Integrity Blog

Have you heard the latest news about NIST, PCI DSS 3.2, Ransomware, and Verizon 2016 DBIR?

You’ve heard it before, perhaps in passing, perhaps as part of an audit… You need to pay more attention to rising cyber threats. Get involved in information sharing groups. Spend more time determining what could be potential risks to your organization. In addition, ensure you stay atop regulatory and industry requirements.

O.K. … Easier said than done. Even as a cybersecurity professional, this humble blog writer can find it a challenge to make time to read the latest security news and stay knowledgeable about changes to regulatory and industry requirements.

So, for this posting, I thought it would be refreshing to look at some of the latest news.

Have you heard…

National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST) has started the process to revise one of our favorite references, the NIST Special Publication (SP) 800-53 (revision 4) “controls catalogue.” According to multiple sources, SP 800-53 revision 5 will provide more focus on continuous monitoring and anomaly detection.

PCI DSS

On 28 April, the PCI Security Standards Council released version 3.2 of the PCI Data Security Standard. Version 3.1 will expire on 31 October 2016. Included in this new version are multiple clarifications and expanded requirements. For example, the requirement for multi-factor authentication is being expanded to address personnel with non-console administrative access to the cardholder data environment. For more about version 3.2, see the press release at:

PCI DSS 3.1 Press Release

Verizon 2016 Data Breach Investigation Report

The Verizon 2016 Data Breach Investigations Report has been released. The report presents some sobering statistics, such as 63% of confirmed data breaches involve weak, default, or stolen passwords. To access the report, visit:

Verizon 2016 DBIR

Ransomware

Ransomware continues to increase as a threat to organizations, primarily spread by criminal organizations using exploit kits. It’s easy money. CryptoLocker, CryptoWall, Locky, and TeslaCrypt are some of the ransomware names we’ve been introduced to over the past couple of years. Now, CryptXXX is gaining steam. Of note, Kaspersky Lab has published a utility that supposedly will recover files lost to CryptXXX infections. Nonetheless, it’s best to try to avoid ransomware altogether. Keep patches up to date, continue training employees about phishing and other social engineering tactics, and ensure you are routinely backing up critical data.

The Cybersecurity equation of Risk vs. Reward

Information security professionals must understand their role in helping business leaders balance the risk vs. reward equation when evaluating cybersecurity efforts. They must also be willing to exercise flexibility in their personal opinions and help business leaders understand IT risk management. Doing business comes down to one simple question. How much money are you willing to lose in an attempt to make even more money? In other words…how much risk can you stomach? Doing business in the digital world today involves more risk than ever before. Cyberattacks are simply a cost of doing business.

Information security professionals are responsible for helping business leaders understand cybersecurity risk and how to properly mitigate it. When this occurs, they can be a very useful resource. But, if they do not understand that responsibility, they become a liability to the organization they are trying to help. Security professionals must understand that business decisions must be made by business leaders.

Assisting with Business Decisions

If you are an information security professional, you can let down your leaders in several ways. The first is to attempt to make business decisions. Saying “no” because something is too risky isn’t your job. You should identify the risk, communicate the risk so executives can understand it, and then provide options for accomplishing the task with less risk. Let the executives make the call. This way you are seen as an enabler of the business and not a roadblock to progress or change.

Flexibility and Compromise

A second pitfall is to pick the wrong battles. If you are seen as inflexible and unwilling to compromise, you lose the trust and respect of leaders around you. If, however, you display a willingness to negotiate and compromise on a regular basis, the times when you do push back and fight hard for something, your opinions will be respected. If there is a high level of trust, they may even defer to your position simply on that trust factor.

Staying Engaged

A third pitfall is complacency and ineffectiveness. Every security professional comes to a point in their career when their effectiveness seems to be dwindling. For whatever reason, their effectiveness in the organization has diminished to a point where they are no longer making a difference. Sometimes this is because of the individual, sometimes a management change, and sometimes the company’s culture is changing due to growth and maturity. The important thing to do is to find out the reason for the change and try to correct it. Simply going through the motions of security will result in critical failures.

Communicating with Management

Ultimately it comes down to this. Are you still able to recognize and communicate cybersecurity risks in a way that management understands and is able to act on? Are you able to provide solutions that protect the company while allowing it to function and grow? If the answer is “Yes”…then carry on. If the answer is “No”, then you need to dig deeper. What changed? Why? Can you fix the issue? Can you reestablish mutual trust and be effective again?

Information security isn’t about being in control. It’s about helping business leaders make wise decisions based on their knowledge of the business environment and market forces. Information security professionals who understand this and provide value to their business leadership are worth their weight in gold.

Editor’s Note: This post was originally published in January, 2010 and has been updated for freshness, accuracy, and comprehensiveness.

Digital Forensics - Should you do a live analysis of a system while performing a breach investigation?

When I first began dabbling in digital forensics, the year was 1999. At the time it was little more than tepid curiosity for me. It wasn’t but a couple of months before I was thrust into my first “investigation”. The issue turned out to be a non-issue but it sure had us worried. Looking back on my procedure, I still had a lot to learn about digital investigations.

Here we are in 2016 and the practice of digital forensics must continue to change with the advances in technology. We used to think that live analysis of a system was taboo. The first rule of thumb was to turn it off and write-block everything before you attempted any discovery. Changes in technology have necessitated a shift in thinking about live acquisitions during a forensic examination. Let’s look at a couple of the scenarios which offer highly compelling arguments for live acquisition.

Commercialization of Localized Encryption

Ten years ago it would have been rare to find a desktop with any sort of local drive or file encryption. Today, however, full drive or volume encryption is commonplace. The drive or files to be analyzed may be unencrypted while the system is booted and logged in, but will revert to an encrypted state once the system is rebooted. Encryption is the bane of every digital investigator’s existence. Sure, you can get around some of it, but the time and frustration added to your investigation is a reality. (Wouldn’t it be nice if the encryption keys were still loaded in RAM and you could just capture it for future use? JUST KIDDING!)

Use of Volatile Memory for Malware Applications

We used to tweak and tune our machines to scrape together an additional 2 or 3 megabytes in RAM to get an application to run. Attackers typically had to rely on placing some part of their payload on a physical disk to ensure a high rate of success. Today a PC comes with 8, 12 or even 16 gigabytes of RAM, and we have plenty to spare. Attackers have become adept at building small but powerful apps, which are completely memory resident. Shutting down a system may eliminate any evidence that was once there.

Advent of Flash Storage as System’s Primary Storage

Devices often use “blade” type solid state drives (SSD) to replace hard drives. These blade drives use a myriad of connectors, some of which are proprietary. In many cases, you can’t just pull a drive out and stick it in a duplicator. Some of the drives require connectors with special firmware or controllers, which are on the motherboard. Booting to a forensic image on a USB stick may not allow the controller firmware to load correctly, and the drive will not be recognized. Sometimes a live acquisition is the only way to get data.

As you can see, shutting a system down prior to acquisition could cause significant loss of evidence. Our first goal in digital forensics is to preserve evidence. It is equally important to prove what is present as it is to prove what is not present. Rob Lee of SANS once gave a presentation to the ISSA chapter in Des Moines. He explained it well by saying when an EMT shows up at a shooting and the victim is still alive, they don’t worry about contaminating the crime scene when trying to save a life. Their footprints and residual evidence left behind can be identified and explained in the bigger picture. The traces left by our “prodding and poking” of a live system can be tracked and explained once the full forensic detail is laid out.

So the next time you prepare for an investigation, think about this. Would you have a better overall picture of that system’s current state by doing a live analysis and explaining away your tracks, or by shutting it down and doing a more conventional acquisition? And so my dear Watson…what’s your answer?
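One way to make the examiner’s own “prodding and poking” of a live system trackable, so it can later be separated from the attacker’s traces, is to log every collection step with a timestamp, the exact command and a hash of what was captured. The script below is an added example, not from the original post; the Linux commands in COLLECTION_PLAN and the examiner name are assumptions, and the RAM capture itself is left to a dedicated tool.

```python
"""Live-acquisition audit manifest (added example, not from the original post).

Each volatile-data step is recorded in order of volatility with a UTC timestamp,
the examiner's identity, the exact command run and a SHA-256 of the output, so
the examiner's footprint on the live host can be identified and explained later.
"""
import hashlib
import json
import subprocess
from datetime import datetime, timezone

# Assumed Linux commands, most transient data first. A full RAM image should be
# taken with a dedicated capture tool before these run; it is not done here.
COLLECTION_PLAN = [
    ("processes", ["ps", "-eo", "pid,ppid,user,etime,cmd"]),   # memory-resident code
    ("network",   ["ss", "-tunap"]),                            # live connections
    ("block_devs", ["lsblk", "-o", "NAME,FSTYPE,MOUNTPOINT,TYPE"]),  # crypt mappers
]

def record_step(manifest, name, command, output, examiner):
    """Append one collection step; returns the SHA-256 hex digest of the output."""
    digest = hashlib.sha256(output).hexdigest()
    manifest.append({
        "step": name,
        "examiner": examiner,
        "utc": datetime.now(timezone.utc).isoformat(),
        "command": list(command),
        "sha256": digest,
        "bytes": len(output),
    })
    return digest

def run_plan(plan, examiner):
    """Run each command on the live host; returns (manifest, captured outputs)."""
    manifest, captured = [], {}
    for name, argv in plan:
        try:
            out = subprocess.run(argv, capture_output=True, timeout=30).stdout
        except (OSError, subprocess.TimeoutExpired) as exc:
            out = f"ERROR: {exc}".encode()   # record the failure instead of skipping it
        record_step(manifest, name, argv, out, examiner)
        captured[name] = out
    return manifest, captured

def verify_manifest(manifest, captured):
    """Re-hash stored outputs; returns the step names whose data no longer matches."""
    return [m["step"] for m in manifest
            if hashlib.sha256(captured.get(m["step"], b"")).hexdigest() != m["sha256"]]

if __name__ == "__main__":
    manifest, captured = run_plan(COLLECTION_PLAN, examiner="examiner-01")
    print(json.dumps(manifest, indent=2))
    print("tampered steps:", verify_manifest(manifest, captured))
```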
