Archive for March, 2013

Hacked: A bank is hacked! How bad is it?

Tuesday, March 19th, 2013

Below, you will see a credit union bank that got hacked in Feb 2013 (see bottom center of the picture). If you are a member of this credit union, they would have notified you of the potential breach and advised you to stop using your card or to call them and have the card blocked.

The notification message that reached you would probably look something like the one below.

As an information security expert, you can probably read through the notification document and gather some insights. The following are some of the insights I have been able to collect - if you have additional thoughts, go ahead and comment on them below.

1. The information security warfare/protection game plan has now been upgraded to cyber-crime. Gone are the days when you could block all the atypical ports and feel comfy! Traffic now happens on port 80 and payloads are exchanged on port 80! Attackers are designing around ‘conventional/usual paths’ with unusual patterns. It is like saying, “thieves are robbing us, and they are walking in through the main door and taking our stuff(!) out through the main door”!

2. Regulations such as PCI can give you ‘comfort’, not a guarantee, because PCI is more focused on protecting data through conventional means (translation: following usual patterns, for example blocking the usual ports) for data-at-risk, data-at-rest and data-in-transit. Malware is an unusual beast with unusual patterns.

3. These are zero-day attacks, and even companies specializing in hacking expertise take time to reverse engineer them, by which point the zero-day attack is a few weeks old.

However, there is also a positive note to this:

a. Tools such as proactive IPS (for example FireEye) and SIEMs, and teams of collaborating cyber-threat experts who message each other to warn about and identify the symptoms of a pattern.

b. Malware hacker psychology has been better understood in the last ONE year - countries have united to bring down Stuxnet/Grum etc. Of course, countries have also leveraged such psychologies to control the outcome of events. In any case, we are now in a better place than a year or two ago, when we would wonder: “Yes, I see traffic going out to some place on the internet, but I don’t know what they are sending in the payload or why they are reaching out”. Now we know that they are reaching out to command-and-control to download additional worms and the like. Now we know that there are randomly created domain names, that they are hard to detect, and that we are collectively bringing those domains down.

c. Last but not least, there is considerable education about malware, allowing people to collaborate and converge on how to counter these attacks.

d. There are specialized companies with teams to detect such attacks.
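Points 1 and b above describe the two symptoms a defender can still look for when command-and-control hides in ordinary port-80 traffic: hostnames that look machine-generated, and the same small request repeating at a fixed size. The script below is an added example, not code from the original post; it scores hostnames with a crude character-statistics heuristic and flags fixed-size repeat requests over a constructed proxy log. The thresholds and the log format are assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample proxy log (not from the post): time src_ip dst_host dst_port bytes_out
SAMPLE_LOG = """\
2013-02-12T09:14:01 10.1.4.22 www.example.com 80 512
2013-02-12T09:14:31 10.1.4.22 xk3qv9hdl2pzt7.com 80 1340
2013-02-12T09:15:01 10.1.4.22 xk3qv9hdl2pzt7.com 80 1340
2013-02-12T09:15:31 10.1.4.22 xk3qv9hdl2pzt7.com 80 1340
2013-02-12T09:16:10 10.1.4.22 mail.example.org 443 2200
2013-02-12T09:17:00 10.1.4.22 wq0zlm8rcb5y.net 80 1298
"""

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def dga_score(host):
    """Crude 0-4 score for a machine-generated-looking registered label.
    Assumes a one-part public suffix like .com (not .co.uk); thresholds are illustrative."""
    parts = host.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    n = len(label)
    digits = sum(ch.isdigit() for ch in label) / n
    vowels = sum(ch in "aeiou" for ch in label) / n
    return sum([shannon_entropy(label) > 3.0, digits > 0.2, vowels < 0.25, n >= 12])

def parse(log_text):
    for line in log_text.splitlines():
        ts, src, host, port, nbytes = line.split()
        yield ts, src, host, int(port), int(nbytes)

def find_suspicious(log_text, dga_threshold=3, min_repeats=3):
    """Map host -> sorted reasons: DGA-like name, and/or the same (src, host)
    pair repeating identical-size port-80 requests, i.e. a beacon-like pattern."""
    flagged, by_pair = {}, {}
    for ts, src, host, port, nbytes in parse(log_text):
        if dga_score(host) >= dga_threshold:
            flagged.setdefault(host, set()).add("dga-like name")
        if port == 80:
            by_pair.setdefault((src, host), []).append(nbytes)
    for (src, host), sizes in by_pair.items():
        if len(sizes) >= min_repeats and len(set(sizes)) == 1:
            flagged.setdefault(host, set()).add("repeated fixed-size port-80 requests")
    return {h: sorted(r) for h, r in flagged.items()}

if __name__ == "__main__":
    for host, reasons in find_suspicious(SAMPLE_LOG).items():
        print(host, "->", ", ".join(reasons))
```

Either signal alone produces false positives (CDN hostnames score high, software updaters beacon), so in a SIEM these would be correlation inputs rather than standalone alerts.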

What does this mean for info-sec professionals like us?

a. We need more analysis experts with cyber-traffic experience.

b. Malware warfare is just beginning - more is to come, as the ‘cyber surface area’ has just increased with mobile: mobile users, mobile operating systems, mobile apps.

c. Lastly, more jobs will be created in this field as the warfare gets tougher, reaches a peak and then probably stabilizes. I am not sure when that ‘stabilize’ would happen or what it would mean.

Comments? Thoughts?

COBIT-5 - CIO dashboard

Tuesday, March 19th, 2013

I was looking for a framework that enables me to provide a dashboard at the CIO level. This dashboard, in my vision, would extend the control objectives across the IT organization, from business alignment through the IT life-cycle. COBIT-5 was something that drew my attention.

I did some research on COBIT-5 over the past few weekends, and COBIT-5 is quite a progression if you have not matured into COBIT-4.

The following might sound a bit boring but please bear with me here.

As you know, COBIT-5 is not just a risk management framework; it is an overall governance and IT management framework.

At the least, one needs to identify management objectives, then define the scope (see diagram below), process areas and control objectives. If the process-area coverage is too large, you can focus on just the Risk Management portion; you could pick the risk management domains at this time. Then you could leverage the management guidelines (recommended by the COBIT-5 handbooks) and develop a maturity road map.

Furthermore, you will need to find a balance between the Governance (policy compliance and such) and the Management of IT (plan-build-run-measure and such) layers of COBIT-5. For example, certain areas such as supply chain, information security or DR may need additional emphasis on governance.

Specifically, the scope of COBIT-5 has increased enormously and now includes people management, business alignment etc., and I am not sure whether a single governance team (Infosec team, DR team, Compliance team) can leverage it alone. Even a combined GRC team may find it overwhelming given the current IT spending trend in the industry. I believe it takes a village (or rather, enterprise IT) to align with COBIT-5.

COBIT-5 definitely has a good balance of governance (processes to measure IT) and IT management (processes to run IT). So, compared to ITIL, the plus I could see coming out of this framework is that we can leverage COBIT-5 for an executive-level dashboard that provides a ‘measured’ view of where each process is and its overall health. This could provide overall comfort for a CIO at all times.

Now, you can’t execute this alone in the industry - in my opinion, you need multiple companies adopting this, exchanging practice notes and maturing together.

How do we do it? I do not have the answer.