Cybersecurity: Top Priorities in 2014Kroll's Alan Brill on Security Frameworks, Supply Chain Risks
Cybersecurity frameworks, supply chain risks and malicious insiders - these are among 2014's hot topics, according to Alan Brill, senior managing director at Kroll Advisory Solutions.
Leading the predictions: Cybersecurity frameworks, such as the one developed by the National Institute of Standards and Technology, will be the de facto standard of best practices for all companies.
"It's useful [to follow the frameworks] because, historically, if we would go into an organization to do a security assessment, the question that everyone always asks is, 'What are you assessing this against?'"
And while there is no "perfect" standard, cybersecurity frameworks represent a certain level of expectation around what organizations should be doing, Brill says.
Using a cybersecurity framework as a baseline for security best practices will prepare companies for questions posed by their board of directors, auditors and customers, he says.
"It's valid for [them] to ask the question, 'Are you doing what you ought to be doing?'" Brill says. "In order to answer that, in part you need a standard."
Other topics included in Brill's forecast: supply chain vulnerabilities and malicious threats, including the unintentional insider.
In an interview with Information Security Media Group about this forecast, Brill discusses:
- Details of the top three predictions;
- The biggest cybersecurity changes of the past year;
- What security leaders can do to address 2014's biggest threats.
Brill is senior managing director for Kroll Advisory Solutions. He consults with law firms and corporations on investigative issues relating to computers and digital technology, including the investigation of computer intrusions, Internet fraud, identity theft, misappropriation of intellectual property, internal fraud, data theft, sabotage, and computer security projects designed to prevent such events. He has worked extensively on developing methodologies for collecting evidence from corporate information systems. With more than 33 years of consulting experience, he has assisted firms with a wide range of technology security issues.
Security's Influence in the Boardroom
TOM FIELD: This is your third annual list of predictions. As you formulated this year's forecast, what surprised you the most?
ALAN BRILL: The thing that was interesting was, if you go back a year or two, we were not hearing a lot of interest in this area, specifically coming from boards of directors, and that has changed radically. The board, in many cases most specifically the board committee at the board, has come to recognize that it can't carry out its judiciary responsibility to the organization without thinking about the subject of how data is used, secured, processed, even destroyed at the end of its useful life. That has been the motivator if you think about it.
It's something where in a new corporation, the board is saying, "We're not just going to assume that everything is okay. We'd like to know that everything is okay and we'd like to have the kind of evidence that some industries are now required to do." That evolution of people listening to what we and others in information security have been saying and getting to the level of the board has been not just a surprise, but it's really been a pleasant revelation.
FIELD: I want to talk about some of the specifics of your predictions. I know we don't have time to get into everyone here, so I thought we might go through the top three. Your first prediction is NIST and similar security frameworks will become the de facto standards of best practices for all companies. I wanted to ask you: don't you find that, with many of these frameworks, they go through so much deliberation that they end up compromised, like a true compromise, and don't really please any one of the constituents but is just enough to satisfy the group mentality and get by? Is that useful?
BRILL: I think it actually is useful because, historically, if we would go into an organization to do a security assessment, the question that everyone always asks is, "What are you assessing this against? Is it what you personally feel is best? Is it the experience in your organization? What's the standard?" You're right - there is no perfect standard and I suspect there will never be. But we do know that the government is basing all the work that it's doing in FISMA on the standard. The NIST standard is there underlying a lot of what we see at HIPAA and HITECH and it does represent a level of expectation ... against what you can measure what you're doing.
Now, how you implement it will always be very much in line with what your organization needs. But those general principles underline NIST, ISO standard and a number of others around. It's valid for a board, auditors, customers and, ultimately, the courts to ask the question, "Are you doing what you ought to be doing?" In order to answer that, in part you need a standard.
Data Supply Chain Challenges
FIELD: Your second prediction is the data supply chain will pose continuing challenges to even the most sophisticated enterprises. You've talked about healthcare. How do you feel about the U.S. healthcare approach to making covered entities more accountable for their business associate security? Are there some tips here that the other sectors could adopt?
BRILL: When I look at this, I think back to a lot of the cases that Kroll handles. Some of these cases involve breaches that have happened and some involve our working with an organization to try to prevent a breach, to try to run tabletop exercises to help them prepare for handling a breach. What we found that's interesting is that many organizations literally don't know all of the other organizations that are supporting their information processing. We find that individual managers and individual employees sometimes are using outside services without telling anybody formally within the organization. It can range from some software-as-a-service, and may be very helpful in something that they're doing, all the way to using personally owned storage, things like Dropbox, iCloud, SkyDrive, an endless number of them, all of which put data that's really the company's data, customers' data or patients' data at potential risk. For a company to ignore all of those connections is to do that company great damage.
What we're looking at in healthcare is a recognition that you can't simply look inside your own organization and say everything is fine. You have to understand the evolution of this whole concept of cloud computing and remote computing to say: Where's our data? Who holds our data? How do they protect it? If there's a problem, would they tell us? Would they do the right thing? Ultimately, if we gave them the data and it belongs to our customers, our customers are going to look to us. They're not going to be satisfied with us saying, "It wasn't really us; it was the vendor we use. They had a vendor that they used and they screwed up. It's pretty sad but not our problem." It is your problem and it's that recognition that's leading organizations to say, "We need to get a real handle on any point in which our data is being handled by somebody else."
