrusted environments, where attackers can use social engineering and&amp;nbsp;malicious code to trick individuals into giving up their company logon credentials and data. Once attackers gain a foothold with user credentials, they can expand to other targets.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Control 09 includes 7 sub-controls or safeguards. 
They are:&lt;br /&gt;&lt;/span&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;9.1 Ensure Use of Only Fully Supported Browsers and Email Clients&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;9.2 Use DNS Filtering Services&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;9.3 Maintain and Enforce Network-Based URL Filters&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;9.5 Implement Domain-based Message Authentication, Reporting, and Conformance (DMARC)&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;9.6 Block Unnecessary File Types&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;9.7 Deploy and Maintain Email Server Anti-Malware Protections&lt;/span&gt;&lt;/blockquote&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;T&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;he above sub-controls will go a long way to protect your network and users from email and browser related attacks. I&#39;m going to address a few of the controls that would have protected against the phishing attack on the SaaS company.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Using DNS filtering services, control 9.2, protects your network by blocking DNS queries for malicious websites. 
For example, if an employee opens a phishing email and clicks on a link for a known malicious site, the DNS filtering does not allow the employee&#39;s browser to go to the site as the site&#39;s domain is listed on a block list.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Control 9.3 is similar in that URL filtering is applied to websites whose content is not approved by the company. Filtering databases are used to classify URLs by content. URLs with appropriate content are approved for access. URLs for inappropriate content are blocked. Those URLs marked as phishing are blocked by an employer. The employee&#39;s browser will be redirected to a page notifying the individual that the URL is blocked. &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Implementing DMARC, control 9.5, would also have helped protect the SaaS company from being&amp;nbsp;compromised. DMARC and related tools can be used and&amp;nbsp;combined for verifying the authenticity of emails. The tools include Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;SPF identifies emails that are from trusted sources and those that are from untrusted sources. SPF allows your email administrator to apply rules to untrusted emails, such as blocking them or marking them as spam. 
This reduces the&amp;nbsp;likelihood of successful phishing attempts via a company&#39;s email system.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;DKIM helps prevent spammers and attackers from spoofing&amp;nbsp;legitimate domains. It&#39;s easy for anyone to change the From field of their emails to&amp;nbsp;make them appear as if they are coming from a different domain. Attackers use this to send phishing attack emails. The email recipient believes the email is from an individual at a company they do business with when, in fact, the email is a phishing attempt. DKIM verifies the identity of the email server sending the email by using digital signatures of the email servers.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;CIS Control 9 and its sub-controls will help protect your company from email and web browser&amp;nbsp;attacks. Implement them to reduce the likelihood of incidents at your&amp;nbsp;organization.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Next month I will discuss Center for Internet Security Control 10 - Malware Defenses. 
&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/5264492682522076162/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2022/10/notes-from-field-center-for-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/5264492682522076162'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/5264492682522076162'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2022/10/notes-from-field-center-for-internet.html' title='Notes from the Field - Center for Internet Security Control 09 - Email and Web Browser Protections'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWsdrsNcdMK8gd1WhSxJB7fQ2siJG4dmvLHZMsOf2h0ZhVoYA_6r1WyQTu-UqOFZNcRDwe9ynzJcsjjG4KzaivKjqSWAtPvO09lGANDjUBNHFL8iUN2ReWSZQWvLAg5BuGdQBsLvH7NPz6gTwgxsMnKFXcsPS2iactdS5mFAbtbnUjqJqBfsV12YpRyg/s72-w400-h345-c/IMG_4538-cropped.png" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-7316387604535255026</id><published>2022-08-28T14:25:00.007-04:00</published><updated>2022-11-12T19:32:59.529-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Alerting"/><category scheme="http://www.blogger.com/atom/ns#" term="Audit"/><category scheme="http://www.blogger.com/atom/ns#" term="Center for Internet Security"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Logging"/><category scheme="http://www.blogger.com/atom/ns#" term="Logs"/><category scheme="http://www.blogger.com/atom/ns#" term="Security Tools"/><title type='text'>Notes from the Field - Center for Internet Security Control 08 - Audit Log Management</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;During a recent SOC 2 Gap Assessment with a medical billing company, the IT Manager and I discussed the logging and alerting tools the organization had in place. He explained that the company uses the default logging settings and capabilities of the operating systems, applications, and network gear. They didn&#39;t configure any alerts. The IT team reviewed logs when there was a problem but did not conduct regular reviews. 
I asked the IT Manager&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;how he would know if the company network was attacked or if it was already compromised and sensitive patient data was being exfiltrated?&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68); font-family: arial; font-size: x-small;&quot;&gt;&lt;/span&gt;&lt;/div&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;&lt;/span&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYTOe_TZUSRq5zlC-a0Q6mOh94eKpoPAE8l37HBhsyT0UJit0yWz3xuXl8cJvDe3Y674ooQlbVZbf6MsexKw_Cg_CtEvBGM2bARvX4rEtw6G8syWpuAYnc56B4nQbD4_XG4OqUZd1lUO06BtHJzmA_ZN8l11lriSKr4ffdkcXXcFdO3rPFzP5nZ1PAYg/s4032/IMG_4976%20copy.png&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;2628&quot; data-original-width=&quot;4032&quot; height=&quot;261&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYTOe_TZUSRq5zlC-a0Q6mOh94eKpoPAE8l37HBhsyT0UJit0yWz3xuXl8cJvDe3Y674ooQlbVZbf6MsexKw_Cg_CtEvBGM2bARvX4rEtw6G8syWpuAYnc56B4nQbD4_XG4OqUZd1lUO06BtHJzmA_ZN8l11lriSKr4ffdkcXXcFdO3rPFzP5nZ1PAYg/w400-h261/IMG_4976%20copy.png&quot; title=&quot;Circles in the Sand at Bandon, Oregon&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span 
style=&quot;font-family: arial;&quot;&gt;&lt;i&gt;Circles in the Sand at Bandon, Oregon&lt;/i&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;The IT Manager paused and shifted in his chair, his face looking perplexed. After a few moments he said it was a good question. The anti-virus logs might turn something up, right?&amp;nbsp;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;No, the anti-virus logs won&#39;t be helpful when an attacker has accounts and access on your systems. The attacker will go undetected. The anti-virus tools also won&#39;t tell you that patient data, including Social Security numbers and copies of driver licenses, is being stolen by an attacker. An endpoint detection and response tool would show more file access detail and could potentially stop such activity, but this company uses traditional anti-virus. &amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;As concerning as this type of situation is, it&#39;s a more common scenario than you might expect. Many companies have excellent logging and alerting tools in place. They log everything that is going on in their networks and have staff that can respond to alerts in real time. Other companies have nothing in place. They don&#39;t know about attacks or even technical issues until they are notified by the attackers, customers, or end users. There are a lot of reasons for this - lack of funds to invest in such products, limited staff resources, and often a lack of knowledge. 
T&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68);&quot;&gt;hat&#39;s when I discussed with the manager the &lt;a href=&quot;https://www.cisecurity.org/controls&quot; target=&quot;_blank&quot;&gt;Center for Internet Security Controls&lt;/a&gt;.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68);&quot;&gt;With good and succinct information the IT Manager can understand what tools will help protect the company&#39;s networks. From there, the manager can make the case to senior management to obtain the resources the company needs to properly protect itself, its customers, and patient data. &amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;In this post I discuss the Center for Internet Security Control 08 - Audit Log Management. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;The Center for Internet Security Controls are 18 critical information security controls that all
 organizations and information security professionals should be familiar
 with and implement to protect their networks and data. What&#39;s powerful about the document is that it contains high level information that executives can understand and also has specific details about tools and procedures for technical staff to run with.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;&lt;b&gt;The Overview for Control 08 - Audit Log Management is &lt;/b&gt;- &lt;i&gt;Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.&lt;/i&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;Control 08 includes 12 sub-controls or safeguards. 
They are:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;8.1 Establish and Maintain an Audit Log Management Process&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;8.2 Collect Audit Logs&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;8.3 Ensure Adequate Audit Log Storage&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;8.4 Standardize Time Synchronization&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;8.5 Collect Detailed Audit Logs&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 
68);&quot;&gt;8.6 Collect DNS Query Audit Logs&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;8.7 Collect URL Request Audit Logs&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;8.8 Collect Command-Line Audit Logs&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;8.9 Centralize Audit Logs&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;8.10 Retain Audit Logs&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;8.11 Conduct Audit Log Reviews&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;8.12 Collect Service Provider Logs 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;&lt;b&gt;Why is this control critical? &lt;/b&gt;Audit logs may be the only method for companies to identify an attack and compromise of their network and systems. Without proper logging and auditing in place, attackers may stay active in and exploit a company network for months or years before they are identified, as was the case with the compromises of SolarWinds and the U.S. Government in 2020. With effective logging tools and log review processes in place, the victim can identify the compromise and take action to block and end the attack. The logs will help determine in a forensic investigation how the attack was carried out, which systems were compromised, and what data the attacker exfiltrated from the organization. &amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;As mentioned above, the clients I work with have varied logging capabilities. Some do not do anything specific in regards to logging. I&#39;ve worked with clients whose Windows Event Viewer Security logs on their domain controllers were overwritten after a few hours as a result of using the default retention settings. 
Those same companies often do&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;not retain firewall logs besides what is stored in the buffer, which is a few hours at most.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span&gt;&lt;span&gt;If
 these companies had a security incident, they could not rely on those logs to help them identify the source or target of an attack. Normally attackers will attempt to delete system and firewall logs to make an investigation
 difficult for a company. In cases like these, the attacker&#39;s work is 
already done for them by the victim&#39;s lack of effort.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68);&quot;&gt;Conversely, some companies have sophisticated logging and alerting tools that are improperly configured. When I&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;ask them to show me examples of alerts they track, they bring up a dashboard of 1.2 million &quot;critical&quot; entries from the past 24 hours. I ask how they filter out the actual alerts from all the noise. They shrug their shoulders. We discuss how they can narrow in on which alerts are meaningful to them and would indicate an attack or system failure. &amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;Successful companies in this area that I&#39;ve worked with have centralized log management tools in place to collect and analyze logs for systems, applications, and network gear. Such tools include Splunk, CloudWatch, the ELK Stack (Elasticsearch and Kibana), Nagios, OpenSearch, and Fluentd, among others. The tools allow IT security teams to create alerts based on logon activity, privileged access, suspicious logins and activity. 
The tools are flexible to allow teams to focus on what they need for their environments.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;Some c&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;ompanies utilize tools like PagerDuty, which can be configured to require a response to an alert. It texts and emails the on-call person to investigate. It will escalate the alert to others as needed until someone acknowledges the alerts. Critical and specific alerts can automatically be sent to their service desk tool and&amp;nbsp;create a ticket for security operations center staff to triage.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;Whether you work at a large organization with a team reviewing alerts or a one-person shop, you need a minimum level of logging and alerting tools and processes in place to protect your environment. 
The Center for Internet Security Control 08 - Audit Log Management can help guide you.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;Next month, I&#39;ll discuss&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;Center for Internet Security Control 09 - Email and Web Browser Protections.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/7316387604535255026/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2022/08/notes-from-field-center-for-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/7316387604535255026'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/7316387604535255026'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2022/08/notes-from-field-center-for-internet.html' title='Notes from the Field - Center for Internet Security Control 08 - Audit Log Management'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYTOe_TZUSRq5zlC-a0Q6mOh94eKpoPAE8l37HBhsyT0UJit0yWz3xuXl8cJvDe3Y674ooQlbVZbf6MsexKw_Cg_CtEvBGM2bARvX4rEtw6G8syWpuAYnc56B4nQbD4_XG4OqUZd1lUO06BtHJzmA_ZN8l11lriSKr4ffdkcXXcFdO3rPFzP5nZ1PAYg/s72-w400-h261-c/IMG_4976%20copy.png" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-8266081158989951408</id><published>2022-05-29T15:41:00.001-04:00</published><updated>2022-11-12T16:35:51.112-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Center for Internet Security"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Vulnerability Management"/><title type='text'>Notes from the Field - Center for Internet Security Control 07 - Continuous Vulnerability Management</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;This is the seventh in&amp;nbsp;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68);&quot;&gt;a series of posts I&#39;m writing on the&amp;nbsp;&lt;/span&gt;&lt;a href=&quot;https://www.cisecurity.org/controls&quot; style=&quot;text-decoration: none;&quot; target=&quot;_blank&quot;&gt;Center for Internet Security (CIS) Controls Version 8&lt;/a&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;. The CIS Controls are 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. 
In this post I discuss what I see in my work as an information security auditor with clients regarding Control 07 - Continuous&amp;nbsp;Vulnerability Management.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuUVy2BTMqg15paBHDdgxPkaYQ_7875YItH_ZH4GHCjDiV2TBb2Sz47FqdnTzLYsvQS_bLPxcYqVPjqgD63sBCmPOYmqzehCI5HoBJA2CnWwreqdMWWSBoabka044FQ7lHyo37vab_wFHRgNY4TNCuULt9oeh445-o8X6THHfmq5BD0Cgs3wlqirIOKw/s4032/IMG_2081.jpeg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;3024&quot; data-original-width=&quot;4032&quot; height=&quot;300&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuUVy2BTMqg15paBHDdgxPkaYQ_7875YItH_ZH4GHCjDiV2TBb2Sz47FqdnTzLYsvQS_bLPxcYqVPjqgD63sBCmPOYmqzehCI5HoBJA2CnWwreqdMWWSBoabka044FQ7lHyo37vab_wFHRgNY4TNCuULt9oeh445-o8X6THHfmq5BD0Cgs3wlqirIOKw/w400-h300/IMG_2081.jpeg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-family: arial; font-size: x-small;&quot;&gt;&lt;i&gt;Acadia National Park with view of Sand Beach&lt;/i&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;The clients I work with vary a great deal in terms of their information security maturity levels. Some have advanced programs with good policies and&amp;nbsp;strong controls in place. Others are just getting started on their information security journey. 
They don&#39;t know what they need to do or where to go to find out. Vendors attempt to&amp;nbsp;sell them expensive solutions that they don&#39;t understand and do not have enough staff to successfully implement. I recommend my clients start by reading the CIS Controls document. It&#39;s a concise document that executives can understand and&amp;nbsp;information security professionals can run with. &amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;&lt;b&gt;The overview for Control 07 - Continuous&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;&lt;b&gt;Vulnerability Management is&lt;/b&gt; &lt;i&gt;-&amp;nbsp;&lt;/i&gt;&lt;/span&gt;&lt;i&gt;Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.&lt;/i&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Control 07 includes seven sub-controls or&amp;nbsp;safeguards, as the CIS Document refers to them. 
They are:&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;7.1&amp;nbsp;Establish and Maintain a Vulnerability Management Process&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;7.2&amp;nbsp;Establish and Maintain a Remediation Process&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;7.3&amp;nbsp;Perform Automated Operating System Patch Management&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;7.4&amp;nbsp;Perform Automated Application Patch Management&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;7.5&amp;nbsp;Perform Automated Vulnerability Scans of Internal Enterprise Assets&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;7.6&amp;nbsp;Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;7.7&amp;nbsp;Remediate Detected Vulnerabilities&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Why is this control critical?&lt;/b&gt; Attackers are&amp;nbsp;continuously scanning corporate networks from the outside, looking for vulnerabilities to exploit. Some of their many goals include compromising those networks to exfiltrate data or install ransomware,&amp;nbsp;both of which can be profitable for them. They generally look for easy targets: companies with insecure practices. 
Don&#39;t let your company be an easy target.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Information Security teams must continually scan their networks for&amp;nbsp;vulnerabilities to remediate them before attackers find them. Attackers have the same access to vulnerability information that infosec pros do. They also have sophisticated tools to&amp;nbsp;quickly exploit those vulnerabilities. We can&#39;t wait to remediate vulnerabilities until there&#39;s a convenient time. There never is one in the information technology and security fields. We are always juggling many competing priorities. And hackers don&#39;t work from 9 to 5. We must prioritize vulnerability&amp;nbsp;management as the consequences of neglecting it are&amp;nbsp;catastrophic. Companies that are&amp;nbsp;victims of attackers have paid&amp;nbsp;millions of dollars to ransomware gangs. The companies later paid tens or hundreds of millions of dollars to clean up their networks after attacks and pay claims in lawsuits from customers and shareholders.&amp;nbsp;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The clients I work with usually have some type of vulnerability scanning tool in place, such as Nessus, Qualys, Rapid7, or OpenVAS - scanning their internal and external networks. Sometimes they scan&amp;nbsp;both the hosts and applications, but usually just the hosts. Unfortunately, the vulnerability scans are often misconfigured, resulting in vulnerabilities that can go unremediated for months or years.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;During a recent gap&amp;nbsp;assessment, the client I worked with had implemented Nessus Professional,&amp;nbsp;which is a paid product. The employee who had set it up months before left the company shortly thereafter. 
