
January 2016 Volume 14 Issue 1

Securing the Cloud

Promoting Public Cloud Workload Security: Legal and Technical Aspects
Gaining Confidence in the Cloud
Why Risk Management Is Hard
Securing the Cloud

Table of Contents

Feature

16 Promoting Public Cloud Workload Security: Legal and Technical Aspects
By Jason Paul Kazarian
As workloads are moved from privately owned, on-premises infrastructure to public cloud computing platforms, an organization must rely more on external legal and technical aspects (compared with internal policies, procedures, and tools) for managing security. This article reviews such aspects from a security perspective.

Articles

22 Gaining Confidence in the Cloud
By Phillip Griffin – ISSA Fellow, Raleigh Chapter and Jeff Stapleton – ISSA member, Fort Worth Chapter
In cloud deployments organizations remain responsible for ensuring the security of their data. Can cloud-based technologies, such as the blockchain, play a role in providing cloud subscribers assurance their data is being properly managed and that their cloud service provider is in compliance with established security policies and practices?

27 Why Risk Management Is Hard
By Luther Martin – ISSA member, Silicon Valley Chapter and Amy Vosters
Risk management is harder than we would like it to be because people do not think rationally. Our built-in irrational biases affect all of the decisions that we make, and this includes how we choose to manage risks. Fortunately, we now understand how our biases work, so we can account for them and avoid making some of the bad decisions that they might lead us to make.

33 Securing the Cloud
By Barettè Mort – ISSA member, North Texas Chapter
This article discusses cloud environments and focuses on security issues in the areas of availability, privacy, and reliability.

Also in this Issue

3 From the President
4 From the Editorial Board
5 Sabett’s Brief: Cloud Security for a New Year
6 Herding Cats: Bring Your Own Solution
7 Security Awareness: The Security Advice Magic Quadrant
8 Security in the News
9 Perspective: Women in Security SIG: Oh Baby - The IoT and Security
10 Open Forum: Your CISSP Is Worthless – Take Two
11 Ethics and Privacy: The Increasing Significance of Ethics in IT Security
12 Association News

©2016 Information Systems Security Association, Inc. (ISSA) The ISSA Journal (1949-0550) is published monthly by the Information Systems Security Association, 12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190.

2 – ISSA Journal | January 2016

From the President

Hello ISSA Members

Andrea Hoy, International President

Happy New Year!

The year 2016 will be a year of growth for ISSA as we focus on our commitment to drive financial decisions to ensure they will positively affect and give back to the chapters and membership. The Special Interest Groups—Security Education Awareness, Women in Security, Healthcare, and Financial—are providing networking opportunities with the communities that interest our members, and there are other areas in our community where we can expand in 2016.

The Cyber Security Career Lifecycle (CSCL) is providing both members and non-members, who might decide to become members, visibility into the personal career path some of our members are sharing in video clips. There is now structure to the CSCL career levels and much more to come in 2016.

The topic this month is about securing the Cloud. If you think about it, the success of ISSA is dependent upon what happens in a different cloud. ISSA could not and cannot be sustained without all the work our member volunteers do at both the chapter and international levels, providing leadership and visibility in the cybersecurity community and beyond. I have met many members over the past few months and hope to meet more of you this year.

I would be remiss if I did not take this opportunity to recognize and thank all of you—and you know who you are—for the time you serve and volunteer to make ISSA relevant in your local communities and beyond: speaking at schools/colleges, community gatherings, conferences, summits, webinars; writing books, blogs, papers, articles—especially for the Journal—and more; training, teaching, donating your time, sharing your passion, serving as a leader at a chapter, and serving on or leading a committee. We are fortunate to be in a professional association where it is easy to support and give back to our community.

ISSA is great because of the networking between its members and what you, the members, do to make and keep it relevant with your feedback.

Here is to a successful 2016!

Thank you! And I hope to meet and hear from more of you all in this new year!

Moving forward,

International Board Officers
President: Andrea C. Hoy, CISM, CISSP, MBA, Distinguished Fellow
Vice President: Justin White
Secretary/Director of Operations: Anne M. Rogers, CISSP, Fellow
Treasurer/Chief Financial Officer: Pamela Fusco, Distinguished Fellow

Board of Directors
Frances “Candy” Alexander, CISSP, CISM, Distinguished Fellow
Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Rhonda Farrell, Fellow
Garrett D. Felix, M.S., CISSP, Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS, Fellow
Alex Wood, Senior Member
Keyaan Williams
Stefano Zanero, PhD, Fellow

The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government. The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.