Following Healthcare's Lead
FIELD: Not to put words in your mouth, but it sounds like there are some leads that people can take from healthcare, because we've got healthcare organizations in the U.S. going through this exercise now.
BRILL: I don't think that there's any organization right now that would be ill-served by asking those same questions. If you look at the details of HIPAA and HITECH, which have been brought together in something called the final Omnibus Rule ... interesting proportions of that would be applicable to any organization. Those concepts would be of value to those organizations. It represents something of a structure because you can look at all those rules and it comes down to maybe three or four things. First, [it's] having a threat or risk assessment, understanding what the risk is and how to counter that risk. Second, ask questions about how you're securing the data. Third, [ask] questions about privacy. Do you have a program; who is in charge of it; how do you protect privacy; do people understand their individual roles in that within the company? Then breach notification - what happens if something goes wrong? You can't ever be in a position of saying it will never happen to [you] because it does. It happens to people every day.
Malicious Insider Threats
FIELD: Kroll's third prediction is about the malicious insider threat, saying the malicious insider remains a serious threat that will become more visible in 2014. How will organizations address the insider threat? And what about the unintentional insiders, someone that makes a mistake or gets taken advantage of by someone that's malicious outside the organization? What role do you see that individual playing?
BRILL: A lot of this comes from our actual work. We're the guys that get called when something happens. We can do the forensics, we can do the investigation, we can help drive through the noise around an incident to try to get to that root cause. We do find that there are a lot of cases that are ultimately an insider. Part of that is because, over the years, the definition of an insider has evolved. We used to think of it as being a regular employee, but, as we talked about before, there are now a lot of business partners, business associates, who provide services to us and are, relative to the outside world, insiders. There are temps; there are contractors; there are vendors; there's an entire ecosystem of organizations that collectively represent the insider. It's in that ecosystem that we see some of these problems. It could be somebody who's doing this for money. We see information being sold. It can be somebody who's doing it because they have a political agenda, kind of an inside hacktivist, or it could be somebody working with cybercriminals.
The other part of what you said is equally true. Even with the best of intentions, people make mistakes. They will respond to a phishing e-mail that looks so real that it was just something that they had to do. They will visit a website that provides drive-by malware. They will pick up a memory stick that they might have found in the parking lot and try to find the owner by plugging it into their machine, not realizing that one of the tricks the bad guys have learned is to take an infected memory stick and drop it in the parking lot or leave it in a bathroom on an unguarded floor of a building. [They] look at people's better nature, their desire to help people, to start the infection chain.
That's really why I say that no organization, no matter how hard they try, can ever immunize themselves against these problems. That's why it's so important for organizations to be ready for that, to have a plan in place to handle an incident, and then to practice that plan. One of the things that we found is that organizations that have a plan and practice the plan - whether they are practicing it through internal exercises, whether we come in and build a tabletop exercise - when an incident occurs [they] get through that incident far better than those who are trying to learn incident management in the middle of an incident.
Breach Response: One Size Doesn't Fit All
FIELD: I don't want to give away everything from your forecast, but maybe you could give us a hint of what some of the other predictions are. Most important, where can people go to read more about these predictions?
BRILL: The things we're seeing are really related in a lot of ways to what you and I have talked about in the last few minutes. The other side of the coin from protection is the remediation, and we're seeing that there are more standards related to breach remediation. One of the key things we're seeing there is that it's always been assumed for some reason that when you have a breach, one size fits all, because over the years, whenever I've gotten a breach letter, it usually says something like, "We feel terrible about this and we're going to give you a year of monitoring of your credit report." One of the things that we've learned is that sometimes that's a great idea, but in a lot of cases doesn't actually make sense because the kinds of incidents that involve the misuse of that data aren't things that show up on the credit report; things like W-2 fraud where somebody uses your information to get a job, leaves and you end up with a tax bill, or healthcare fraud where they're using your information to literally get healthcare under your name. Those are not going to show up on a credit report.
When an incident occurs that involves sensitive data, we're finding that it's becoming increasingly important for organizations to work with their risk managers, counsel and forensic resources to understand what happened and to base their response and their work with the victims to the realities of the particular situation. That's going to become very prevalent.
Finally, we see a couple of things happening as everybody else [has] in the industry, the so-called cloud phenomenon where more and more things are being done remotely and less and less is necessarily being done within organization or on the desktop computer. The other is bring-your-own-device, and, collectively, these are accelerating and they're going to require companies to think very carefully not just about the technology, but about the legal implications, the electronic discovery implications of these devices, and think about how they can bring them into a reasonable set of compliances with what the company needs, with what these frameworks call for, and still work with the needs of the employee to get their job done.
2014 Cybersecurity Forecast
FIELD: Where can individuals go to learn more about the predictions, and, most important, how should they act upon this information you're giving them?
BRILL: People want to be able to read our predictions and see what we collectively have come up with, looking across all of our cases around the world. They can go to our website, www.krollcybersecurity.com, or to our corporate site at www.kroll.com, and they'll find a link to it. I think every organization is going to have to determine how to use it best, but what would please me is if they looked at the seven areas of prediction that we've come up with this year and simply ask the question, "How does this apply to me for real? What would I have to do to avoid problems in this area?"
To the extent that we have additional information that can help or that our experience can be of assistance, call us. Call whoever you trust as an advisor and get the information to your general counsel or get the information to your risk manager and compliance people. Work together with them to build a better set of controls for your organization and be ready when an incident occurs.