Nevertheless, the information&amp;nbsp;technology team continued to receive the weekly vulnerability scan reports showing that there were no vulnerabilities. In a conference room, the IT manager shared his screen to the large wall monitor and displayed the four most recent reports. None of them listed any vulnerabilities. The manager went back further; still no vulnerabilities. He was proud to show how secure their network was. Maybe...but&amp;nbsp;every time I see vulnerability scans that consistently find no vulnerabilities, I know the scans are not running properly.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I pointed out that between the time a vulnerability is identified and patched, the scans would have found something over the past several months. We looked a little closer, and it became very clear what was going on. The report simply showed open ports on systems. The scan the departed employee had set up was a port scan.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;These types of scan results don&#39;t provide much useful information in identifying vulnerabilities other than listing unsupported operating&amp;nbsp;systems. We discussed the importance of credentialed vulnerability scans. They reconfigured the scans accordingly. When we reviewed the scan results a few hours later, there were pages of vulnerabilities, many several years old. The&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;organization was not as secure as the manager thought but was headed in the right direction.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Many clients that I&#39;ve worked with have set up scans but are not scanning all of their systems. 
Or they are scanning systems without entering credentials into the scan configuration, which is necessary to conduct authenticated scans - deep scans in&amp;nbsp;which&amp;nbsp;the scanning tool can identify missing security and application&amp;nbsp;patches as well as registry and configuration vulnerabilities. In one recent case, a client was conducting proper authenticated scans against its production network but not its User Acceptance Testing (UAT) environment. This is common but what was&amp;nbsp;different in this case is that their UAT systems were public facing in which customers tested web applications prior to the company moving the&amp;nbsp;applications into Staging and later into Production. An attacker could potentially compromise the UAT environment and move into the Production&amp;nbsp;environment as they were on the same subnet.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Finally, there are customers that are not scanning their&amp;nbsp;systems at all. They don&#39;t think they need to. They don&#39;t have any public&amp;nbsp;facing&amp;nbsp;systems. Or they do but they believe the data hosted on the servers is data that no one would target. That&#39;s not a good&amp;nbsp;approach to&amp;nbsp;protecting your network. Even if a company only had public data on its websites, a compromise of a web server would cause&amp;nbsp;reputational damage at a minimum. From the web servers, the attackers could make their way to the internal networks where there is more desirable data to be exfiltrated or encrypted for ransom. People often look through a very narrow lens at situations. It&#39;s important to look at the big picture in&amp;nbsp;both life and information security. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;All organizations must have a proper vulnerability management program in place. 
It means implementing automated vulnerability scanning and patch remediation processes. It also means regularly verifying that the automated scans are configured and running properly. This is critical to protecting your company and customer data from attackers.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Next month I&#39;ll discuss Center for Internet Security Control 08 - Audit Log Management. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/8266081158989951408/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2022/06/notes-from-field-center-for-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/8266081158989951408'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/8266081158989951408'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2022/06/notes-from-field-center-for-internet.html' title='Notes from the Field - Center for Internet Security Control 07 - Continuous Vulnerability Management'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuUVy2BTMqg15paBHDdgxPkaYQ_7875YItH_ZH4GHCjDiV2TBb2Sz47FqdnTzLYsvQS_bLPxcYqVPjqgD63sBCmPOYmqzehCI5HoBJA2CnWwreqdMWWSBoabka044FQ7lHyo37vab_wFHRgNY4TNCuULt9oeh445-o8X6THHfmq5BD0Cgs3wlqirIOKw/s72-w400-h300-c/IMG_2081.jpeg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-3938573324089784279</id><published>2022-04-30T08:28:00.014-04:00</published><updated>2022-10-09T12:05:15.566-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Access Control"/><category scheme="http://www.blogger.com/atom/ns#" term="Center for Internet Security"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><category scheme="http://www.blogger.com/atom/ns#" term="MFA"/><title type='text'>Notes from the Field - CIS Control 06 - Access Control Management</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;This is the sixth in a series of posts I&#39;m writing regarding what I see in my work as an information security auditor with clients, specifically how they implement the&lt;/span&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;a href=&quot;https://www.cisecurity.org/controls&quot; rel=&quot;nofollow&quot; style=&quot;caret-color: rgb(68, 68, 68); font-family: arial; text-decoration: none;&quot;&gt;Center for Internet Security (CIS) Controls&lt;/a&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;. The CIS Controls are 18 critical information security controls that all organizations and information security professionals should understand and implement to protect their networks, systems, and data from attackers. 
In this post I discuss Control 06 - Access Control Management.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;The CIS overview for this&amp;nbsp;control is &lt;/b&gt;- &lt;i&gt;Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software&lt;/i&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;Control 6 includes 8 sub-controls or safeguards, as the CIS&amp;nbsp;document refers to them. I listed them below and will discuss some of them.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;6.1 Establish an Access Granting Process&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;6.2 Establish an Access Revoking Process&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;6.3 Require MFA for Externally-Exposed Applications&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;6.4 Require MFA for Remote Network Access&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;6.5 Require MFA for Administrative&amp;nbsp;Access&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span 
style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;6.6 Establish and Maintain Inventory of Authentication and Authorization Systems&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;6.7 Centralize Access Control&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;6.8 Define and Maintain Role-Based&amp;nbsp;Access Control&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Why is this a critical control?&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Granting higher levels of access than necessary to individuals and systems puts the&amp;nbsp;organization at greater risk of a compromise and data breach. O&lt;/span&gt;rganizations should have standardized and centralized processes for granting, managing, and revoking access based on role.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;It&#39;s also critical that companies&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;&lt;span style=&quot;background-color: white;&quot;&gt;operate on the principle of least privilege when granting access to data and resources. This means individual accounts, service accounts, processes, systems, etc. 
are only granted access to resources they need to perform their job&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;responsibilities or functions, no more and no less. Companies I work with are generally pretty good in this area.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;What I often see companies do is grant new hires a default set of applications during the onboarding process. They also grant read access to a shared folder where company policies are located. For example, a person in the finance department would be granted access to different sets of applications and data than a person in the marketing or sales departments. This would be done&amp;nbsp;via access control groups in Active Directory or other Identity Access Management tool. It would be&amp;nbsp;driven by&amp;nbsp;Helpdesk tickets submitted by the human resources team or the hiring manager. 
IT staff grant the access based on the request.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzkgH1z0cgCJ3aklK4QEIjrqApjM-_3z5K9QBsdE94i8ZbfUrKsowORt9Yr18PQeOWJ5H5onWsae1CLwyvcFixezW4IJJWb1X_ZrVJ0Lp7tVO2sN10h5Y1P_bDBQvR-Vya2nHgMEcGYCfjvIJQtqCjl7slXCcA2PRXZdXZwXC48dbWFc9HBGxdd7toLw/s2048/arborteum-rock-spring.jpeg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img alt=&quot;Spring at the Arboretum&quot; border=&quot;0&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;300&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzkgH1z0cgCJ3aklK4QEIjrqApjM-_3z5K9QBsdE94i8ZbfUrKsowORt9Yr18PQeOWJ5H5onWsae1CLwyvcFixezW4IJJWb1X_ZrVJ0Lp7tVO2sN10h5Y1P_bDBQvR-Vya2nHgMEcGYCfjvIJQtqCjl7slXCcA2PRXZdXZwXC48dbWFc9HBGxdd7toLw/w400-h300/arborteum-rock-spring.jpeg&quot; title=&quot;Spring at the Arboretum&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-family: arial; font-size: x-small;&quot;&gt;&lt;i&gt;Spring at the Arboretum at Penn State&lt;/i&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;I recently completed a gap assessment&amp;nbsp;with a company that is just&amp;nbsp;getting started with their information security program. They thought they were running a pretty tight ship. We discovered otherwise shortly into the engagement. 
During a review of their Active Directory accounts and security groups, I saw that the IT staff used accounts with Domain Admin privileges as their day-to-day accounts for logging on to their own computer to perform common tasks such as email and browsing the web. I had not seen something like that in a long time as most companies moved away from that a decade or more ago. I pointed out that if an IT staff member fell for a phishing attack, the attacker would not only have access to just any account, it would be an account with Domain Admin privileges. With that account, an attacker would have full access to their domain to do whatever they chose. IT staff need to use a separate account with minimal access for their day-to-day computing activities. They should only use a privileged account when needed.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;Companies generally have good processes in place for revoking&amp;nbsp;access when a person leaves an organization. But it&#39;s also very&amp;nbsp;common for processes to break down in this area. They often use&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;single sign-on (SSO) for third-party web applications. SSO is integrated with Active Directory or other Identity Provider service. When IT staff or HR disable the former employee&#39;s account, all of their access is removed. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;But not all companies have implemented an SSO solution. An average employee may have access to 10 or 20 or more&amp;nbsp;different types of accounts, systems, and web platforms. The people who are notified to create an account for a person are not always notified to disable access &amp;nbsp;when a person is&amp;nbsp;terminated. 
It&#39;s&amp;nbsp;important that all accounts be inventoried so HR and IT staff and others responsible know which accounts to disable when a person separates from a company. HR and IT staff members can use checklists via&amp;nbsp;Helpdesk tickets to track that all accounts are disabled.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;As per Control 6, I always recommend organizations require multi-factor authentication (MFA) for&amp;nbsp;privileged account usage. Anytime someone with Domain Admin or other high privileges logs on to a system or attempts to perform administrative functions, the person should be prompted for a second factor of authentication. That way if a privileged account is compromised, the attacker still needs the second factor of authentication to use it. That is a bigger challenge for an attacker. Attackers are much more likely to target organizations where MFA is not in place.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;When I reviewed a recent client&#39;s VPN setup, AWS, and cloud environments, MFA&amp;nbsp;was not required for regular user or privileged accounts. I asked them to imagine the damage an attacker could do to their company and its reputation if the attacker obtained&amp;nbsp;control of its internal or AWS environment. The attacker could exfiltrate data and worse - make public sensitive customer data or sell it on the dark web. The attacker could delete all of the EC2 instances, resources, and applications in AWS. What damage could attackers do if they phished the CEO&#39;s Outlook 365 account? The IT staff began to see the risk to their company. 
&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;Related to control 6.8, I always recommend to clients that they perform monthly or quarterly reviews of their accounts and access levels. This is important because no person or process is perfect.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;Life happens.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;Sometimes important tasks are missed. Automation fails. A person may leave a company right before a holiday weekend, when some key staff who manage accounts are out of the office, getting an early start on the holiday. Some web&amp;nbsp;platform accounts of a terminated individual may continue to be enabled after the person departs a company. They could freely access those accounts over the internet at any time. Unfortunately, no one discovers this until data is exfiltrated or deleted by the former employee or by an attacker taking advantage of a dormant account. &lt;/span&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;Perhaps an employee moves from one department to another. Yet the individual still has access to sensitive data and resources in their previous department, for which they no longer have a need. The monthly or quarterly reviews catch these errors.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;Next month, I&#39;ll discuss Center for Internet Security Control 07 - Continuous&amp;nbsp;Vulnerability Management. 
&amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/3938573324089784279/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2022/04/notes-from-field-cis-control-06-access.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3938573324089784279'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3938573324089784279'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2022/04/notes-from-field-cis-control-06-access.html' title='Notes from the Field - CIS Control 06 - Access Control Management'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzkgH1z0cgCJ3aklK4QEIjrqApjM-_3z5K9QBsdE94i8ZbfUrKsowORt9Yr18PQeOWJ5H5onWsae1CLwyvcFixezW4IJJWb1X_ZrVJ0Lp7tVO2sN10h5Y1P_bDBQvR-Vya2nHgMEcGYCfjvIJQtqCjl7slXCcA2PRXZdXZwXC48dbWFc9HBGxdd7toLw/s72-w400-h300-c/arborteum-rock-spring.jpeg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-288817346698858709</id><published>2022-03-27T15:47:00.006-04:00</published><updated>2022-08-29T11:45:53.392-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Access Control"/><category scheme="http://www.blogger.com/atom/ns#" 
term="Account Management"/><category scheme="http://www.blogger.com/atom/ns#" term="Account Reviews"/><category scheme="http://www.blogger.com/atom/ns#" term="Center for Internet Security"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><title type='text'>Notes from the Field - CIS Control 5 - Account Management</title><content type='html'>&lt;p&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68);&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;This is the fifth in a series of posts on the &lt;a href=&quot;https://www.cisecurity.org/controls&quot; rel=&quot;nofollow&quot;&gt;Center for Internet Security (CIS) Controls&lt;/a&gt; Version 8, which was released in May of 2021. The CIS Controls are 18 critical information security controls that all organizations and information security professionals should understand and implement to protect their networks from attackers. In this post I discuss what I see in my work with clients in regards to Control 05 - Account Management.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;The CIS overview for this&amp;nbsp;control is -&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;i&gt;Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software&lt;/i&gt;.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a 
href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhldvxhuce-Hrv3r0BrGfF3SFuRCK9TeqID8cgyGQ9Fg4rzhqxM-MEPzak11em7ikBzj2bJSQOvaSwVjINE0mxO6dM5qNlL7eG5fesBuQ6iOEU6tC8PiMapH43Pw3LCO_F9_eLj5UFIjfbFDuruijaZlSnfHBlhpaHKnaqhb6mrhCWtEnd05Ep0cCHedw/s3264/IMG_3370.jpeg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;2448&quot; data-original-width=&quot;3264&quot; height=&quot;300&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhldvxhuce-Hrv3r0BrGfF3SFuRCK9TeqID8cgyGQ9Fg4rzhqxM-MEPzak11em7ikBzj2bJSQOvaSwVjINE0mxO6dM5qNlL7eG5fesBuQ6iOEU6tC8PiMapH43Pw3LCO_F9_eLj5UFIjfbFDuruijaZlSnfHBlhpaHKnaqhb6mrhCWtEnd05Ep0cCHedw/w400-h300/IMG_3370.jpeg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-size: x-small;&quot;&gt;Penn State&#39;s Old Main Building in March&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68);&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;caret-color: rgb(0, 0, 0);&quot;&gt;The CIS Controls document states this control is critical as attackers can gain access to your organization&#39;s network and systems by using valid user&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;credentials on those systems. Attackers seek to obtain credentials of accounts with weak passwords or for accounts of former employees that have not been disabled. The attackers may obtain passwords from shared accounts or service accounts with passwords that have not been changed in years. 
These credentials can be obtained in a number of ways, such as social engineering, or by finding them in scripts or documentation stored in cloud storage that was&amp;nbsp;inadvertently made&amp;nbsp;publicly available. Administrator and other&amp;nbsp;privileged accounts are particularly valuable to attackers.&amp;nbsp;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CIS Controls document states that credentials should be treated like company assets, which you should inventory and track. It&#39;s necessary to do periodic account reviews:&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Disable accounts that are inactive for more than 45 days&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Review new accounts to verify they were properly authorized&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Verify group memberships and privileges are still appropriate, particularly for administrators and those who have changed positions&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;An employee&amp;nbsp;with administrative privileges should use a separate account to exercise those&amp;nbsp;privileges. They should not use a&amp;nbsp;privileged account for ordinary tasks such as using email and web browsers. That reduces the chances of a privileged account being compromised by a phishing or other attack.&amp;nbsp;&lt;br /&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CIS Controls document also recommends the use of a Single Sign-On solution to reduce the number of accounts and passwords&amp;nbsp;individuals must maintain as people are more likely to write their passwords down or maintain a file of them if they have too many to remember. 
The use of&amp;nbsp;multi-factor&amp;nbsp;authentication (MFA) is also recommended in&amp;nbsp;support of account management. MFA makes it more difficult for attackers to compromise accounts as they must compromise at least two methods of authentication instead of just one.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In my work with clients&amp;nbsp;Account Management is an area where companies generally take care of the basics, such as disabling accounts of former employees. But that&#39;s about it. Most IT staff and cloud administrators are so busy&amp;nbsp;with their day-to-day duties that they often think that is all they can squeeze in alongside their other pressing matters. Or they simply are not sure what else they should do for secure account management.&amp;nbsp;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I recently conducted a SOC 2 Gap Assessment with a company of about 250 employees with a physical headquarters where the majority of staff worked until the pandemic began. About half of the staff continue working remotely. They have a small cloud environment in Amazon Web Services (AWS) that hosts a web application. They also have some&amp;nbsp;physical and virtual servers at their headquarters server room that run Active Directory, VMware, and many application and file servers.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I had them&amp;nbsp;walk me through their AWS environment, beginning with the Identity Access Management (IAM) console. They had proper controls in place. There were just a few accounts. All had long and complex passwords. MFA was enabled for all. Only the accounts necessary for administrative tasks had those privileges and assigned policies. Other accounts had fewer privileges for specific tasks. 