From the Editorial Board

Thank you for a great 2015 – looking forward to an even greater 2016.

Joel M. Weise – ISSA Distinguished Fellow and Editorial Advisory Board Chairman

I would like to close out 2015 with a thank you to our international board, and Andrea Hoy and Candy Alexander in particular, for some amazing support in a year that saw many changes to our association. Likewise, a thank you to all of the members of the Journal’s editorial board for their tremendous efforts to ensure we publish an industry-respected information security journal—thank you, Phillip Griffin, Michael Grimaila, John Jordan, Mollie Krehnke, Joe Malec, Donn Parker, Kris Tanaka, and Branden Williams. I would also like to thank the authors of the 49 articles, 11 columns and 10 editorials for their contributions—69 authors altogether. Without their efforts there would be no Journal.

Lastly, the Journal could never be put together and published without the incredible efforts of Thom Barrie, our editor. A huge thank you to Thom.

Although this year we bid farewell to two long-time columnists, toolsmith’s Russ McRee and Risk Radar’s Ken Dunham, we were lucky enough to introduce two new columns that have been well received: the Women in Security SIG’s Perspective: Women in Security, which complements the monthly webinars, and the Open Forum, which is an editorial soapbox for any subject by anyone with an opinion.

We have also introduced new recognitions for authors, one of those being for the best article of the year. Our first recipient of the Best ISSA Journal Article of the Year is “Troubling Trends of Espionage” by Ken Dunham. Congratulations, Ken.

I have but a single request to the members of our association. Putting together the Journal is a significant effort and requires authors willing to be published. We need more members to participate as authors. Please review the editorial calendar, pick a subject you would like to write about, and submit it to the Journal. I can’t think of a better way to promote one’s career than getting published in the Journal.

– Joel Weise

Editor: Thom Barrie, [email protected]
Advertising: [email protected]

Editorial Advisory Board
Phillip Griffin, Fellow
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Kris Tanaka
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Distinguished Fellow

Services Directory
Website: [email protected]
Chapter Relations: [email protected]
Member Relations: [email protected]
Executive Director: [email protected]
Vendor Relations: [email protected]

Information Systems Security Association, 12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190
703-234-4082 (direct) • +1 866 349 5818 (USA toll-free) • +1 206 388 4584 (International)

The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader.

Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry, and/or changes/enhancements to hardware or software components.

The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org.

All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.

Sabett’s Brief

Cloud Security for a New Year

By Randy V. Sabett – ISSA Senior Member, Northern Virginia Chapter

As I sat down to write this month’s column on cloud security, I thought to myself, “it’s now 2016—what could possibly be new in cloud security?” Well, for one thing, we are getting better at telling whether or not someone is a dog. Of course, it goes without saying that my four dogs are not very happy about this. In any event, liability concerns around cloud security will continue to be a prominent issue this year.

When examining the issue of liability involving cloud security, I am reminded of a client that I had several years ago. This was back in the day when security was not a top-of-mind issue for many companies. For many entities, provisioning cloud services was done at your own risk, and a risky business it was. My client was, at that time, one of the only cloud service providers that was offering a complete suite of security protections out-of-the-box. When you signed up for their services, you knew you were getting top-of-the-line security. Not surprisingly, you would also have been paying higher rates, but such is the price of security.

During the same period, I also worked with clients who were consuming cloud resources. For these clients, I often found myself counseling them on how to structure their contracts with cloud service providers. I and my colleagues had come up with a list of 14 different items that required, at least to some extent, slightly different treatment when provisioning cloud services. While many of those older concerns are now being addressed by a majority of cloud service providers, there are several considerations that will likely be relevant in 2016. Here are a few:

Public versus private. An ongoing debate with liability implications involves whether to implement a public cloud or a private cloud. Many commentators appear to believe that a private cloud strategy can make compliance with regulatory or contractual requirements easier (e.g., HIPAA privacy and security rules or PCI DSS), but rarely are such simple rules as straightforward as they would seem. True security depends more on the strategy employed by an organization toward cloud security as opposed to where that cloud is deployed.

Increase in hybrid cloud deployment. In light of the preceding issue and in order to address certain security concerns, a number of organizations have opted to use a hybrid cloud approach. This trend is likely to continue throughout 2016.

Mobile intersects with cloud. The Cloud Security Alliance recently released a white paper that incorporates various components from the NIST 800 series to address security issues that may arise when mobile applications utilize cloud services. As mobile technology and mobile deployments become more and more ubiquitous, the use of cloud resources by those mobile technologies will continue to increase dramatically. Appropriate thought must be given to such deployments.

