The first action is to gain command of the facts. This entails acquiring the data on information assets to support a company-specific risk profile; building a consensus with the business on what matters and on the impact of security compromise; and developing a planning tool that includes corporate and industry data.
The second action is to get business leaders to own risk. This entails advocating for the mind-shift that the business owns IT security risk; building key alliances with the business; running security exercises, games and simulations; and developing strong stewardship policies and tools.

The third action is to embed security into key processes. This involves embedding safe coding practices into the software development process, including security criteria in vendor due diligence, building consultations into new business initiatives, and getting involved early in mergers and acquisitions.

Fourth, a CISO should run IT security like a business. This entails developing the financial discipline to tie budgets to business impact, developing sophisticated resource management skills, and building strong project management capabilities within information security.

Fifth, a CISO should put together a technical and business-capable team. This involves changing the game with competency models that balance technical, business, and interpersonal skills; applying those models and laying out career paths to retain those who can represent the CISO; and investing in leadership and management development for the CISO and direct reports.

The sixth action is to communicate the value of security. This entails building a value proposition for how IT security helps the business grow and compete, communicating that value consistently, and engaging with stakeholders to express the value of security in terms that have meaning to them.

The seventh action is to organize for success. This involves assessing the workload on the IT security team, developing a clear reporting path for the CISO, and instituting mechanisms that put the CISO and team in direct contact with corporate leaders.

Margaret Rouse writes that homomorphic encryption is the conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form.
Homomorphic encryptions allow complex mathematical operations to be performed on encrypted data without compromising the encryption. In mathematics, homomorphic describes the transformation of one data set into another while preserving relationships between elements in both sets. The term is derived from the Greek words for "same structure." Because the data in a homomorphic encryption scheme retains the same structure, identical mathematical operations -- whether they are performed on encrypted or decrypted data -- will yield equivalent results. Homomorphic encryption is expected to play an important part in cloud computing, allowing companies to store encrypted data in a public cloud and take advantage of the cloud provider's analytic services.

Here is a very simple example of how a homomorphic encryption scheme might work in cloud computing:

• Business XYZ has a very important data set (VIDS) that consists of the numbers 5 and 10. To encrypt the data set, Business XYZ multiplies each element in the set by 2, creating a new set whose members are 10 and 20.
• Business XYZ sends the encrypted VIDS set to the cloud for safe storage. A few months later, the government contacts Business XYZ and requests the sum of the VIDS elements.
• Business XYZ is very busy, so it asks the cloud provider to perform the operation. The cloud provider, who only has access to the encrypted data set, finds the sum of 10 + 20 and returns the answer 30.
• Business XYZ decrypts the cloud provider's reply and provides the government with the decrypted answer, 15.

Respectfully, lots of us work in large organizations that have very porous boundaries that, with mobile device support and the arrival of "the Internet of things", will undoubtedly lead to even further perimeter fragmentation.
How do we move from a mentality of "Not if, but when" to one of "it's happened" to understand the compromise and mitigate loss as efficiently as possible?
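The cloud workflow from the homomorphic encryption example above, as an added example that is not part of the quoted definition: the text's multiply-by-2 toy scheme first, then the same encrypt, sum-in-the-cloud, decrypt sequence with the Paillier cryptosystem, which goes beyond the text in being a genuinely additively homomorphic scheme with randomized ciphertexts. The primes 61 and 53 are constructed toy values for readability, not a usable key size.

```python
from math import gcd
import secrets

# Toy scheme from the text: Enc(m) = 2*m, Dec(c) = c // 2. Additive homomorphism holds
# (2a + 2b = 2(a + b)), but the scheme leaks ratios between values and is not secure.
def toy_encrypt(m, key=2):
    return m * key

def toy_decrypt(c, key=2):
    return c // key

# Paillier: a real additively homomorphic scheme, Enc(a) * Enc(b) = Enc(a + b) mod n^2.
# p and q below are constructed toy-sized primes, chosen for readability only.
def paillier_keygen(p, q):
    """Public key (n, g), private key (lam, mu), for distinct primes p and q."""
    n = p * q
    lam = (p - 1) * (q - 1)   # phi(n); lcm(p-1, q-1) is the textbook choice and also works
    g = n + 1                 # standard generator: (1+n)^k = 1 + k*n (mod n^2)
    mu = pow(lam, -1, n)      # inverse of L(g^lam mod n^2) = lam, modulo n
    return (n, g), (lam, mu)

def paillier_encrypt(pub, m):
    n, g = pub
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1           # fresh randomness per ciphertext
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def paillier_add(pub, c1, c2):
    """Cloud-side step: multiplying ciphertexts adds the hidden plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)

def paillier_decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    x = pow(c, lam, n * n)
    return ((x - 1) // n * mu) % n             # L(x) = (x - 1) / n, then scale by mu

def cloud_sum_demo(values, p=61, q=53):
    """The text's scenario: encrypt, let the 'cloud' sum ciphertexts, decrypt."""
    pub, priv = paillier_keygen(p, q)
    ciphertexts = [paillier_encrypt(pub, v) for v in values]   # all the cloud ever sees
    total = ciphertexts[0]
    for c in ciphertexts[1:]:
        total = paillier_add(pub, total, c)                    # no key, no plaintext
    return paillier_decrypt(pub, priv, total)                  # [5, 10] -> 15
```

Plaintext sums must stay below n, so with these toy primes the demo only handles small totals.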
1. Overreliance on security monitoring software: The good news is that many organizations are beginning to actively monitor their networks in response to all the data breaches in 2014. Third-party vendors offer Security Information and Event Management (SIEM) software that you may purchase, install, and use to seemingly monitor the entire network with one tool. The bad news is that these tools require considerable customization and management to work effectively. Your network devices all need to be able to connect and communicate with the software. One tool may not do it all, so be careful of putting all your eggs in one basket. Mitigation strategy: Understand and use a diverse portfolio of monitoring tools.

2. Inadequate system logging: Software and network devices allow for incident and event logging. However, people often do not enable the logging option. If enabled, the logs are frequently not saved or reviewed by management. Yes, logging can be a tedious process. When not configured correctly, log alerts can flood your email inbox. Mitigation strategy: Consider third-party software that allows you to refine the logging process and alert your personnel to significant incidents and events. Combined with a well-managed SIEM tool (see the caveat in #1 above), strong logging practices can help diversify your system defenses.

3. Technology innovations that outpace security: Consumer demand for the latest and greatest software package often drives developers to take shortcuts, use outdated code, or not fully test new products in order to get the product to market. This can result in software being put into production before it has been sufficiently vetted against security vulnerabilities or system compatibility. Organizations that use the most recent version of a product should test it extensively before installing it into production systems. Mitigation strategy: Follow a "non-first adopter" policy and allow the software to prove itself for six months to a year before using the product. For organizations that develop software, we encourage you to keep a specific focus on security from the start of the development process.

4. Outdated operating systems: Related to #3 above, older versions of software do eventually become unsupported by the vendor. Vulnerabilities may go unpatched, and they're often the first spot hackers will focus on when trying to obtain access to your systems. One such vulnerability is the continued use of Windows XP. It went into unsupported status in April 2014, yet an unsettling number of businesses still rely on XP as their main workstation operating system. Similarly, Windows Server 2003 is scheduled to go into unsupported status starting July 2015; it is also heavily used in the business segment. Mitigation strategy: Track and plan for these major system changes to prevent systems from running unsupported software.

5. Lack of encryption: The first line of defense for preventing unauthorized access to your data is to protect it while at rest and while in transit. Removable media (USB thumb drives, CDs, etc.) should not allow data to be placed on them without requiring the user to create an encrypted folder on the device or encrypt the entire device. Mitigation strategy: Use third-party software tools to aid with encryption. These tools can scan outbound emails for sensitive data and require the sender to use a secure file upload site or to encrypt the data before transmission. Laptop hard drives should have full-disk encryption that only unlocks the data after a user successfully logs into the device.

6. Data on user-owned mobile devices: The battle between company-owned devices and user-owned devices will continue in 2015. Employees increasingly want to use their own mobile devices such as tablets and smart phones to gain access to your systems through the Internet. Mitigation strategy: Third-party applications allow each user to have a "sandbox" of data (a secured segment of your organization's information accessible from the mobile device), including email and files stored in a secure directory on your organization's system. Employees should only be allowed to gain access through usernames, passwords, and possibly two-factor authentication. If the mobile device is lost or stolen, your organizational data remains on your network and not on the device, reducing the risk of lost or breached data.

7. IT "diplomatic immunity" within your organization: We often see members of IT management and System Administrators who feel exempt from the system access requirements detailed within their organization's policies (non-expiring passwords, for example). These IT employees may reason that they have been vetted. But these employees' accounts may also have high levels of access and permissions, which makes them high-value targets for hackers. Mitigation strategy: Complete user reviews of accounts and settings at least twice per year. To run this review, use a member of the security or audit team, or another qualified person outside of IT, to help verify that all personnel comply with IT policies.

8. Lack of management support: The values that create a strong security environment should come from management and be considered a part of the organization's culture. Investing in IT security early on will reduce the costs to both your organization's finances and reputation if a breach were to occur. Mitigation strategy: Educate and encourage members of management who understand the need to protect systems and are able to communicate that need throughout the organization.

9. Challenges recruiting and retaining qualified IT staff: Finding and keeping qualified security professionals is becoming difficult with the increased demand for dedicated IT security departments within companies and organizations. We have seen aggressive recruiting by competing companies within the same geographic area. Heavy turnover in IT security diminishes an IT team's effectiveness, as new personnel must learn systems, organizational culture, and business processes to fully grasp the risks of the organization. Mitigation strategy: Focus on capabilities, training, and retention to reduce turnover and develop a strong IT security team.

10. Segregation of duties: In accounting, the proper segregation of duties is a cornerstone concept. Our IT auditors see a strong need for the same concept to be embedded into IT departments. The umbrella IT security strategy and responsibility should not fall solely to a Systems Administrator or Chief Information Officer with many other duties and potentially conflicting interests. Mitigation strategy: Security should belong to a dedicated role, such as a Security Analyst or Chief Information Security Officer. In some situations, IT security is independent of the IT department and reports directly to a board or Chief Executive Officer, much as an internal audit department would do, to allow for independent assessments, objective monitoring of systems, and the ability to report without prejudice.