We looked at the login history in CloudTrail. They also had alerts set up for IAM logins. They set it up properly. I have worked with clients that had weak passwords and MFA was not required for their AWS environments. That leaves just one level of authentication protecting a company&#39;s cloud systems from compromise or intentional deletion by an attacker.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Things got more interesting when we reviewed the accounts for their public-facing web application, which is hosted on their AWS Linux instances. The company staff developed the application themselves. The lead developer showed me the administrative interface and the database, which stored the application accounts and passwords. He showed me the list of administrators of the system. It was limited to a group of developers and IT staff.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Customer support staff also had the ability to reset passwords of customers, which was part of their role in helping customers.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;After a review of the accounts against the active employee list, I identified five active accounts of people who were no longer with the company. They could potentially still be logging on and performing administrative tasks, resetting passwords of customer accounts or stealing customer data. Is that something they considered before?&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;After discussion about this and bringing in the development manager it was determined that the person responsible for disabling accounts left the company the previous year and no one was assigned that responsibility since.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;We ran into more problems with the web application. 
Multi-factor&amp;nbsp;authentication was not required for the administrators, customer support staff or customers. Nor did the web application require passwords to be changed.&amp;nbsp;That&#39;s common for customers but not for employees. I asked to see password requirements. They were not listed in the administrative console. The developer said they were written into the code from an Open Source library but was not familiar with that code module and couldn&#39;t verify complex passwords were used.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Fortunately for me, anyone could create their own account on this public-facing web application. I decided to do that with them present so we could walk through the process together. I created an account and set my password. I was able to set a simple password of Password123. The&amp;nbsp;developer, manager, and IT Director were unhappily surprised by this. I was actually surprised myself as this is such a basic control to put in place that I rarely see it missing. Hackers could easily target accounts and try common passwords to gain access. From there, an attacker could attempt to escalate privileges. Why hadn&#39;t they required complex passwords?&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;It turned out the code for the application had the functionality to require complex passwords and MFA but they never enabled it. It was planned but got lost in the shuffle of&amp;nbsp;additional requirements&amp;nbsp;and&amp;nbsp;features. And they were short staffed. Ever since the pandemic began and remote work became more common, company developers were being poached by recruiters faster than they could hire and train them.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I recommended that MFA be required for all company employees for all remote access, web applications, and cloud services. 
The application stored sensitive data which led me to recommend that MFA be at least made optional to customers if not required. Granted, MFA is more challenging for&amp;nbsp;customers who may not have a second means of authentication or may simply not want to use one.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;We moved on to their Windows Active Directory Users and Computers console for their headquarters domain. I had them bring up the Domain Admins&#39; security group. The IT staff consisted of four people but this group contained 21 accounts, many of which were disabled. Based on the account names, others were clearly service accounts for the backup software, anti-malware system, among others. I asked the IT Director and Systems Administrator why the accounts were still in the Domain Admins groups. They didn&#39;t have a good reason. They figured the accounts were disabled and that was enough. I recommended they remove the accounts from the group and delete them.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Accounts aren&#39;t books or old photos that we keep around for years. They have to go when they are no longer needed.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;We continued on with the other accounts. There were several test accounts still enabled that hadn&#39;t&amp;nbsp;been used in years. They had to be disabled. If they weren&#39;t going to be used in the next three months, they should be deleted. I advised them to review all of the service accounts. Do they really need Domain Admin privileges? Most likely not. They may need administrator privileges on specific servers where they are used. But don&#39;t give service accounts more privileges than they need. Attackers will target those. Those accounts, as well as dormant test accounts with privileges, provide perfect cover for hackers. 
We went&amp;nbsp;through the Enterprise Admins, Schema Admins groups as well as some custom&amp;nbsp;administrative groups they use. Again,&amp;nbsp;there were many accounts in them that did not need to be in them.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;We then looked at regular domain accounts. As mentioned above, the company has 250 employees. You can imagine my surprise when Active Directory had an Organizational Unit of 1400 disabled accounts of former employees going back 20 years. Again, I asked the IT Director and Systems Administrator why they&amp;nbsp;kept all of these accounts of terminated employees? They mentioned a practice that was popular for several years when Active Directory was released and still new. The idea was that the IT staff would disable accounts of terminated staff but keep the account in case the person someday returns to the company. That way, IT staff wouldn&#39;t have to go through all of the trouble to create a new account and add the account to groups. The person&#39;s&amp;nbsp;account would still have all of the group memberships from when they previously worked for the&amp;nbsp;company. The account GUID would be the same so that they could access files that had been granted permissions specifically to their account. A new account wouldn&#39;t have the same GUID or access to the old files. This practice, I&amp;nbsp;remember, was even documented in the Microsoft certification books as a convenient method of saving time and being efficient. Opinions about this have very much changed since then. Now we stress security over&amp;nbsp;convenience as convenience often leads to companies being&amp;nbsp;compromised.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I advised the IT Director and Systems Administrator to delete accounts of former employees after they had been inactive for 45 days. 
It does not make sense to have five times more inactive accounts than active accounts. That&#39;s too many&amp;nbsp;opportunities for attackers to use&amp;nbsp;existing accounts and sneak under the radar. Even if a former employee returned to the&amp;nbsp;company, the individual may have a different role from their previous one and need different group memberships to access different resources. They mentioned the person may need access to old files that were assigned to their old GUID. That&#39;s another practice they should stop. They should assign data access to groups for better administration.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;They were uncomfortable with deleting accounts of former employees, as they had both been with the company for 15 years or more and that&#39;s just the way they had always done things. It was a big change for them. I asked them how they would know if someone, perhaps an IT person who was leaving the company, reset the password of one of the terminated accounts and enabled it. What if a&amp;nbsp;disgruntled IT staff member reset the password of one of the unused test accounts that had Domain Admin&amp;nbsp;privileges so that they could use it after they left the company? Did they have any monitoring of accounts in place to identify such changes? No, they didn&#39;t. They could potentially review the security logs but they were not in the practice of doing so.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;We then discussed ongoing reviews of accounts and privileges. They didn&#39;t have any processes in place. 
I recommended they:&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Conduct quarterly reviews of accounts and access privileges for all users and systems, including directory services, custom web applications, and other access systems and tools the company uses&amp;nbsp;&lt;/li&gt;&lt;li&gt;Delete or disable inactive accounts after 45 days&lt;/li&gt;&lt;li&gt;Verify account privileges are accurate for active user accounts, noting that changes in job roles of employees may require changes in system privileges&lt;/li&gt;&lt;li&gt;Document the quarterly reviews in a help desk tool or other tool, noting all account and privilege changes&lt;/li&gt;&lt;li&gt;Research and implement a tool, such as a SIEM or Netwrix, to monitor account changes, with email alerts for Domain Admin and other privileged accounts.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;Why the discrepancies between how the AWS environment was managed and how Active Directory and the web application accounts were managed? The person who set up and managed the AWS environment was newer to the company and had previously worked at a company where they followed&amp;nbsp;specific policies and practices. The AWS administrator continued the practices with this&amp;nbsp;company. The managers and staff responsible for Active Directory had administered Active Directory based on what they thought were good practices. They didn&#39;t follow a policy or have documented practices. They did what they always did. The&amp;nbsp;application developers also didn&#39;t have specific guidance on what they should do. 
I advised them to develop a policy that aligned&amp;nbsp;with CIS Control 5 and implement the controls.&lt;/span&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(68, 68, 68);&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Next month I&#39;ll discuss the Center for Internet Security Control 06 - Access Control Management.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/288817346698858709/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2022/03/notes-from-field-cis-control-5-account.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/288817346698858709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/288817346698858709'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2022/03/notes-from-field-cis-control-5-account.html' title='Notes from the Field - CIS Control 5 - Account Management'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhldvxhuce-Hrv3r0BrGfF3SFuRCK9TeqID8cgyGQ9Fg4rzhqxM-MEPzak11em7ikBzj2bJSQOvaSwVjINE0mxO6dM5qNlL7eG5fesBuQ6iOEU6tC8PiMapH43Pw3LCO_F9_eLj5UFIjfbFDuruijaZlSnfHBlhpaHKnaqhb6mrhCWtEnd05Ep0cCHedw/s72-w400-h300-c/IMG_3370.jpeg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-3425511639621917548</id><published>2022-02-27T13:25:00.010-05:00</published><updated>2022-06-27T21:28:40.240-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CIS"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Benchmarks"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Technology"/><category scheme="http://www.blogger.com/atom/ns#" term="STIG"/><title type='text'>Notes from the Field - CIS Control 04 - Secure Configuration of Enterprise Assets and Software</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;This is the fourth in a series of posts I&#39;m writing on the &lt;a href=&quot;https://www.cisecurity.org/controls&quot; target=&quot;_blank&quot;&gt;Center for Internet Security (CIS) Controls Version 8&lt;/a&gt;. The CIS Controls are 18 information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data from attackers. 
In this post I discuss what I see in my work as an information security auditor with clients regarding Control 04 - Secure Configuration of Enterprise Assets and Software.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;The CIS overview for Secure Configuration of Enterprise Assets and Software is&lt;/b&gt; -&amp;nbsp;&lt;i&gt;Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).&lt;/i&gt;&lt;/span&gt;&lt;/p&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Why is this a critical control? &lt;/b&gt;The CIS Controls document states this control is critical as systems and software are designed for ease of use and deployment, not for security. Default system and software configurations are generally insecure. Attackers can exploit systems and software that have default user accounts and passwords, default protocols, and other insecure settings. The security settings and configurations need to be maintained over the life of the system or software. 
Changes to configurations need to be tracked, both to detect drift from the baseline and for compliance purposes.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The document includes consideration of service providers, as they may implement looser controls to support their many customers.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CIS Controls document lists security configuration checklists that systems administrators and&amp;nbsp;security professionals can use to secure their systems, such as the &lt;a href=&quot;https://ncp.nist.gov/repository&quot; target=&quot;_blank&quot;&gt;NIST National Checklist Program&lt;/a&gt; and the &lt;a href=&quot;http://www.cisecurity.org/cis-benchmarks/&quot; target=&quot;_blank&quot;&gt;CIS Benchmarks Program&lt;/a&gt;. It then lists 11 steps for developing secure baselines. The document lists a number of safeguards or sub-controls in support of this control. 
They include:&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Establish and Maintain a Secure Configuration Process&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Configure Automatic Session Locking on Enterprise Assets&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Implement and Manage a Firewall on Servers&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Manage Default Accounts on Enterprise Assets and Software&amp;nbsp;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Uninstall or Disable Unnecessary Services on Enterprise Assets and Software&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Configure Trusted DNS Servers on Enterprise Assets&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Enforce Automatic Device Lockout on Portable End-User Devices&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/a/AVvXsEgvv2r0fVDHCr9r6Kbxmv_Sj42DVQrqdWWx8JN29jzL_TRElUspt2OuP2HaBdla1jUaERHGy-HfhR-H1df3JFzbFphmSsugULCiYinbMS7XDin9DnkQdV_4z2kWnLdgZ3479vzttFPKFJsvIIEADU4nx9Mth5Cj4Bs2NgkvEW8fkrYtjdc-jy8vtEjQyQ=s2048&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img alt=&quot;Penn State Law Building Framed By the Arch at the Arboretum&quot; border=&quot;0&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;300&quot; 
src=&quot;https://blogger.googleusercontent.com/img/a/AVvXsEgvv2r0fVDHCr9r6Kbxmv_Sj42DVQrqdWWx8JN29jzL_TRElUspt2OuP2HaBdla1jUaERHGy-HfhR-H1df3JFzbFphmSsugULCiYinbMS7XDin9DnkQdV_4z2kWnLdgZ3479vzttFPKFJsvIIEADU4nx9Mth5Cj4Bs2NgkvEW8fkrYtjdc-jy8vtEjQyQ=w400-h300&quot; title=&quot;Penn State Law Building Framed By the Arch at the Arboretum&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-size: x-small;&quot;&gt;&lt;i&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Penn State Law Building, Framed by the Arch at the Arboretum&lt;/span&gt;&lt;/i&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In my work as an information security auditor, I see some clients doing very good work in this area. They have detailed security configurations for their operating systems, software, and network devices. Others are not as diligent. On a recent gap analysis engagement with a client that provides a web application explained how they secure their servers. They install the latest security patches, install anti-virus software, and change the administrator password. They also enable the firewall on their servers. I asked if they do anything beyond that. Unfortunately, they do not. &lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Let&#39;s face it, that does not qualify as actually securing a system. I asked the company&#39;s information security manager if he would feel confident using a vendor which had such minimal controls in place. He grimaced for a few seconds and finally said no. He expects much more. 
Just as his company&#39;s customers expect more from him and the information security team to secure their data.&amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I discussed how other companies have much more rigorous controls. They may have a checklist of 20 or 30 security settings they change. Still others implement hundreds of individual security settings from &lt;a href=&quot;https://public.cyber.mil/stigs/&quot; target=&quot;_blank&quot;&gt;Security Technical Implementation Guides&lt;/a&gt; (STIGs) or the &lt;a href=&quot;https://www.cisecurity.org/cis-benchmarks/&quot; target=&quot;_blank&quot;&gt;CIS Benchmarks&lt;/a&gt; for operating systems, software, and network devices. Normally, implementing this number of controls is done via scripts or Group Policy. There are also tools that can verify systems continuously maintain the desired configuration and re-apply it when it drifts. For Linux systems, clients often use Chef or Puppet. In AWS they may use Terraform to deploy infrastructure from a version-controlled, hardened definition, so that every new instance starts from a secure configuration rather than being hand-built. In support of securing their systems, organizations run vulnerability scans to further identify weaknesses and take appropriate action. &amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;With a background in a Department of Defense environment, I have spent a lot of time implementing controls from STIGs and the CIS Benchmarks for Windows, Linux, and VMware. I highly recommend the CIS Benchmarks to clients to review and implement. 
The CIS produces the benchmarks for many operating systems, network devices, software, and cloud environments.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The PDF document that lists the controls for Windows Server 2019, for example, is over 900 pages long. It gets into every detail of securing a Windows Server. The benchmark for Amazon Linux 2 is almost 400 pages long. The benchmarks can help guide the way to securing systems for information technology&amp;nbsp;professionals who don&#39;t know where to begin in properly securing their organization&#39;s systems. Securely configuring enterprise assets and software also demonstrates a level of due diligence in support of protecting your company&#39;s and customers&#39; data and systems.&amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Next month, I&#39;ll discuss the Center for Internet Security Control 5 - Account Management.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/3425511639621917548/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2022/02/notes-from-field-cis-control-04-secure.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3425511639621917548'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3425511639621917548'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2022/02/notes-from-field-cis-control-04-secure.html' title='Notes from the 
Field - CIS Control 04 - Secure Configuration of Enterprise Assets and Software'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/a/AVvXsEgvv2r0fVDHCr9r6Kbxmv_Sj42DVQrqdWWx8JN29jzL_TRElUspt2OuP2HaBdla1jUaERHGy-HfhR-H1df3JFzbFphmSsugULCiYinbMS7XDin9DnkQdV_4z2kWnLdgZ3479vzttFPKFJsvIIEADU4nx9Mth5Cj4Bs2NgkvEW8fkrYtjdc-jy8vtEjQyQ=s72-w400-h300-c" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-3625819162764818947</id><published>2022-01-22T11:26:00.010-05:00</published><updated>2022-06-13T09:45:41.107-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Data Loss Protection"/><category scheme="http://www.blogger.com/atom/ns#" term="Data Security"/><category scheme="http://www.blogger.com/atom/ns#" term="Encryption"/><title type='text'>Notes from the Field - CIS Control 03 - Data Protection</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;This is the third in a series of posts I&#39;m writing on the &lt;a href=&quot;https://www.cisecurity.org/controls&quot; target=&quot;_blank&quot;&gt;Center for Internet Security (CIS) Controls Version 8&lt;/a&gt;. The CIS Controls are 18 information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks from attackers. 