Cloud decision-making process. The research firm Insight released findings from a recent cloud survey that showed almost 60 percent of decisions involving cloud deployment are made by the CIO of an organization, with input from the CFO and/or chief security officer.

Overall increase in cloud usage. According to a number of commentators, historically cloud deployment was most frequently used by large entities. Over the past couple of years, however, the number of SMB customers has steadily increased. Various predictions have this trend continuing throughout 2016.

Basic blocking and tackling. Despite clear advances in the security posture of many organizations, the continuing parade of data breaches and information spills often can be traced back to very basic information security lapses. These often have nothing to do with cloud implementation or cloud security, but instead involve relatively well-known infosec issues.

Well, that’s about it for this month’s discussion of the cloud. As you can see, security will continue to be a prevalent issue for cloud deployments over the foreseeable future. As with any other technology, however, attention to security basics will go a long way toward securing the cloud. Speaking of which—I’m off now to sign up Pepper, Zoe, Jake, and Bert for their new cloud credentials…and we’re not going to reveal that they are dogs…

About the Author
Randy V. Sabett, J.D., CISSP, is Vice Chair of the Privacy & Data Protection practice group at Cooley LLP (www.cooley.com/privacy), and a member of the Boards of Directors of ISSA NOVA and the Georgetown Cybersecurity Law Institute. He was a member of the Commission on Cybersecurity for the 44th Presidency, named the ISSA Professional of the Year for 2013, chosen as a Best Cybersecurity Lawyer by Washingtonian Magazine for 2015-2016, and can be reached at [email protected].

Herding Cats

Bring Your Own Solution

By Branden R. Williams – ISSA Distinguished Fellow, North Texas Chapter

Like many of you, I work for a company that has a quite oppressive information technology policy for good reason. While it does quite a bit to keep rogue or unknown bits of software out of the corporate environment, it creates an interesting dynamic whereby we can be more efficient in our personal lives than in our work lives. I often find that my ability to be efficient is hindered by a missing tool, app, or access to some resource. Let’s explore an example.

During my academic career I had to manage a massive list of sources and references to materials that I used in various work products. Course work aside, I was having to keep track of over 160 different artifacts, the physical paper or book in most cases, and the reference materials needed to keep it all together. Add course work to the mix and that number goes up by well over 400 additional sources. Not only did I need to search through this information on a regular basis to ensure I was supporting my arguments correctly, but I continue to use it today when I am at work. It’s my own personal library that I continue to maintain (both adding, updating, and culling) as needed. With that many references, there is no way that I could manage it through flat files and an excel spreadsheet (yes, I tried that). Instead, I keep this going through a library management tool (I use Mendeley now) with everything synchronized to Dropbox so I could access my materials from anywhere. My last two companies didn’t have an issue with Dropbox, but my current one does.

With BYOD, I have a halfway solution. Essentially, I can use my iPad or iPhone to search through my reference materials and then find a way to email any relevant artifacts over. In doing that, I lose time fumbling with devices and messing with corporate email.

The discussion related to cloud and personal devices isn’t really limited to the device anymore. It’s really a Bring Your Own Technology, or Bring Your Own Solution discussion. The cloud has permeated into everything we do, and when things are not synchronized, we end up fighting with our devices. Now you can see why we can be so much more efficient in our personal lives than we can at work. Given the amount of corporate dollars spent on information technology, that should infuriate you.

There are good reasons why you don’t want certain applications, services, and devices around your networks and data. There are also great reasons why you want to improve your security posture in a way that allows for many of these technologies to be used by employees. Over the seven plus years that you all have indulged me by not using this column only as kindling, we’ve discussed things like layered security approaches, actively hunting our adversaries, and embracing the technologies that are out there to understand how to safely incorporate them into the user experience so they don’t create shadow IT.

You can’t stop there, however. There is quite a bit of user education that everyone who is bringing his own solution should complete. Everyone using these technologies must understand the answers to questions like what’s OK to put in Evernote and what’s not? As a security professional, you must ask what tools you need to make sure that you can back the user training up with solid controls that prevent an accident—your multi-layered approach.

Even though this issue is dedicated to securing the cloud, I wanted to explore the benefits of the cloud for the individual worker and how we can leverage those safely. I would be surprised if there are people reading this that have not used some sort of cloud service by now (perhaps unwillingly) and thought that it could help solve some other problem they deal with professionally. The problem may be more accurately described as securing ourselves to enable the power of the cloud for our users.

