Welcome back to Federal Friday with a happy belated 4th of July. I hope all of you out there had a fantastic holiday and were able to spend some quality time with friends, family, and some fireworks. For this week's blog I wanted to focus on 3 topics that really grabbed my attention over the last two weeks.
NIST needs your help. In a blog post on Federal Technology Insider Patrick Gallagher, Under Secretary for Standards and Technology and Director, NIST addresses the need to protect critical infrastructure in an ever changing cyber landscape. This stems from Executive Order 13636 which was delivered earlier this year and tasked NIST with focusing on creating a cybersecurity framework to protect the nation's infrastructure. NIST is taking a very Rapid7 approach to this in that they are using the community-at-large to help create this framework. The thought here is to use the existing standards in conjunction with feedback from organizations across many sectors. This collaboration was first realized at 2 sessions that were held in D.C and Pittsburgh and resulted in a draft of the framework that was published on July 1. The draft came up with the following list of 5 core cybersecurity functions:
o Gaining the institutional understanding to identify what systems need to be protected, assess priority in light of organizational mission, and manage processes to achieve cost effective risk management goals
o Categories of management, technical, and operational activities that enable the organization to decide on the appropriate outcome-based actions to ensure adequate protection against threats to business systems that support critical infrastructure components.
o Activities that identify (through ongoing monitoring or other means of observation) the presence of undesirable cyber risk events, and the processes to assess the potential impact of those events.
o Specific risk management decisions and activities enacted based upon previously implemented planning (from the Prevent function) relative to estimated impact.
o Categories of management, technical, and operational activities that restore services that have previously been impaired through an undesirable cybersecurity risk event.
They have a 3rd workshop going on this week in San Diego with sessions being focused on population a matrix for these functions. You can download a full copy of the draft here.
Additionally I found a DHS Whitepaper on Cybersecurity Questions for CEOs. The spotlight here is around the dollars affected by compromised records, and highlighting dollars always seems to grab management's attention. The paper says that the avg. cost per compromised record was $194 and the resulting cost of lost customers is estimated to be around $3 million. What I found interesting here is that the questions seem like obvious questions to ask, especially given today's cyber threat levels. However, the reality of the situation is that many organizations still do not address their Cyber Risks until it is too late. Aside from simply listing the questions they also listed 8 Key Cyber Risk Management Concepts. These concepts are a great place for CEOs and upper management to start incorporating themselves into Cyber discussions within their organizations. The most effective way to apply a comprehensive approach to your security program is to use the points listed below, SANS Top 20 Critical Security Controls, FISMA and PCI standards in conjunction with each other. While this is a ton of information it will ultimately come down to how your organization can digest the information and prioritize accordingly.
Key Cyber Risk Management Concepts
- Incorporate cyber risks into existing risk management and governance processes.
- Elevate cyber risk management discussions to the CEO
- Implement industry standards and best practices, don't rely on compliance.
- Evaluate and manage your organization's specific cyber risks.
- Provide oversight and review.
- Develop and test incident response plans and procedures.
- Coordinate cyber incident response planning across the enterprise.
- Maintain situational awareness of cyber threats.
The DHS whitepaper was a great lead in to another blog I was reading on Phishing n the Harvard Business Review by Tom Cochran titled “Why I Phish My Own Company.” Mr. Cochran, who currently works in the private sector, was recently in charge of digital technology at the White House. While there, he had very robust budgets when it came to security, but in venturing out into the commercial world he found that security was not the top priority and subject to a number of variables that could knock it further down the list. It's important to note that in order for him to do what was best for his organization there would have to be a huge change in security policies, and nobody likes change. To get the necessary policies in place he needed to show that there was more pain in not changing the existing policies. When Mr. Cochran kicked out his first phishing email he had almost half of his employees open it. Of those that opened it, 58% clicked on the fake malicious link it contained. He was now armed with the ammunition that would force the change as the evidence was undeniable. Unfortunately this scenario plays out on a daily basis within public and private organizations, and with a complacent employee base the likelihood of an attack via phishing, or spear phishing, is very high. The moral of the story here is to educate your employees, run social engineering campaigns, and be clear about the need to institute policies. The Social Engineering Campaign feature within Metasploit Pro is a great way to start Managing Your Phishing Exposure. You can read Mr. Cochran's full blog here.