In this post I discuss what I see in my work as an information security auditor with clients regarding to Control 03 - Data Protection.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;The CIS overview for Data Protection is -&lt;/b&gt; &lt;i&gt;Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data&lt;/i&gt;.&lt;/span&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/a/AVvXsEjoC2KVC4Bhb_9wPK_RjTPTiE2LC0oAQWd7E4b_REAWMPnLbZ0Q9tDFrYvP6q1-Q5uZzmjtrRYU1WGiuh2IQIGBYTBFXYfEMIJ_gaThxTdDicUIB7kbird_XbAw7VM1nMSFibE_pYOfR49e8rBZ4Y53Em6pGduoa7-lIfDmMZusCDoxtqYecAggpGpO3Q=s4032&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img alt=&quot;Sunset at Montana State University&quot; border=&quot;0&quot; data-original-height=&quot;3024&quot; data-original-width=&quot;4032&quot; height=&quot;300&quot; src=&quot;https://blogger.googleusercontent.com/img/a/AVvXsEjoC2KVC4Bhb_9wPK_RjTPTiE2LC0oAQWd7E4b_REAWMPnLbZ0Q9tDFrYvP6q1-Q5uZzmjtrRYU1WGiuh2IQIGBYTBFXYfEMIJ_gaThxTdDicUIB7kbird_XbAw7VM1nMSFibE_pYOfR49e8rBZ4Y53Em6pGduoa7-lIfDmMZusCDoxtqYecAggpGpO3Q=w400-h300&quot; title=&quot;Sunset at Montana State University&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-size: x-small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Sunset at Montana State University Billings&lt;/span&gt;&lt;/span&gt;&lt;br 
/&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;b&gt;Why is this control critical?&lt;/b&gt;&amp;nbsp;A breach of company or customer data would cause reputational harm to the organization and potentially result in lost business and costly lawsuits. There are also governmental and industry requirements for protecting data. Failure to meet the requirements could result in fines from various governments or an industry group. Protecting data is more challenging than ever as data is stored in many locations - on-premises and a seemingly endless number of cloud services. Data may be shared with various service providers in support of a company&#39;s services. Fortunately, many tools in support of protecting data are now available, easier to implement and less expensive than in previous years.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CIS Controls document states that attackers will find and exfiltrate data after they penetrate a company&#39;s systems. Your goal is to prevent that from happening. The document lists 14 sub-controls or safeguards in support of data protection. 
They are:&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.1 Establish and Maintain a Data Management Process&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.2 Establish and Maintain a Data Inventory&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.3 Configure Data Access Control Lists&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.4 Enforce Data Retention&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.5 Securely Dispose of Data&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.6 Encrypt Data on End-User Devices&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.7 Establish and Maintain a Data Classification Scheme&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.8 Document Data Flows&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span 
style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.9 Encrypt Data on Removable Media&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.10 Encrypt Sensitive Data in Transit&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.11 Encrypt Sensitive Data at Rest&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.12 Segment Data Processing and Storage Based on Sensitivity &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.13 Deploy a Data Loss Prevention Solution&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3.14 Log Sensitive Data Access&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;When I work with clients, the senior executives, including the Information Technology Director or the Chief Information Security (CISO), sometimes don&#39;t have a full understanding of their own networks, systems, and data. They may be new in the position or dealing with high level priorities, like long-term strategy and budgets. 
They are not always in the technical and security weeds with a true feel for what goes on in their environments. They trust their subordinates are staying on top of things. As the systems and cloud administrators discuss where data is stored and how it is protected, the IT Director or CISO might say they had no idea the company collected credit card numbers or Social Security numbers...let alone stored them unencrypted. They thought those data fields were deleted after processing or encrypted or tokenized in cases where that type of data was collected. They become concerned the company has poor controls and processes in place to protect the data.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Data classification is listed as a control so that companies can determine the sensitivity of data and protect it accordingly. Larger companies generally do a better job of this, from what I&#39;ve encountered. Smaller companies find it easier to protect all of their non-public data the same way as they don&#39;t have the staffing resources or tools to do much else.&amp;nbsp; &lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;One of the most basic things a company must do is properly restrict access to data via access controls as well as log access to data. Companies usually&amp;nbsp;implement this well, but occasionally I&#39;ll find that customers have share drives containing&amp;nbsp;sensitive information that are open to all staff, or to more staff than&amp;nbsp;have a need for access. In one case, a company&#39;s Human Resources share was not restricted. All of the employees&#39; job offer letters with salary information were available. On-boarding documents, such as I-9 forms with Social Security numbers and copies of drivers&#39; licenses, were accessible to anyone in the company who happened to know how to access the share. 
In another case, the company&#39;s code repositories were configured to allow any of the thousands of employees in the company to access, change, and delete the code. In cloud environments, I find that customers sometimes misconfigure their AWS S3 buckets so they are available to the public or are not encrypted. Again, the IT Directors and CISOs are taken aback when they see that organization data is not properly protected. They don&#39;t know about the data so they can&#39;t protect it.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In a recent gap analysis, the client I worked with provided services to hospitals and medical practices. They collected Social Security numbers via a web application. The SSNs were encrypted in the database, but the full SSN for each patient was displayed to all customer support staff every time they looked at a patient record - encryption at rest does nothing for data once the application decrypts it for every user. This is not the usual practice. Most companies mask the first five digits with only the last four digits viewable. Or they may mask the entire SSN. They make the full SSN available only when the staff member clicks on a button to do so...and only if they have been granted a need to know. Additionally, they may also need to authenticate again to reveal the full number, and that reveal should be logged. &amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;A
 tool that can help you understand your data environment and security needs better is a data flow diagram, as the CIS Controls document
 
recommends. A data flow diagram is a visual representation of how data flows into and out of an organization&#39;s infrastructure, where it&#39;s stored on company systems and with cloud providers, and what is shared with and received back 
from service providers.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;It&#39;s also very important to establish a data lifecycle - Create, Store, Use, Share, Archive, Destroy. It costs money to store and protect data you don&#39;t need. It also opens your company up to legal liability. In the event of a data breach and public release of sensitive information, you will have a difficult time explaining why you stored&amp;nbsp;data of a customer who stopped using your service 10 years ago. The company may be in violation of regulations and be liable to fines or lawsuits. I see this a lot with customers. They save data forever as they did not plan for data deletion when they designed their applications and databases. They were focused on getting a functional web application to customers as quickly as possible. They don&#39;t know how to redesign their collection and storage of the data.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Fortunately, there are tools available when data management is planned from the onset. Administrators can run tasks on databases to archive or delete data once it ages past the retention policy. AWS bucket policies can be configured to send inactive and old data to Glacier. It can then be automatically deleted after a specified number of months or years. Microsoft Outlook 365 has data retention policies that can be implemented. Generally, companies don&#39;t take advantage of these tools because they are short-staffed. The employees have little if any time to implement such features as they struggle with their main priority to maintain their services for customers. 
Companies with dedicated IT security or compliance departments are generally more successful in this area.&amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Some controls that clients often have in place that I&#39;ll highlight are:&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Encryption of data at rest - Most companies I work with are generally diligent about encrypting their data or use tools and services that make encryption the default option. They encrypt drive volumes and databases in AWS and Azure. They encrypt Windows drives with BitLocker, macOS drives with FileVault, and Linux drives with LUKS. &amp;nbsp;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Encryption of data in transit - Companies use the currently supported version of TLS to encrypt data in transit between web&amp;nbsp;applications and end&amp;nbsp;users. They use SFTP/SSH for file transfers. VPNs are established between on-premises locations and cloud services. Laptop users are required to use a VPN client to protect their traffic from interception when using public WiFi networks.&amp;nbsp;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Data Loss Prevention - Many tools now exist to prevent data exfiltration that were expensive and difficult to implement in the past. Some companies I&#39;ve worked with have policies and tools in place that monitor and limit the number of files a person may&amp;nbsp;email outside the organization or upload to a cloud service. Some companies even prevent any and all copying and pasting of data from email or Office 365 products to non-company-managed products and systems. DLP tools can prevent copying of files to USB drives. 
Firewalls can report on the amount of data a particular user is uploading to online storage services.&amp;nbsp;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Most companies have an incident response plan and steps in place to respond to a data breach. Some IT security teams conduct quarterly testing of their response plan so they are prepared when a data breach occurs.&amp;nbsp; &amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Next month, I&#39;ll discuss the Center for Internet Security Control 04 - Secure Configuration of Enterprise Assets and Software.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;div&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/3625819162764818947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2022/01/notes-from-field-cis-control-03-data.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3625819162764818947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3625819162764818947'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2022/01/notes-from-field-cis-control-03-data.html' title='Notes from the Field - CIS Control 03 - Data Protection'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' 
src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/a/AVvXsEjoC2KVC4Bhb_9wPK_RjTPTiE2LC0oAQWd7E4b_REAWMPnLbZ0Q9tDFrYvP6q1-Q5uZzmjtrRYU1WGiuh2IQIGBYTBFXYfEMIJ_gaThxTdDicUIB7kbird_XbAw7VM1nMSFibE_pYOfR49e8rBZ4Y53Em6pGduoa7-lIfDmMZusCDoxtqYecAggpGpO3Q=s72-w400-h300-c" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-7788764917106437107</id><published>2021-12-20T19:56:00.018-05:00</published><updated>2022-05-23T19:29:54.312-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="EDR"/><category scheme="http://www.blogger.com/atom/ns#" term="Malware Prevention"/><category scheme="http://www.blogger.com/atom/ns#" term="Software Inventory"/><title type='text'>Notes from the Field - CIS Control 02 - Inventory and Control of Software Assets</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;This is the second in a series of posts I&#39;m writing on the &lt;a href=&quot;https://www.cisecurity.org/controls&quot; target=&quot;_blank&quot;&gt;Center for Internet Security (CIS) Controls Version 8&lt;/a&gt;. The CIS Controls are 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. 
In this post I discuss what I see in my work with clients regarding Control 02 - Inventory and Control of Software Assets.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Many of the clients I work with are startup companies that have amazing technologies and services but don&#39;t have mature information security programs in place. They often don&#39;t know which information security framework to follow or how to implement it. Some frameworks are either too vague or too long and detailed to be useful. That&#39;s why I recommend the CIS Controls to my clients to help them get started on their information security journey. The CIS Controls document offers concise and specific direction for high level executives and for information technology and security professionals. &amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;The CIS overview for &lt;/b&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Control 02 - Inventory and Control of Software Assets&lt;/span&gt; is&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;- &lt;i&gt;Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution&lt;/i&gt;.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Control 02&amp;nbsp;includes 7 sub-controls or&amp;nbsp;safeguards, as the CIS Document refers to them. 
They are:&lt;b&gt;&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;2.&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;1 Establish and Maintain a Software Inventory&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;2.2 &amp;nbsp;Ensure Authorized Software is Currently Supported&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;2.3&amp;nbsp;Address Unauthorized Software&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;2.4&amp;nbsp;Utilize Automated Software Inventory Tools&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;2.5&amp;nbsp;Allowlist Authorized Software&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;2.6&amp;nbsp;Allowlist Authorized Libraries&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px;&quot;&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span 
style=&quot;font-family: arial;&quot;&gt;2.7&amp;nbsp;Allowlist Authorized Scripts&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;b style=&quot;font-family: arial;&quot;&gt;Why is Inventory and Control of Software Assets critical? &lt;/b&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;A complete software inventory is critical in preventing attacks, the CIS document states, as an organization cannot protect against attacks if it doesn&#39;t know it has vulnerable software. With a complete software inventory an organization knows if it is susceptible to new vulnerabilities, particularly zero-day exploits. It can then take appropriate and quick action to protect or remediate the vulnerable software. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVi2mGwMNoQ3aYcMKGL69CgJ69YhvkkmlizSlTp2N5Q3SZwU67ySQL8xg1NjpVzRq-c9aA44Y7CA9e77mABNznBuoEG_B5gvbiTpKNNa-kMH7t882xZ--n5K53GmDuTy3-1Bo9SlB0pA3MBUi9b0nSqVtlD69ysuU89pOOCdKgyRqK1CtogEQ6JuNAUA/s4032/IMG_4039.jpg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;3024&quot; data-original-width=&quot;4032&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVi2mGwMNoQ3aYcMKGL69CgJ69YhvkkmlizSlTp2N5Q3SZwU67ySQL8xg1NjpVzRq-c9aA44Y7CA9e77mABNznBuoEG_B5gvbiTpKNNa-kMH7t882xZ--n5K53GmDuTy3-1Bo9SlB0pA3MBUi9b0nSqVtlD69ysuU89pOOCdKgyRqK1CtogEQ6JuNAUA/w320-h240/IMG_4039.jpg&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-family: arial; font-size: x-small;&quot;&gt;Flower 
Pots at the Hub&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;On a recent SOC 2 gap assessment, the client gave me a demonstration of their services. This is important to understand the infrastructure and software used in support of their services. The company offers several Software as a Service (SaaS) products. Some of the services are restricted to allowed IPs via VPN connections. One, however, is a public facing web application that the IT and IT security managers were unaware of, an unpleasant surprise for them.&amp;nbsp;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The web app, it turns out, is a special project of the semi-retired company founder. It has a niche but lucrative customer base.&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt; A developer, who reports directly to the company founder, is dedicated to the project and is responsible for the web servers that host the application as well as the database servers supporting it. The servers are not part of the official IT system inventory, nor is any of the software installed on the web and database servers. As part of the assessment, it was important to find out what was going on. The IT and IT security managers were eager as well. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I instructed the developer to use RDP to connect to and logon to one of the web servers. And what do we find...a Windows 2008 server, which went end of life almost two years earlier. The IT managers were visibly stunned at the discovery. The server was running IIS 7, also end of life. A quick SSL Labs test of the server&#39;s URL showed it still used SSL 3.0, which was deprecated in 2015. This web server had been vulnerable for years to a number of critical vulnerabilities and could have been compromised...maybe it already was. 
Just as troubling is that the IT and IT security teams did not know about these servers. Nor did they make much of an effort to find out. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;How did the IT and IT security teams not know about these systems and the older software on them?&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;This is more common than you might expect. When we do a walkthrough of services with clients, we uncover a lot of hidden secrets on company networks, pet projects for which the regular rules don&#39;t apply, orphaned systems that no one manages. All waiting to be exploited.&amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;We investigated why these systems and software were not inventoried.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The company has an&amp;nbsp;inventory tool in place that scans the network every week for hardware and collects software.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;After just a few minutes, we learned the system and software inventory tool was misconfigured. The subnet with the servers was not included in the inventory scan.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Further investigation revealed additional active subnets&amp;nbsp;were missing from the regular scans as they were thought to be unused. 
The&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;problem was the staff accepted the results of the tool without comparing them against other sources, including their own list of active networks and their list of services.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The IT and IT security teams got right to work confirming all of their subnets were included in the inventory scans and vulnerability scans, even the ones that were previously identified as unused. Rather than ignore the unused subnets, they were set up with their own scans to identify rogue systems in the future. Checking back on this a few hours later, several other special project servers with older operating systems and software were identified. The IT and IT security managers were clearly frustrated. &lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;What do the IT and IT security teams need to do?&lt;/b&gt; They need to require in policy and implement CIS Control 02 and its sub-controls. Many people in the field think this is busy work and a waste of time. It simply points to their lack of understanding information security fundamentals. You can only protect what you know about. T&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;o secure company and customer data i&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;t&#39;s imperative to maintain a complete software inventory. It&#39;s easier for smaller environments, more challenging for&amp;nbsp;larger&amp;nbsp;environments. Still, there are many automated tools available that collect system and software, some of which are free. Manual reviews can be done in smaller environments. Spot checks can be done in larger environments. Regardless, this task needs to be assigned to and owned by someone or a team. 
&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In support of the sub-controls for allowing only approved software and scripts, there are many tools companies can leverage for approving and blocking software so only the software that the IT department approves can run on systems. Most operating systems have this functionality.&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Endpoint Detection &amp;amp; Response (EDR) solutions also offer this functionality and provide additional security protections against malware and intrusions.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Implementing CIS Control 02 and its sub-controls will help protect your network and data. The next time there is zero-day vulnerability, you can review your current and complete software inventory and know which systems, if any, are affected. You can take action to remediate the vulnerability and secure your environment.&amp;nbsp; &lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Next month, I&#39;ll discuss the Center for Internet Security Control 3 - Data Protection.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/7788764917106437107/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2021/12/notes-from-field-cis-control-02.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/7788764917106437107'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/7788764917106437107'/><link rel='alternate' type='text/html' 
href='http://www.greghalpin.net/2021/12/notes-from-field-cis-control-02.html' title='Notes from the Field - CIS Control 02 - Inventory and Control of Software Assets'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVi2mGwMNoQ3aYcMKGL69CgJ69YhvkkmlizSlTp2N5Q3SZwU67ySQL8xg1NjpVzRq-c9aA44Y7CA9e77mABNznBuoEG_B5gvbiTpKNNa-kMH7t882xZ--n5K53GmDuTy3-1Bo9SlB0pA3MBUi9b0nSqVtlD69ysuU89pOOCdKgyRqK1CtogEQ6JuNAUA/s72-w320-h240-c/IMG_4039.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-7760313465187155090</id><published>2021-11-20T21:53:00.015-05:00</published><updated>2022-05-09T15:07:16.958-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Asset Inventory"/><category scheme="http://www.blogger.com/atom/ns#" term="Center for Internet Security"/><category scheme="http://www.blogger.com/atom/ns#" term="CIS Controls"/><category scheme="http://www.blogger.com/atom/ns#" term="Data Security"/><category scheme="http://www.blogger.com/atom/ns#" term="Ransomware"/><title type='text'>Notes from the Field - CIS Control 01 - Inventory and Control of Enterprise Assets</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;The Center for Internet&amp;nbsp;Security released Version 8 of its &lt;a href=&quot;https://www.cisecurity.org/controls&quot; target=&quot;_blank&quot;&gt;CIS Controls&lt;/a&gt;&amp;nbsp;document in May 2021. 
This is the first in a series of posts in which I discuss the CIS Controls in regard to what I see in the field as an information security auditor working with clients. If you are not familiar with the Center for Internet Security, it&#39;s a non-profit organization&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68);&quot;&gt;dedicated to making &quot;the connected world a safer place...&quot; The Controls document includes 18 information security controls that all organizations and information security professionals should understand and implement to protect their data, networks, systems, and other resources.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIyPNyqCnZKZeDNffu6Kp5klUHXvSBWQQcBTgFi8TIN95EQnLWE1IZKCLQBrhDj52TJH4tph9QvkwwNmCMTnTG0NOCxzrbbzi5ZxFOKBtE7cLZngYafrawOwDpimprm66ibigVRJ63oeQk/s2048/IMG_2958.jpeg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIyPNyqCnZKZeDNffu6Kp5klUHXvSBWQQcBTgFi8TIN95EQnLWE1IZKCLQBrhDj52TJH4tph9QvkwwNmCMTnTG0NOCxzrbbzi5ZxFOKBtE7cLZngYafrawOwDpimprm66ibigVRJ63oeQk/s320/IMG_2958.jpeg&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-family: arial; font-size: x-small;&quot;&gt;&lt;i&gt;A Bee Collecting Inventory&lt;/i&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68); 
font-family: arial;&quot;&gt;The clients I work with often don&#39;t have mature information security programs in place. They may have some good controls but are overwhelmed from trying to understand all the different things they need to do to protect their systems and data. There are so many resources out there that are hundreds of pages long for specific topics. They don&#39;t have the time to read them or the expertise to understand them. Vendors try to push them into buying products they don&#39;t need or don&#39;t have the resources to manage. Where do they begin?&amp;nbsp;&lt;/span&gt;&lt;div&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;caret-color: rgb(68, 68, 68); font-family: arial;&quot;&gt;I recommend they start by reading the CIS Controls. It&#39;s a concise, high level document about information security that executives can understand and also has specific control details that experienced information technology and security staff can run with to properly secure their environments.&amp;nbsp;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Let&#39;s start with Control 01 -&amp;nbsp;Inventory and Control of Enterprise Assets.&lt;/b&gt;&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CIS overview for this control is -&amp;nbsp;&lt;/span&gt;&lt;i style=&quot;font-family: arial;&quot;&gt;Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. 
This will also support identifying unauthorized and unmanaged assets to remove or remediate&lt;/i&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Control 01 includes 5 sub-controls or safeguards, as the CIS Document refers to them. They are:&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;blockquote style=&quot;border: medium none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;div&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;1.1 Establish and Maintain Detailed Enterprise Asset Inventory&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;div&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;1.2 Address Unauthorized Assets&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;div&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;1.3 Utilize an Active Discovery Tool&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;div&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;1.4 Use Dynamic Host Configuration (DHCP) Logging to Update Enterprise Asset Inventory&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;div&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;1.5 Use a Passive Asset Discovery Tool&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Why is&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;b style=&quot;font-family: arial;&quot;&gt;Inventory and Control of Enterprise Assets&lt;/b&gt;&lt;b style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;important? &lt;/b&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Understand that&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;enterprises can only defend the assets and data they know about. 
Organizations need to know what they have, where they are, and how they are protected. Newly deployed systems may not be fully secured and are subject to attackers gaining a foothold in a company&#39;s environment.&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;When I meet with clients they all say how important information security is and that they take it very seriously. They may have advanced tools to protect their networks. But when we dig in and take a look at their network and systems, often they don&#39;t have an accurate inventory. They may use one tool for cloud systems, another tool for on-premises servers, another for network gear. They may have yet another for tracking laptops and desktops. Different people are responsible for the different tools.&amp;nbsp;One staff member may be very diligent about maintaining an accurate inventory, another person may not consider it important and a waste of time. Each person follows different processes. Often no one is coordinating and overseeing their activities.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I recently conducted a gap assessment for a client that does not have a mature information security program in place. The IT Manager was particularly concerned about ransomware attacks as he knew people at other organizations that had been hit by them. He said the fear of a ransomware attack kept him awake at night. Reviewing their documentation and processes, I observed they didn&#39;t maintain a definitive system inventory. 
The IT Manager stated that maintaining an inventory wasn&#39;t a priority as the IT team was focused on sophisticated security tools, such as an intrusion detection and prevention system and a SIEM for logging and alerting.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6ceKsJhLpFGYka7yPx2meMBRCUkb6GcS_AlvqG99fGim1uMYSZzoaXZKLIde6PcTugQb-xUGbU9XYqpiSJhaHzu9tzBqjzgZHXCLs0KFhp8oqDvjqsP4o1fSGDU1qf6vMG14cltCI41E4/s2048/IMG_2960.jpeg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6ceKsJhLpFGYka7yPx2meMBRCUkb6GcS_AlvqG99fGim1uMYSZzoaXZKLIde6PcTugQb-xUGbU9XYqpiSJhaHzu9tzBqjzgZHXCLs0KFhp8oqDvjqsP4o1fSGDU1qf6vMG14cltCI41E4/s320/IMG_2960.jpeg&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;i&gt;&lt;span style=&quot;font-family: arial; font-size: x-small;&quot;&gt;More Inventory Work&lt;/span&gt;&lt;/i&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;It soon became apparent how their lack of an inventory process left their systems and organization vulnerable. Without a definitive list of servers, laptops, workstations, we had to rely on Active Directory but it contained many systems that were no longer in use. The company also had stand alone systems and Linux servers that were managed by various individuals, independent of the IT department. 
They didn&#39;t know how many. In a conference room with the IT Manager and IT staff, we reviewed the Windows Server Update Services (WSUS) console to determine the patch level of Windows servers and desktops. We compared the list of systems in WSUS against the systems listed in Active Directory. I identified a number of systems in Active Directory that we could not find in the WSUS console. Not a good sign. I could see why the IT Manager had insomnia. A lack of inventory results in serious control gaps.&amp;nbsp;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I asked the lead systems administrator to use RDP to connect to one of the servers not listed in WSUS. It was a member of a HyperV cluster on which many of their production virtual machines were running. We looked at the Windows Update history. The server had not been patched since 2015. Six years had passed since anyone installed security patches on it. That&#39;s really bad but not the first time I&#39;ve seen something like this. Just as concerning is that no one had noticed in all that time. The IT Manager was visibly upset and incredulous. He stammered and said it was some sort of mistake. He looked around the room. He and his team are on top of these things, right? They&amp;nbsp;patch their servers regularly or so they thought. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;We also found the server did not have anti-virus installed on it. The systems administrator then used RDP to connect to the second server in the HyperV cluster. Same results - last security patch was six years ago and no anti-virus installed. 
&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;The IT Manager said &quot;they are only HyperV hosts, not a big deal.&quot; I replied that it was as big a deal as it could get as many of their production virtual machines were running on the HyperV hosts. The hosts were a prime target for ransomware gangs. If the HyperV hosts had been compromised, the company wouldn&#39;t be able to do business for days or weeks until the IT staff could recover the systems from the attack - if they could recover them. They&#39;d likely need to bring in security consultants at great expense to secure their environment and do a forensic analysis.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;Many of the company&#39;s hundreds of employees wouldn&#39;t be able to get any work done during that time.&amp;nbsp;A ransomware attack could have a huge impact on productivity, cost, and company reputation. For all the IT Manager knew, the systems were already compromised as there were no security tools installed on the hosts that could alert the IT staff of potential attacks. We were just getting started with this audit and the first two systems we reviewed lacked controls. What else would we find? How could they install their IDS/IPS and SIEM tools on systems they didn&#39;t know about?&amp;nbsp;&lt;/span&gt;The IT Manager agreed that a solid inventory of systems is important in support of an organization&#39;s security posture. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;So what do the IT Manager and the IT staff need to do?&lt;/b&gt; They need to require in policy and implement procedures to maintain a definitive inventory of all assets - on premises and in the cloud, as well as remote end user systems. 
They should review and update the inventory at least quarterly, preferably monthly. They need to know about every system and network device so they can protect them. That means following Control 01 and its sub-controls, using automated tools to inventory their network and systems. They must manually verify their inventory is accurate as automated tools can fail or be misconfigured, returning incorrect results. The IT staff need to compare their inventories against the assets identified in NMAP and network vulnerability scans. This company needs to assign owners to these processes and to the assets to verify the inventories are current and continuously updated. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Once the company has an accurate inventory, they can determine how to properly protect the systems. They can make sure that the systems have the latest security patches, antivirus installed, and a host intrusion detection system installed. They will need to do periodic status checks of the security tools on all systems. 
The IT Manager can then sleep better at night, knowing all of the company systems are accounted for and secure as that&#39;s the first step in protecting company and customer data.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style=&quot;text-align: left;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Next month, I&#39;ll discuss the Center for Internet Security Control 02 - Inventory and Control of Software Assets.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/7760313465187155090/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2021/11/notes-from-field-cis-control-01.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/7760313465187155090'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/7760313465187155090'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2021/11/notes-from-field-cis-control-01.html' title='Notes from the Field - CIS Control 01 - Inventory and Control of Enterprise Assets'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIyPNyqCnZKZeDNffu6Kp5klUHXvSBWQQcBTgFi8TIN95EQnLWE1IZKCLQBrhDj52TJH4tph9QvkwwNmCMTnTG0NOCxzrbbzi5ZxFOKBtE7cLZngYafrawOwDpimprm66ibigVRJ63oeQk/s72-c/IMG_2958.jpeg" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-321034281798602506</id><published>2020-10-25T21:08:00.011-04:00</published><updated>2020-10-25T21:44:20.823-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CIS"/><category scheme="http://www.blogger.com/atom/ns#" term="Cybersecurity"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><title type='text'>The Center for Internet Security Controls</title><content type='html'>&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Where can individuals and companies go to get a list of specific information security controls that they should implement?&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Official frameworks, such as NIST and SOC 2, can be hundreds of pages long. They may leave the reader 
overwhelmed, wondering how to even get started.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; I recommend my clients read the &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Center for Internet Security (CIS) Controls to learn about specific controls and also to understand the big picture in terms of information security. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CIS Controls V 7.1 is a free 78-page document that outlines 20 controls that&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&quot;collectively form a defense-in-depth set
of best practices that mitigate the most common attacks against systems and networks.&quot;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt; The Center for Information Security is a non-profit dedicated to making &quot;the connected world a safer place...&quot; The controls are developed by experienced information technology professionals from a variety of industry backgrounds.&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn-GhxedC_oh8fWMoLvIGMkG9TO3GHc1eIx_2mWdxRx96NLq7Ns4E-xoxC9VL6q1hyQevA0y1f2elXQuS_8-jWynyAJucz3nK8kwBzKvj-i8OHf8xGdXH34AjbRWAQ3rAf6GotFlf95wQa/s2048/IMG_4250.jpeg&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;300&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn-GhxedC_oh8fWMoLvIGMkG9TO3GHc1eIx_2mWdxRx96NLq7Ns4E-xoxC9VL6q1hyQevA0y1f2elXQuS_8-jWynyAJucz3nK8kwBzKvj-i8OHf8xGdXH34AjbRWAQ3rAf6GotFlf95wQa/w400-h300/IMG_4250.jpeg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-size: 
x-small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Bridge over the Allegheny River in Pittsburgh&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CIS Controls document includes images and charts that help explain information 
security at a high level for executive-level readers in terms they can understand. It also contains &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;specific steps so that the readers with technical skills and responsibilities have enough information to move forward.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;/span&gt;&lt;p style=&quot;text-align: right;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The clients I work with are often new to compliance frameworks or are smaller organizations. They don&#39;t always understand the need to implement some security controls to meet requirements. They may only have a handful of developers and a systems administrator whose experience may be limited to the most basic of security controls. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;They know they don&#39;t want their applications and servers to get hacked. 
But they don&#39;t know what to do beyond having proper firewall rules, patched systems, and strong passwords to protect their environment.&amp;nbsp;&amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Some clients undergo annual pen tests of their web applications. The rest of the time they are focused on continuously updating code and running their business. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;They don&#39;t know why it&#39;s necessary to have an up to date inventory of systems or why they need file integrity monitoring.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The flip side of that are larger companies that have big IT and information security departments with dedicated teams that work in silos. 
While the individual team members are very experienced and skilled in specific control areas, they may not be knowledgeable or even aware of control topics outside of their specialization. The CIS document brings it all together. &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CIS Controls document presents the 20 controls in order so that management, information technology, and information security staff can see a clear roadmap. The document organizes the controls into three areas &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;– Basic, Foundational, and Organizational. Inventory of assets and software falls under Basic. Boundary Defense and Data Protection fall under the Foundational controls category. Incident Response and Management is an Organizational control. 
Let&#39;s take a look at the entire list.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: medium;&quot;&gt;&lt;b&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Basic Controls &amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;span&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;span&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;span&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;span&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;span&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;span&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp;&lt;/span&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;1. Inventory and Control of Hardware Assets&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;2. Inventory and Control of Software Assets&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;3. Continuous Vulnerability Management&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;4. 
Controlled Use of Administrative Privileges&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;6. Maintenance, Monitoring and Analysis of Audit Logs&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: medium;&quot;&gt;&lt;b&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Foundational Controls&lt;br /&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;7. Email and Web Browser Protections&lt;br /&gt;&lt;br /&gt;8. Malware Defenses&lt;br /&gt;&lt;br /&gt;9. Limitation and Control of Network Ports, Protocols and Services&lt;br /&gt;&amp;nbsp; &amp;nbsp;&lt;br /&gt;10. Data Recovery Capabilities&lt;br /&gt;&lt;br /&gt;11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches&lt;br /&gt;&lt;br /&gt;12. Boundary Defense&lt;br /&gt;&lt;br /&gt;13. Data Protection&lt;br /&gt;&lt;br /&gt;14. Controlled Access Based on the Need to Know&lt;br /&gt;&lt;br /&gt;15. Wireless Access Control&lt;br /&gt;&lt;br /&gt;16. Account Monitoring and Control&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-size: medium;&quot;&gt;&lt;b&gt;Organizational Controls&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;17. Implement a Security Awareness and Training Program&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;18. 
Application Software Security&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;19. Incident Response and Management&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;20. Penetration Tests and Red Team Exercises&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Each control is listed with a short explanation of why it is critical. It also explains how hackers can take advantage when the control is not in place. Each control includes a chart with sub-controls. A Procedures and Tools section for each control provides additional recommendations as to which security tools would be useful, such as Intrusion Detection Systems/Intrusion Prevention Systems for Control 12 - Boundary Defense.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CIS Controls document states that while these are the 20 controls all organizations should implement, they are not a one-size-fits-all solution.&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt; You must understand them in the context of what is critical to your business and take into account how the controls may impact your operations.&lt;span&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;&lt;iframe 
allowfullscreen=&quot;&quot; class=&quot;BLOG_video_class&quot; height=&quot;266&quot; src=&quot;https://www.youtube.com/embed/CX4UE9zT69Y&quot; width=&quot;320&quot; youtube-src-id=&quot;CX4UE9zT69Y&quot;&gt;&lt;/iframe&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;The controls include Implementation Groups with sub-controls that apply to organizations based on their size. Implementation Group 1 is for small businesses. They would implement sub-controls based on the data they are protecting and their staffing resources.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;Implementation Group 2 is for medium-sized organizations that have dedicated IT departments and more resources. They would implement more sub-controls than small businesses.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;Implementation Group 3 is for larger companies that have large IT departments and expertise in information security, and that manage more sensitive data. They would implement all of the sub-controls for each major control. For example, for Control 4 - Controlled Use of Administrative Privileges, a small company would implement only 2 of the 9 sub-controls. A large company would implement all 9 sub-controls. 
&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;Whether you are an individual just getting started in information security or a seasoned professional, the CIS Controls document is a great resource. I frequently reference and share it. It distills principles and practices from cybersecurity books and frameworks into 20 succinct and easy-to-understand controls. You can obtain the CIS Controls at:&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;&lt;a href=&quot;https://www.cisecurity.org/controls/&quot; target=&quot;_blank&quot;&gt;https://www.cisecurity.org/controls/&amp;nbsp; &lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/321034281798602506/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2020/10/the-center-for-internet-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6569213714636569218/posts/default/321034281798602506'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/321034281798602506'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2020/10/the-center-for-internet-security.html' title='The Center for Internet Security Controls'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn-GhxedC_oh8fWMoLvIGMkG9TO3GHc1eIx_2mWdxRx96NLq7Ns4E-xoxC9VL6q1hyQevA0y1f2elXQuS_8-jWynyAJucz3nK8kwBzKvj-i8OHf8xGdXH34AjbRWAQ3rAf6GotFlf95wQa/s72-w400-h300-c/IMG_4250.jpeg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-8514124982739312273</id><published>2020-06-30T21:47:00.006-04:00</published><updated>2020-06-30T21:56:29.408-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Certifications"/><category scheme="http://www.blogger.com/atom/ns#" term="CISA"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><title type='text'>Passing the CISA Exam</title><content type='html'>&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Why Take the Certified Information Systems Auditor 
Exam?&lt;/b&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;More career opportunities and higher salary are the most compelling reason to obtain the ISACA CISA certification. As of this writing, a search on &lt;a href=&quot;https://www.indeed.com/jobs?q=cisa&amp;amp;l=United+States&quot; target=&quot;_blank&quot;&gt;Indeed.com&lt;/a&gt; for positions that include the word CISA returns 4,309 job postings in the United States.&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1v0GpyFhLZmd3W8axExbfDqeoobnxizevvcEvHyCSHLS3dpyH2moOWLsNG9dbMW5NoCdmuj3KlY1AUyR6UsKMo0-ISCewkNdkHYeC6hUoFWLMpTM9MrFgD2nqsQaWPSWqjqbd6i8jsePM/s205/Screen+Shot+2020-06-30+at+9.10.43+PM.png&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;200&quot; data-original-width=&quot;205&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1v0GpyFhLZmd3W8axExbfDqeoobnxizevvcEvHyCSHLS3dpyH2moOWLsNG9dbMW5NoCdmuj3KlY1AUyR6UsKMo0-ISCewkNdkHYeC6hUoFWLMpTM9MrFgD2nqsQaWPSWqjqbd6i8jsePM/&quot; /&gt;&lt;/a&gt;&lt;/div&gt;And the positions generally pay well. A search on &lt;a href=&quot;https://www.glassdoor.com/Salaries/us-information-security-auditor-salary-SRCH_IL.0,2_IN1_KO3,31.htm&quot; target=&quot;_blank&quot;&gt;Glassdoor&lt;/a&gt; reports that the average annual salary for an information security auditor is $99,834. 
Some will pay much less and some will pay much more.&amp;nbsp; &amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Having the CISA certification does not prove that you are an expert. It does, however, demonstrate that you have a certain level of knowledge required to work in the information security field. Many employers encourage it or require it for their auditors. It lends credibility to the 
holder of the certification. That&#39;s important, especially if your company bills out your services at a high rate.&amp;nbsp; &lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;How Difficult Is The CISA Exam? &lt;/b&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CISA exam can be very challenging, even for an experienced information security professional. With 5 or 10 years of experience, a few weeks or months of self-study may be all that is needed to pass. An experienced veteran would have picked up much of the required information from working in the field and being exposed to the concepts over time. For someone new to the field it may require 3 to 6 months of study that includes formal training via an in-person or online class. &lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;In addition to understanding the breadth of subject matter that the exam covers, another challenge is the wording ISACA uses in its questions and answers. Each question usually gives you two obviously wrong answers and two potentially correct answers. The trick is determining which of the two answers is &lt;i&gt;more&lt;/i&gt; correct. ISACA uses an approach that, at times, seems to defy logic and real-world practices. 
Once you understand the ISACA approach, however, you can usually identify the best answer with confidence. The best way to do that is via ISACA&#39;s &lt;span class=&quot;il&quot;&gt;CISA&lt;/span&gt; test engine - &lt;span style=&quot;font-weight: normal;&quot;&gt;Question, Answers &amp;amp; Explanations Database, which, I cover in the next section. &lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;span style=&quot;font-weight: normal;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;b&gt;Study Materials I Consulted&lt;/b&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The &lt;a data-saferedirecturl=&quot;https://www.google.com/url?q=https://www.amazon.com/Certified-Information-Systems-Auditor-Fourth/dp/1260458806/ref%3Ddp_ob_title_bk&amp;amp;source=gmail&amp;amp;ust=1593647077379000&amp;amp;usg=AFQjCNHsIVtA9j_zL_c7d9_R9qI6cm-6Ng&quot; href=&quot;https://www.amazon.com/Certified-Information-Systems-Auditor-Fourth/dp/1260458806/ref=sr_1_23?dchild=1&amp;amp;qid=1593565073&amp;amp;refinements=p_27%3APeter+Gregory&amp;amp;s=books&amp;amp;sr=1-23&amp;amp;text=Peter+Gregory&quot; target=&quot;_blank&quot; title=&quot;https://www.amazon.com/Certified-Information-Systems-Auditor-Fourth/dp/1260458806/ref=dp_ob_title_bk&quot;&gt;
All In One &lt;span class=&quot;il&quot;&gt;CISA&lt;/span&gt; by Peter H. Gregory&lt;/a&gt;&amp;nbsp; - the 
book is over 700 pages and covers all of the CISA topics. I read this over the course of many months as I had a busy work and travel schedule. It includes practice questions at the end of each chapter. It also has a good appendix that discusses how to conduct a professional audit, which is valuable in itself. &lt;br /&gt;&lt;/span&gt;&lt;/font&gt;
&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;
&lt;/li&gt;&lt;li&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Next stop for me was the &lt;a href=&quot; https://www.isaca.org/credentialing/cisa/prepare-for-the-cisa-exam&quot; target=&quot;_blank&quot;&gt;&lt;span class=&quot;il&quot;&gt;CISA&lt;/span&gt; test engine - &lt;/a&gt;&lt;span style=&quot;font-weight: normal;&quot;&gt;&lt;a href=&quot; https://www.isaca.org/credentialing/cisa/prepare-for-the-cisa-exam&quot; target=&quot;_blank&quot;&gt;Question, Answers &amp;amp; Explanations Database&lt;/a&gt; - 12 Month Subscription&lt;/span&gt; from ISACA. I highly 
recommend it. It&#39;s basically a practice CISA test engine. It helps you understand ISACA&#39;s approach in the way it 
asks questions. Sometimes I completely disagreed
 with their logic but realized I just had to understand theirs to pass 
the exam. It includes a&amp;nbsp; ReadyScore measurement, based on how well you answer the questions. Once you achieve a ReadyScore of 80% or higher, you&#39;re ready to take the actual CISA exam. I used the tool for about 30 minutes a day for about 6 weeks. I then took several full practice exams of a few hours each over the next two weeks.&amp;nbsp;
&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;
&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;
&lt;/li&gt;&lt;li&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The test engine revealed that I needed to fill in some gaps. I used the &lt;a data-saferedirecturl=&quot;https://www.google.com/url?q=https://www.amazon.com/CISA-Exam-Study-Guide-Hemang-Doshi/dp/1983328340/ref%3Dtmm_pap_swatch_0?_encoding%3DUTF8%26qid%3D1587861133%26sr%3D1-1&amp;amp;source=gmail&amp;amp;ust=1593647077379000&amp;amp;usg=AFQjCNHlhlb-AqTPDch1TCUUwgNL9ezHMw&quot; href=&quot;https://www.amazon.com/CISA-Exam-Study-Guide-Hemang-Doshi/dp/1983328340/ref=tmm_pap_swatch_0?_encoding=UTF8&amp;amp;qid=1587861133&amp;amp;sr=1-1&quot; target=&quot;_blank&quot; title=&quot;https://www.amazon.com/CISA-Exam-Study-Guide-Hemang-Doshi/dp/1983328340/ref=tmm_pap_swatch_0?_encoding=UTF8&amp;amp;qid=1587861133&amp;amp;sr=1-1&quot;&gt;
Hemang Doshi &lt;span class=&quot;il&quot;&gt;CISA&lt;/span&gt; Exam - Study Guide&lt;/a&gt; to help with that, as it was recommended by posts I read. It&#39;s basically a condensed 250-page study guide, with review questions, 
that focuses on critical exam topics.
&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;
&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;
&lt;/li&gt;&lt;li&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;I also took the &lt;span class=&quot;il&quot;&gt;CISA&lt;/span&gt; training on &lt;a href=&quot;https://www.linkedin.com/learning/paths/become-a-certified-information-systems-auditor-cisa&quot; target=&quot;_blank&quot;&gt;LinkedIn Learning&lt;/a&gt; as my previous employer gave us free access to it. It contains high level information that is valuable for people who may be new to the field. Experienced auditors and other information security professionals may find it a useful refresher or may skip it altogether. &lt;br /&gt;&lt;/span&gt;&lt;/font&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;
&lt;/div&gt;
&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;Experienced auditors with 10 or more years of experience may not need a book or a course. They may be able to pass the exam with the &lt;a href=&quot; https://www.isaca.org/credentialing/cisa/prepare-for-the-cisa-exam&quot; target=&quot;_blank&quot;&gt;&lt;span class=&quot;il&quot;&gt;CISA&lt;/span&gt; test engine - &lt;/a&gt;&lt;span style=&quot;font-weight: normal;&quot;&gt;&lt;a href=&quot; https://www.isaca.org/credentialing/cisa/prepare-for-the-cisa-exam&quot; target=&quot;_blank&quot;&gt;Question, Answers &amp;amp; Explanations Database&lt;/a&gt;&lt;/span&gt;.&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;The CISA is a highly recognized certification in the auditing field and very valuable to an information security professional&#39;s career growth and salary potential. An auditor can have a successful career without it, especially if he or she already possesses the CISSP or similar certification. But if you are in the running for a position where other candidates have the CISA, you will be more competitive with it.&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;For more information on the CISA certification, requirements, and exam, visit the &lt;a href=&quot;https://www.isaca.org/credentialing/cisa&quot; target=&quot;_blank&quot;&gt;ISACA CISA&lt;/a&gt; web page. 
&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;&lt;span style=&quot;font-family: arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/8514124982739312273/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2020/06/passing-cisa-exam.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/8514124982739312273'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/8514124982739312273'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2020/06/passing-cisa-exam.html' title='Passing the CISA Exam'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1v0GpyFhLZmd3W8axExbfDqeoobnxizevvcEvHyCSHLS3dpyH2moOWLsNG9dbMW5NoCdmuj3KlY1AUyR6UsKMo0-ISCewkNdkHYeC6hUoFWLMpTM9MrFgD2nqsQaWPSWqjqbd6i8jsePM/s72-c" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-5232352337475185623</id><published>2020-05-04T17:18:00.003-04:00</published><updated>2020-05-06T12:46:36.724-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Career"/><category scheme="http://www.blogger.com/atom/ns#" term="Certifications"/><category 
scheme="http://www.blogger.com/atom/ns#" term="CISSP"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Technology"/><category scheme="http://www.blogger.com/atom/ns#" term="InfoSec"/><category scheme="http://www.blogger.com/atom/ns#" term="IT"/><category scheme="http://www.blogger.com/atom/ns#" term="Salary"/><title type='text'>The Million Dollar Information Security Certification - The CISSP</title><content type='html'>&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;My colleague and I were discussing how the annual  fees to maintain the &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span class=&quot;ILfuVd&quot;&gt;&lt;span class=&quot;e24Kjd&quot;&gt;Certified Information Systems Security Professional&lt;/span&gt;&lt;/span&gt; (CISSP) credential jumped from $85 to $125 per year. We ended up  talking about how much the CISSP has impacted our salaries by  comparison, which pleasantly surprised us. We soon felt very grateful instead of resentful. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI0h-oJ5Ym3Np1GYCivGEyinc-Hj6owZNNAOevfJGEtGy-6VB6mMvnSLoadQzId9TPwLNgeM81JzqLUcIm_oR-RW6wDHpqFSCjHtRw8zuHxLOS07jsHELpBL3o4J3yyzKuM6erA_F9ONrE/s1600/isc2_cissp2.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;340&quot; data-original-width=&quot;340&quot; height=&quot;200&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI0h-oJ5Ym3Np1GYCivGEyinc-Hj6owZNNAOevfJGEtGy-6VB6mMvnSLoadQzId9TPwLNgeM81JzqLUcIm_oR-RW6wDHpqFSCjHtRw8zuHxLOS07jsHELpBL3o4J3yyzKuM6erA_F9ONrE/s200/isc2_cissp2.png&quot; width=&quot;200&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;  &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Since I earned the CISSP five years ago my salary has increased  by about 85%. My experience, skills, and work performance played a  bigger role in that salary increase, of course. Employers rarely&amp;nbsp; give raises or &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;hire applicants&lt;/span&gt;&lt;/span&gt; because of a certification or a degree. At the same time, I wouldn&#39;t have had the  advancement opportunities and salary increases without having earned the CISSP.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;  &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;  &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;My colleague earned the CISSP 10 years ago and he estimates that he  has earned about $400,000 more over those 10 years than if he had not  earned it. He went from a low level IT position to a director level position four years after earning the certification. By the time he retires, he expects the CISSP will have helped  increase his earnings by about one million US dollars or more.&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;I posted about this topic on a CISSP discussion page. Others wrote about how their lives have changed dramatically and positively by the increase in salary they have attained. One person wrote how he was making $15 an hour a few years before in a low-level IT position. He is now earning close to $110,000 per year, which he credits to attaining the CISSP and the doors it opened for him. He thanks God every pay day, still amazed at how his fortunes have changed.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Another person wrote that immediately after earning the CISSP, a company offered him a position paying $50,000 more per year than he was earning. That&#39;s life-changing money in one year, not to mention over the course of a career. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;There&#39;s no guarantee you will earn more money with the CISSP. But if you want to advance in the information technology or information security fields, it&#39;s better to have it than not have it. It helps you stand out. In many cases, the certification is a requirement. If someone discourages you from pursuing it, don&#39;t let them dissuade you. More than likely, the person feels threatened by a peer trying to advance. This is a normal reaction for a lot of people, particularly those with a fixed mindset. They&#39;ll tell you that certifications are a waste of time and only prove you can memorize information and pass exams. They&#39;re entitled to their opinion. I don&#39;t agree with them. I do know, however, that having the CISSP resulted in a higher salary for me and for colleagues who have it. That makes it very valuable. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;  &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;If you are in the information security field, I highly encourage you to pursue the CISSP. It&#39;s the industry standard, required for many U.S. Department of Defense Information Security contracting positions and companies that work with them. For those starting out in the field, the Security+ is a good certification with which to start. Once you have a few years of experience, then pursue the CISSP. The rewards can be personal satisfaction at having achieved it, advancement in your career, and financial security.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Learn more about the CISSP at the &lt;a href=&quot;https://www.isc2.org/Certifications/CISSP&quot; target=&quot;_blank&quot;&gt;(ISC)2 website&lt;/a&gt;. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/span&gt; &lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span class=&quot;ILfuVd&quot;&gt;&lt;span class=&quot;e24Kjd&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/5232352337475185623/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2020/05/the-million-dollar-information-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/5232352337475185623'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/5232352337475185623'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2020/05/the-million-dollar-information-security.html' title='The Million Dollar Information Security Certification - The CISSP'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI0h-oJ5Ym3Np1GYCivGEyinc-Hj6owZNNAOevfJGEtGy-6VB6mMvnSLoadQzId9TPwLNgeM81JzqLUcIm_oR-RW6wDHpqFSCjHtRw8zuHxLOS07jsHELpBL3o4J3yyzKuM6erA_F9ONrE/s72-c/isc2_cissp2.png" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-4808885062388509919</id><published>2020-04-09T07:38:00.000-04:00</published><updated>2020-04-09T08:38:38.861-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Coronavirus"/><category scheme="http://www.blogger.com/atom/ns#" term="Emergency Fund"/><title type='text'>Coronavirus and An Emergency Fund</title><content type='html'>&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;If there was ever a good reason and time to have an emergency fund, this is it. The Coronavirus has put millions out of work or at reduced pay. This could go on for many months and have a much longer impact on the economy. &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Congress
 and the President have agreed on economic stimulus packages that include direct payments and increased unemployment benefits. It could take weeks, however, before the government can logistically distribute the funds. State unemployment web sites are crashing from the volume of people applying for benefits.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: left; margin-right: 1em; text-align: left;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghE0zJ6QReVkzEUJFlJHCQPVSxa4MBSSW8LhvabJwFD9v7M6BflQItPi6Gy0cX5rkbfZZATG6V0rEoCjfM_j4s-BJsSNk9OGBJbhc-erZmZGdDBWYZT5ULkgPfFzaIdxRpM7RHNbDlbbMr/s1600/IMG_8536.jpeg&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;400&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghE0zJ6QReVkzEUJFlJHCQPVSxa4MBSSW8LhvabJwFD9v7M6BflQItPi6Gy0cX5rkbfZZATG6V0rEoCjfM_j4s-BJsSNk9OGBJbhc-erZmZGdDBWYZT5ULkgPfFzaIdxRpM7RHNbDlbbMr/s400/IMG_8536.jpeg&quot; width=&quot;300&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Pattee Library at Penn State in Spring&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The unemployment rate was so low a month ago that most people who were looking for a job could easily find one in their field. Companies are laying off hundreds of thousands of workers per week. Finding a job is much more challenging, if not impossible for those who lost their positions. There may not be new jobs or jobs to return to for a long time. &lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The best way to manage a lost job or reduced income is with an emergency fund.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;What&#39;s an Emergency Fund?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;It&#39;s enough money you saved up and set aside to cover your regular expenses for 3 to 6 months or longer. The fund is dedicated to emergency use. It&#39;s not to be used for a vacation or when you get car fever. The emergency fund is money readily available in a bank account or money market account. It&#39;s not money invested in retirement accounts or tied up in investments in a brokerage account. Why not? Because when you need the money in an emergency, it&#39;s likely to occur after the market plunged, like it recently has.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Those investments you were counting on in your brokerage account may be worth 30% or 50% less than they were a month before. You&#39;ll be forced to sell the investments at a lower price to raise cash. There may also be tax consequences for selling investments or borrowing from a retirement account.&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;
&lt;b&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;How Much of an Emergency Fund Do I Need?&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;In normal times, that depends on what you do for a living and how easy it would be for you to find another job. If you have a stable job working for government or in a field with very low unemployment, 3 to 6 months may be plenty. If you are in construction or a freelancer, you may need to build up 6 months to ride out the lean times. If you are in a niche field where it&#39;s difficult to find a position or have health issues, you might need up to 12 months of expenses saved up. During normal times, if there is such a thing, you may be able to pick up part-time work so that you at least have some money coming in until you find a long term position in your chosen field. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Now that we are in the midst of a pandemic, an emergency fund of 12 months may be needed for most people out of work as jobs are scarce. Sure, the government is working to get money flowing to those out of work, but how long will it take? Just a month into the pandemic in the United States, it&#39;s been reported that one-third of renters missed their April rent payment.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;After the government does get the money flowing, how long can they keep that up before the tap runs dry? When the economy does fire up again, many businesses and jobs may not return. It&#39;s best to be prepared for the long haul with an emergency fund.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Benefits of an Emergency Fund&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;When you have a fully funded Emergency Fund, things that used to be emergencies become manageable events. Unexpected home or car repairs are nothing to worry about when you have plenty of money to cover them. A job loss can be terrifying if you don&#39;t have enough saved to pay next month&#39;s rent or mortgage and grocery expenses. When you have it covered for 6 or 12 months, you can sleep at night. You can focus your attention on finding a new job. Your job search is not distracted by worrying about keeping a roof over your head and feeding your family.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;When
 you begin to interview for positions again, you won&#39;t be desperate. You&#39;ll have confidence and flexibility. 
Desperate people often give off a whiff of desperation to 
potential employers in interviews. It undermines their ability to obtain a position. If you are offered the position, the employer may offer 
you a lower salary if they sense your desperation.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;When you have an emergency fund, you won&#39;t have to borrow against your home, which may be impossible when you are out of work. You are also not forced to sell your home because you can&#39;t afford the mortgage payments anymore. Sure, you could sell your home. Consider, however, that when many other people are out of work, home values can drop. You don&#39;t want to be in the position of having to sell your previously valuable home at a much lower price. This is particularly troubling if the value of the home falls below the amount you still owe on the mortgage. This happened to millions of people after the real estate bubble burst in 2008. Many people who were unemployed would have been able to find jobs elsewhere if only they could sell their homes and move. But they were so underwater on their homes, they couldn&#39;t afford to leave their home for a job in another part of the country. &amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;Can&#39;t Save an Emergency Fund&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href=&quot;https://www.federalreserve.gov/newsevents/pressreleases/other20180522a.htm?mod=article_inline&quot; target=&quot;_blank&quot;&gt;Federal Reserve&lt;/a&gt; reported that 40% of American adults don&#39;t have enough money to cover a $400 unexpected expense. How are they going to save up enough for six months&#39; worth of expenses?&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Let&#39;s start with the people who make a good living but simply live beyond their means. I know plenty of people who make good salaries and have been broke for years. You probably know people like this, too. They usually drive expensive cars and bought more house than they could easily afford. Maybe they take extravagant vacations or they have a lot of student loan debt, too. People have to make sensible choices. Those folks need to get on a budget and see where their money is going. Get rid of the expensive car and downsize to a smaller house. Those two actions can free up a grand or two a month. If you can start banking a grand a month, that adds up very quickly.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Then there are the people who contribute so much to their retirement accounts that they don&#39;t have cash on hand. While it&#39;s great to contribute the maximum to your retirement account, taking money from a retirement account for emergency expenses later is costly. There is a 10% penalty on such withdrawals (though waived during the pandemic) and you have to pay taxes on that money or pay it back. If you take out a lot at one time, it can potentially put you into a higher tax bracket. Find a balance between contributing to your retirement accounts and having cash on hand for emergencies. Once you get that emergency fund fully funded, max out the retirement contributions again.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Many people don&#39;t make much money to begin with and struggle to support themselves.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt; For those who do not earn much money, that&#39;s a huge challenge. There are a lot of socioeconomic issues at play, for which our society has yet to find a solution. Budgeting may help some, but not if you have already cut out non-essentials. Focus on earning more money. That could be from a &lt;a href=&quot;https://sidehustleschool.com/&quot; target=&quot;_blank&quot;&gt;side hustle&lt;/a&gt; or a new &lt;a href=&quot;https://www.udemy.com/&quot; target=&quot;_blank&quot;&gt;skill&lt;/a&gt;. Others have addressed it in detail. I highly recommend the &lt;a href=&quot;https://www.choosefi.com/episodes/&quot; target=&quot;_blank&quot;&gt;ChooseFI podcast&lt;/a&gt; for many discussions on this topic. &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The goal is to have an emergency fund big enough so that if you are out of a job or have a large unexpected expense, you can ride out a difficult time without borrowing, raiding your retirement accounts, being forced to sell your home or take other actions that will negatively impact your finances.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;If you are still employed and don&#39;t have an emergency fund, get started today. Conserve cash and cut out unnecessary expenses. That&#39;s easier now as there aren&#39;t many places to spend money these days. There&#39;s no telling how long those of us who are currently employed will remain so in this turbulent economy. Being prepared with an emergency fund is the best way to manage a downturn.&amp;nbsp; &amp;nbsp; &lt;/span&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/4808885062388509919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2020/04/coronavirus-and-emergency-fund.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/4808885062388509919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/4808885062388509919'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2020/04/coronavirus-and-emergency-fund.html' title='Coronavirus and An Emergency Fund'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghE0zJ6QReVkzEUJFlJHCQPVSxa4MBSSW8LhvabJwFD9v7M6BflQItPi6Gy0cX5rkbfZZATG6V0rEoCjfM_j4s-BJsSNk9OGBJbhc-erZmZGdDBWYZT5ULkgPfFzaIdxRpM7RHNbDlbbMr/s72-c/IMG_8536.jpeg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-391238925992490683</id><published>2020-03-15T13:25:00.000-04:00</published><updated>2020-04-04T17:52:04.613-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Asset Allocation"/><category scheme="http://www.blogger.com/atom/ns#" term="Coronavirus"/><category scheme="http://www.blogger.com/atom/ns#" term="Emergency Fund"/><category scheme="http://www.blogger.com/atom/ns#" term="Financial Goals"/><category scheme="http://www.blogger.com/atom/ns#" term="Investor Policy Statement"/><title type='text'>An Investor Policy Statement Helps Ride Out Coronavirus Stock Market Turmoil</title><content type='html'>&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The S&amp;amp;P 500 Index has dropped 30% or more, as of this writing, since its recent high in February. But I haven&#39;t checked my portfolio since early January. Why? I have an Investor Policy Statement that guides me through turbulent market fluctuations like this and I have more important things to focus on right now.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: left; margin-right: 1em; text-align: left;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijIyMIe3FENTzSH7efVqI0mYFQPIZnE8nP2SD_mbXiGtMl9KlRYMq3FgPTyoHwcrTiF6nScb1w4NU6-1B71OYZZ_bB-UkfewYvwl2WO8jy4caFk6ksnhkSbU19wlTXIRFdLB85zQD50N16/s1600/IMG_9821.JPG&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1200&quot; data-original-width=&quot;1600&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijIyMIe3FENTzSH7efVqI0mYFQPIZnE8nP2SD_mbXiGtMl9KlRYMq3FgPTyoHwcrTiF6nScb1w4NU6-1B71OYZZ_bB-UkfewYvwl2WO8jy4caFk6ksnhkSbU19wlTXIRFdLB85zQD50N16/s320/IMG_9821.JPG&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-size: xx-small;&quot;&gt;&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Flowers at Salesforce Park in San Francisco, March 2020. &lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;br /&gt;&lt;/td&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;I&#39;ve been in self-quarantine for a week since returning from a trip to San Francisco where I may have been exposed to the Coronavirus. My wife has a compromised immune system. As a precaution, she is staying nearby at our friends&#39; Airbnb house that was fortunately not in use. We&#39;re focused on staying connected while she is living elsewhere during an unsettling time, avoiding contact with others so she can return home, and obtaining necessary supplies.&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The Coronavirus has disrupted life as we know it and sent financial markets into chaos. Unlike the burst financial bubble of 2008, day-to-day life has been completely upended. People are worried they or family members may catch the virus, get sick, and possibly die. Non-essential businesses are closed and people are at home, waiting for this to end. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;I&#39;ve read many posts in the financial groups to which I belong on Facebook by people complaining about how much their portfolios are down and how they are selling stock funds and buying bonds. Or they purchased stocks or funds on the dip only for the market to go lower, causing them to sell at a loss. Or they are asking what they should do. Some are too young to have experienced a bear market before and think they will never recover what they lost.&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt; How does one know what to do in times like this?&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;I know because&lt;/span&gt;&lt;/span&gt; I wrote an Investor Policy Statement back in the summer. Panics or stressful situations of any kind can impair the mind&#39;s ability to make good decisions. The time to make important investing decisions or decisions of any kind, for that matter, is when you are calm, relaxed, and can think clearly, not in the middle of a crisis, with the walls closing in around you. That&#39;s why it&#39;s important to make an Investment Policy Statement. Never heard of one before? Neither had I until I read this &lt;a href=&quot;https://www.whitecoatinvestor.com/how-to-write-an-investing-personal-statement/&quot; target=&quot;_blank&quot;&gt;post by the Whitecoat Investor&lt;/a&gt;. It&#39;s basically a roadmap you write for yourself to follow for your finances rather than making decisions based on the news of the day.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Thanks to the post, I learned why a policy is essential to have and decided to document my investment decisions. I documented why I decided to invest in the funds that I did so that I would not second-guess myself when the market drops 30% or 50% or more as it did in 2008. An IPS is also for non-crisis times. It&#39;s easy to forget why you decided to invest in something five or ten years ago...or longer. That&#39;s particularly true when there is a panic and most people are running for the exits.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;So what is an Investment Policy Statement? An IPS is a document in which you write down what your goals are and how you are going to reach them. They can be both financial and non-financial goals. It helps to write down why you have particular financial goals as circumstances may change over time. You can change your goals to match. An IPS can be as short and broad or as long and detailed as you like. The Whitecoat Investor has 7 sections in his policy. My IPS has five sections. It depends on your own financial situation. My plan includes:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;ol&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Goals&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Emergency Fund &lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Investing &lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Asset Allocation&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Retirement Drawdown Strategy &lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Entire books have been written about each one of these topics. This is an overview.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Goals&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;In the Goals section, I document:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;How much I want to accumulate for retirement.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The percentage of my income I will save each year to reach that goal.&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The age at which I want to retire or begin reducing the number of hours I want to work.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The expected income I will have at retirement from investments, Social Security, pension, etc.&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The kind of life I want to live and how my investments will help me to do that.&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;Emergency Fund&amp;nbsp; &lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The Emergency Fund Section is where I document:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;How many months of expenses I want to have in a bank or money market account in case of job loss or reduced income.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;That the money is not to be invested in anything else, such as an index fund. Many people prefer to invest their emergency fund. I do not. I don&#39;t want my emergency fund to drop by 30% or more during a financial meltdown, especially when I need to live off of it.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;This section also states that I can&#39;t use the emergency fund to go on vacation or pay for regular home maintenance costs.&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;Investing &lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The Investing section discusses the overall investment strategy. Again, this is important to document so you aren&#39;t wondering in the middle of a panic why you made an investment decision years ago. You can review it to remind yourself. Mine discusses:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;What percentage of my income I will save and invest each year.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;It states that I will prioritize funding tax-sheltered accounts, such as 401K, 403B, 457B, IRA, Roth IRA, etc. over taxable brokerage accounts.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;I state that I select low cost index funds or equivalent exchange traded funds (ETFs) to reduce expenses, which are a drag on returns.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;It can also specify the investment return goal and the amount of risk you are willing to take. This helps you decide which funds you choose based on the return you expect and how much risk you can accept. If you invest in real estate or other assets, you can discuss that. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Asset Allocation&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;This is where you get into the details of your selected investments and why. If you invest in real estate, you would include it and how much of your assets are dedicated to it. For Bogleheads like me, you might have a Three Fund Portfolio that looks like this:&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;70% Vanguard Total Stock Market Index&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;15% Vanguard Total International Stock Market Index&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;15% Vanguard Total Bond Market Index &lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;You may have many more investments. In this section you also explain to yourself why you are choosing this allocation. For example, I note that because of a partial pension, I have decided to choose a higher stock fund allocation than I would if I did not have a pension. A younger person may choose to be 100% invested in the Total Stock Market Index. An older person would likely have a much higher bond allocation as they are closer to or in retirement.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;This section is where you can also note how you will re-balance your portfolio. Mine will be done with new 401K contributions instead of selling and buying existing shares. I do have a provision that if the market drops by 20% or more, I may choose to sell bonds and buy more of the stock funds. At this point I have not done that. My 401K contributions are still hard at work for me, buying at lower prices. I&#39;m satisfied with that for now.&amp;nbsp;&amp;nbsp; &lt;br /&gt;&lt;b&gt;&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;Drawdown Strategy &lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The Drawdown Strategy is where you write down the order in which you will draw from your accounts. Many people focus so much on accumulating that they aren&#39;t sure what to do once they have reached their goals. Had they thought about a drawdown strategy earlier, they may have planned and invested differently, retired earlier or worked even longer. You want to get this right so your money outlasts you.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;Financial planners advise that you withdraw funds from accounts in a specific order such as drawing from taxable accounts first, Roth accounts next, then IRAs, 401Ks, and similar accounts. This way you don&#39;t incur too high a tax burden early or reduce the size of your portfolio unnecessarily.&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;For example, you don&#39;t want to withdraw all of your money from an IRA or 401K plan the day you retire because you will pay a tremendous amount in taxes. It&#39;s best to withdraw it over time so the portfolio continues to grow and you minimize your tax burden.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;This section is where you also address when you will begin to receive Social Security benefits. If you begin doing so early, you will reduce your monthly Social Security benefit. If you wait until 65 or 67 or whatever the age is when you are eligible to receive full benefits, you will maximize your monthly payment.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;There are other factors to consider as well. If you are in good health and come from a family of long-lived individuals, you may consider delaying Social Security benefits to maximize your benefit. If you are in poor health, it may make sense to begin receiving benefits sooner, rather than later. A bigger payment later isn&#39;t useful if you aren&#39;t alive to receive it. Writing it all down helps you see the big picture and make a plan so you aren&#39;t trying to keep it all in your head years later or when the market drops by 50%.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The final section of the Whitecoat Investor&#39;s IPS is that all changes must wait three months before they are implemented. I think that&#39;s great advice. It prevents us from making decisions based on knee-jerk reactions to the news of the day rather than thinking of the long term. I did not include that in my written IPS, as it&#39;s been an unwritten rule for me, but will add it.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;I&#39;m optimistic that scientists will find treatments or a vaccine for the Coronavirus. Hopefully the economy recovers and people who have lost jobs or incomes will return to work quickly.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;In the meantime, I&#39;m not panicking about my portfolio. I have an Investment Policy Statement that made sense 6 months ago and makes sense now. I wrote it for the long-term and will adjust when necessary. It allows me to focus on my work and staying healthy, rather than being distracted by every dip or jump of the market.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;I highly encourage you to write yourself an Investor Policy Statement for peace of mind when things settle down. Make choices that will help you prepare for and ride out future downturns.&amp;nbsp; &lt;/span&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/391238925992490683/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2020/03/investor-policy-statement.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/391238925992490683'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/391238925992490683'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2020/03/investor-policy-statement.html' title='An Investor Policy Statement Helps Ride Out Coronavirus Stock Market Turmoil'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijIyMIe3FENTzSH7efVqI0mYFQPIZnE8nP2SD_mbXiGtMl9KlRYMq3FgPTyoHwcrTiF6nScb1w4NU6-1B71OYZZ_bB-UkfewYvwl2WO8jy4caFk6ksnhkSbU19wlTXIRFdLB85zQD50N16/s72-c/IMG_9821.JPG" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-3256199139467451956</id><published>2018-10-28T20:40:00.001-04:00</published><updated>2018-11-01T19:48:50.811-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Encryption"/><category scheme="http://www.blogger.com/atom/ns#" term="Financial Fraud"/><category scheme="http://www.blogger.com/atom/ns#" term="Insider Threat"/><category scheme="http://www.blogger.com/atom/ns#" term="Separate Accounts"/><title type='text'>The Insider Threat To Your Finances</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAE1-MxD_fXXM2x2LQupZ5cmaw0m0du18QWRuK3JRWLMk49kd0J8Hc9aRo139wfLj0xhuy6Eghu8CXsLLi1bSS4FchunkT0sqeXa2ImYKHWeen9gYLJvH1lGF4UnVJ3pG6CO9Bs-gW4QEy/s1600/thought-catalog-back-of-dollar.jpeg&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;266&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAE1-MxD_fXXM2x2LQupZ5cmaw0m0du18QWRuK3JRWLMk49kd0J8Hc9aRo139wfLj0xhuy6Eghu8CXsLLi1bSS4FchunkT0sqeXa2ImYKHWeen9gYLJvH1lGF4UnVJ3pG6CO9Bs-gW4QEy/s400/thought-catalog-back-of-dollar.jpeg&quot; width=&quot;400&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;In the Information Security field, it’s essential to be aware of insider threats. It’s just as important to know about the insider threats to your finances. In an organization, an insider threat is an employee or contractor who has legitimate access to network resources and can cause damage to the network either intentionally or unintentionally. Unintentional insider threats can come from IT staff who misconfigure a firewall or the operating system of a computer. The intentional insider threat is someone who may have a grudge against the company and wants to damage it. The person may want to gain financially by embezzling funds or colluding with external individuals who may profit from gaining access to sensitive information. In either case, the consequences can be financially costly and damage the organization’s reputation. &lt;br /&gt;&lt;br /&gt;The same goes for your personal finances. Many people are defrauded by people they know — their teenage children, house guests, adult children with substance abuse issues or financial problems. The insider threat can be a spouse with substance abuse or mental health issues. It might be a spouse who plans to clean out your joint financial accounts before a divorce.  &lt;br /&gt;&lt;br /&gt;There are many unfortunate stories of parents being robbed by their adult children, such as this &lt;a href=&quot;https://www.newsday.com/long-island/crime/son-steals-4-5-million-mom-1.19033560&quot;&gt;story&lt;/a&gt; of a mother whose son stole $4.5 million from her. The son used a mobile payment app to transfer the money out of her account and into his. &lt;br /&gt;&lt;br /&gt;There are also cases of teenagers stealing from their parents. 
Here is the story of a 13-year-old boy who charged &lt;a href=&quot;https://www.mirror.co.uk/news/uk-news/boy-aged-13-lost-80000-12639770&quot;&gt;£80,000 to his father’s credit card&lt;/a&gt; to fuel a gambling addiction. &lt;br /&gt;&lt;br /&gt;Even young children can cause some financial damage to their parents. Read the story about a 6-year-old girl who used her mother’s phone to order &lt;a href=&quot;https://abcnews.go.com/GMA/Family/girl-sneaks-350-toy-order-amazon-mom-donate/story?id=57190067&quot;&gt;$400 worth of toys from Amazon&lt;/a&gt;. It turns out to be a cute story, but highlights how quickly and easily parents can be on the hook for big expenses their children incur, thanks to how easy technology has made online shopping. &lt;/span&gt;&lt;br /&gt;
&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;  &lt;br /&gt;&lt;br /&gt;Most heartbreaking of all is when elderly parents are defrauded of their entire life savings by their adult children. This is a very complex issue and requires long-term planning and legal counsel. The use of what’s known as the &lt;a href=&quot;https://en.wikipedia.org/wiki/Two-man_rule&quot;&gt;two-person rule&lt;/a&gt; can protect the elderly parent. The two-person rule requires that financial transactions by the adult child be signed off on by a second person, such as a lawyer. &lt;br /&gt;&lt;br /&gt;Spouses may be the biggest potential insider threat to your finances. This can be a difficult idea to contemplate or discuss as individuals are expected to completely trust their spouses in order to have a successful marriage. But the stories of people being cleaned out of their finances by a spouse are too many to count. In one example, a woman wrote to MarketWatch’s Moneyist (formerly the Moneyologist) about her &lt;a href=&quot;https://www.marketwatch.com/story/this-woman-made-a-life-changing-decision-after-her-husband-gave-600000-to-a-cult-2017-07-10&quot;&gt;husband of 24 years sending over $600,000 to a temple&lt;/a&gt; in another country. In a very unusual scheme, an &lt;a href=&quot;https://punchng.com/wife-hires-brother-to-impersonate-husband-empties-retirement-savings-account/&quot;&gt;Indiana woman&lt;/a&gt; cleaned out her husband’s retirement and savings accounts with the help of the husband’s brother who impersonated him. &lt;br /&gt;&lt;br /&gt;There are more extreme cases where people suffer from physical, mental, and financial abuse, such as this UK woman whose &lt;a href=&quot;https://www.dailymail.co.uk/home/you/article-4136046/Financial-abuse-just-destructive-physical-abuse.html&quot;&gt;husband used money to control every aspect of her life&lt;/a&gt;. 
A Florida woman went from living in a mansion and running a multi-million dollar business to &lt;a href=&quot;https://www.naplesnews.com/story/news/crime/2018/08/11/abusers-can-use-finances-make-victims-stay-swfl/755929002/&quot;&gt;living in a shelter and making $8.25 an hour&lt;/a&gt; as a result of her husband’s physical, mental, and financial abuse. He left her emotionally traumatized and with $4 million of debt.&lt;br /&gt;&lt;br /&gt;Parents, too, can be the insider threat — to their children’s finances. Like the B.B. King song goes — “Nobody loves me but my mother. She could be jivin’ too.” &lt;a href=&quot;https://www.marketwatch.com/story/my-mother-was-a-psychopath-who-stole-my-identity-and-racked-up-500000-in-debt-2016-10-04&quot;&gt;This woman’s identity was stolen by her mother when she was 11 years old&lt;/a&gt;. The mother racked up $500,000 worth of credit card debt in her daughter’s name over many years. The daughter grew up and became an expert in child identity theft. It was only at the age of thirty-four, after her mother’s death, that she learned that the woman who raised her was the culprit in her own identity-theft case.    &lt;br /&gt;&lt;br /&gt;There is no end to the number of ways one can be financially defrauded by people they know. But there are steps you can take to protect yourself from insider threats and reduce your exposure. &lt;/span&gt;&lt;br /&gt;
&lt;ul&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;
&lt;li&gt;Shut down or log out of your computer when not using it, particularly when you know guests are visiting. Don’t let them have access to sensitive data such as tax records or your online financial websites. A guest could easily plug in a USB thumb drive and copy all of your personal files to it in minutes.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;Encrypt your computer hard drive. If someone pulls the drive from your system, the person can easily access all of your data if it&#39;s not encrypted.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;Don’t give your children of any age access to your credit cards or online financial accounts. Most teenage and adult children are trustworthy, but people’s lives can go off the rails in a flash due to substance abuse or gambling addictions.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;For guests or young children, create a separate account on your computer so they can browse the web. If you have an old iPad or tablet, let them use that instead of your primary device. Clear any saved passwords for your financial accounts and any sensitive data from it.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;Store your important papers such as tax records, financial statements, etc., in a secure place in your home — a safe or file cabinet, not a desk in the guest bedroom.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;When it comes to couples, consider using a joint checking account for shared expenses — the mortgage, car payment, insurance, groceries, and other regular expenses. Each person in the marriage should also have a separate account that the spouse does not have access to. It should contain enough to get you through at least a month of expenses, preferably more. The funds not only provide some financial security but also serve as a fund to escape physically or emotionally abusive relationships. Persons in such situations should consult the &lt;a href=&quot;https://www.thehotline.org/is-this-abuse/abuse-defined/&quot;&gt;National Domestic Abuse Hotline&lt;/a&gt;.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;Review your bank, credit card, retirement, and other financial statements regularly. Be transparent about this and do it together with your spouse. Each person will know everything that the other is doing and can help keep everyone on the same page financially. It can help build trust and alleviate suspicion. As the saying goes, trust but verify.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;Review your credit reports each year or more often to determine if any unauthorized accounts have been opened in your name or your spouse’s.&lt;/li&gt;
&lt;li&gt;Put a freeze on your credit so others do not open accounts in your name.&lt;a href=&quot;https://www.cnbc.com/2018/09/20/free-credit-freezes-now-in-effect.html&quot;&gt; It’s now free to do so&lt;/a&gt;.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;Stay on top of your financial matters.&lt;/li&gt;
&lt;/span&gt;&lt;/ul&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;
&lt;/span&gt;
&lt;div&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;
&lt;div&gt;
Photo Credit: &lt;a href=&quot;https://unsplash.com/photos/gbQ3EsFSdG8&quot; target=&quot;_blank&quot;&gt;Illuminati&lt;/a&gt; by Thought Catalog&lt;/div&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;div&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/3256199139467451956/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2018/10/the-insider-threat-to-your-finances.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3256199139467451956'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/3256199139467451956'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2018/10/the-insider-threat-to-your-finances.html' title='The Insider Threat To Your Finances'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAE1-MxD_fXXM2x2LQupZ5cmaw0m0du18QWRuK3JRWLMk49kd0J8Hc9aRo139wfLj0xhuy6Eghu8CXsLLi1bSS4FchunkT0sqeXa2ImYKHWeen9gYLJvH1lGF4UnVJ3pG6CO9Bs-gW4QEy/s72-c/thought-catalog-back-of-dollar.jpeg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6569213714636569218.post-4471103883778632431</id><published>2018-10-10T21:34:00.001-04:00</published><updated>2018-11-01T19:49:47.129-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Criminals"/><category scheme="http://www.blogger.com/atom/ns#" term="Facebook"/><category scheme="http://www.blogger.com/atom/ns#" term="Finances"/><category scheme="http://www.blogger.com/atom/ns#" 
term="Google"/><category scheme="http://www.blogger.com/atom/ns#" term="Hackers"/><category scheme="http://www.blogger.com/atom/ns#" term="Passwords"/><title type='text'>Protecting Your Online Financial Accounts</title><content type='html'>&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;There’s almost no limit to the number of ways cyber criminals can steal our sensitive information and hack our systems. It seems that each week brings more news about large companies announcing that customer data was accessed by hackers. In the past month, both Google and Facebook acknowledged that customer data was compromised. In Facebook’s case it was data of over &lt;a href=&quot;https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html&quot; target=&quot;_blank&quot;&gt;50 million people&lt;/a&gt;. Google reported &lt;a href=&quot;https://www.washingtonpost.com/technology/2018/10/08/google-overhauls-privacy-rules-after-discovering-exposure-user-data/?utm_term=.1a42924f671c&quot; target=&quot;_blank&quot;&gt;500,000 customers&lt;/a&gt; were affected. Here are effective and simple things you can do that will go a long way toward protecting your online financial accounts:&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;b&gt;Browser&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Use a different web browser for your financial accounts than you do for Google, GMail, Facebook, Amazon, and other web sites.&amp;nbsp;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;If you use Chrome, for example, for your regular web browsing, use Firefox or Safari for your online financial accounts. It limits the damage a vulnerability in your everyday browser can do to your financial sessions, since those sessions live in a separate browser.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Clear your history or cache before and after using the browser to access your accounts.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;b&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Accounts and Password&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Use a different password for each of your financial accounts.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Use different passwords for your email and Facebook accounts. Facebook is a big target for hackers. If they obtain your Facebook password, the next step is your email account. From there, they target your bank accounts. By using different passwords, you’re adding an extra layer of protection to your important financial accounts.&amp;nbsp;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Definitely don’t use your Facebook password for your online financial accounts. &lt;a name=&#39;more&#39;&gt;&lt;/a&gt;Facebook is a huge target. As mentioned earlier, 50 million accounts were recently compromised. If cyber criminals get your Facebook password and it’s the same password as your financial accounts, you’re risking your wealth for convenience.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;As an extra measure, consider using a separate email account dedicated for your online financial accounts.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Use complex passwords.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Change your passwords for all accounts at least once a year.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Use multi-factor authentication — a password plus a second factor, such as a code from an authenticator app or a code texted to your phone.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Use a password manager like LastPass or the browser’s built-in password saving mechanism. There is a risk that if someone hacks your system, they have access to all of your accounts via the saved passwords. That risk, however, is offset by the benefit of not using the same password for multiple sites.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;If you do want to enter passwords manually, use a pattern that is hard for password cracking applications to guess but is easy for you to remember.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;&lt;b&gt;Remember The Basics&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Install anti-virus software on your computer and set it to auto-update each day. Windows now has Defender built-in. Most people with Mac OS do not have anti-virus. That historically has been a safe bet. But everything is secure until it isn’t. Don’t wait for an outbreak or for data to be encrypted by cyber criminals. Install an antivirus program such as Symantec or McAfee on your Mac.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Avoid free antivirus software from dubious vendors. You get what you pay for.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Set your Mac or Windows computer to automatically install operating system updates.&amp;nbsp;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Don’t use an administrator account for your day-to-day tasks on your computer. Use an unprivileged account.&amp;nbsp;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Definitely don’t let your minor child have an administrator account on your computer, especially not the computer you use to conduct financial transactions.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-size: large;&quot;&gt;Use a password to log on to your computer. The last thing you want is a house guest or the babysitter accessing your sensitive files.&amp;nbsp;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
</content><link rel='replies' type='application/atom+xml' href='http://www.greghalpin.net/feeds/4471103883778632431/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.greghalpin.net/2018/10/protecting-your-online-financial_10.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/4471103883778632431'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6569213714636569218/posts/default/4471103883778632431'/><link rel='alternate' type='text/html' href='http://www.greghalpin.net/2018/10/protecting-your-online-financial_10.html' title='Protecting Your Online Financial Accounts'/><author><name>Greg Halpin</name><uri>http://www.blogger.com/profile/17719118542703009589</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='21' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3-t4qOKvt4VAXacR2IW5Cxa1LkMpWAiHeVhAwVAvu78I7MyzoHJkjLlFOITeM-okQwWq9iCwZL8aqvw-95-UaJrfotaoBgl6QmHYFHA1oxn5yQy31sp12ZGTZqWASjA/s220/IMG_4976+copy.png'/></author><thr:total>0</thr:total></entry></feed>