So as you kick off your activities for 2016, let’s spend some time focusing on enabling our users. If you took my challenge to live life as a regular user last month, you probably have a short list of things that you can start working on now that will make you a hero in your users’ eyes. Let’s see if we can find ways to make our users more productive while keeping the goals of securing the enterprise intact.

About the Author
Branden R. Williams, DBA, CISSP, CISM is the CTO, Cyber Security Solutions at First Data, a seasoned security executive, ISSA Distinguished Fellow, and regularly assists top global firms with their information security and technology initiatives. Read his blog, buy his book, or reach him directly at http://www.brandenwilliams.com/.

Security Awareness

The Security Advice Magic Quadrant

By Geordie Stewart – ISSA member, UK Chapter

The challenge of how we structure, analyze, and select the security advice we deliver to end users has been a recurring topic in this column. We can’t provide unlimited advice to unlimited people, so we need to prioritize. Costs need to be understood. We need to consider not just the displacement of productive activities for employees sent on training but also attention spans that are part of a finite economy. Training people on X reduces their tolerance to absorb Y. Everyone has his limits no matter how interesting or important we think our information is.

When selecting which security advice to prioritize, it’s important to consider two aspects. Firstly, will the advice you’re giving be valid in the longer term? Or, is the advice likely to become obsolete as threats and attack techniques rapidly evolve? Secondly, to what degree is the advice we’re giving likely to be effective? Will it only be valid in very specific circumstances, or will it be a reliable rule-of-thumb or universal truth that can be widely applied? The holy grail of advice, therefore, should be to focus on the long-term advice that addresses the widest set of risks possible. Sounds simple, but arguably much of our advice has historically been short term and situation specific.

For example, consider how our anti-phishing security awareness advice has changed over the years. Much of it was short term in nature that quickly became obsolete as threats quickly evolved. We told people to avoid .ru links so attackers moved to different addresses. We told people to watch out for spelling mistakes and poor grammar so attackers improved their English. We told people to use https connections so attackers made sure to get a certificate for their sites and use SSL. Our advice now remains as a useless evolutionary awareness appendage or worse. There are people that conclude an email is safe just because it is grammatically correct and the embedded links use https. It would be easy to say that users have misunderstood the difference between transaction privacy and entity authentication, but I suspect we haven’t made it any easier for them.

In contrast, the advice to avoid opening attachments or links in emails that you’re not expecting remains as potent as ever. It’s a universal truth that is likely to remain true in the future as well.

[Figure: Security Awareness Advice Magic Quadrant. Vertical axis: Degree of Threat Mitigation; horizontal axis: Duration of Effectiveness. Evolving: short-term mitigation for a wide range of threats. Strategic: long-term mitigation for a wide range of threats. Tactical: short-term mitigation for specific threats. Enduring: long-term mitigation for specific threats.]

With the benefit of hindsight, our security advice needs to be strategically focused as much as possible to focus on these long-term, universal “truisms” rather than short-term tactical fixes. If you’re about to issue advice to users, consider where it fits. In some cases perhaps it could be tweaked to lift out some specific detail that would limit the longevity of the advice and make it a universal truth that would fit into the “strategic” box. What do you think of the Security Awareness Advice Magic Quadrant? Does it help to provide structure and a way to classify our communications? Do get in touch with your views.

In other news, the Australian government has issued “advice” encouraging people to switch off two-factor when traveling overseas.1 Apparently, two-factor authentication isn’t really all that important when using wireless Internet from strangers or connecting from an Internet café. Unbelievable. This kind of awareness pollution2 makes our job much harder.

About the Author
Geordie Stewart, MSc, CISSP, is the Principle Security Consultant at Risk Intelligence and is a regular speaker and writer on the topic of security awareness. His blog is available at www.risk-intelligence.co.uk/blog, and he may be reached at [email protected].

1 http://www.theregister.co.uk/2015/12/22/australian_government_twofactor_auth/.
2 http://www.risk-intelligence.co.uk/issa-security-awareness-column-march-2013-lowering-security-awareness/.

Security in the News

News That You Can Use…

Compiled by Joel Weise – ISSA Journal Editorial Board Chairman, ISSA Distinguished Fellow, Vancouver, Canada Chapter and Kris Tanaka – ISSA member, Portland Chapter

Data Encryption in Sharp Focus after Deadly Attacks
www.securityweek.com/data-encryption-sharp-focus-after-deadly-attacks
It seems that recent terrorist attacks have yet again sparked the battle over the use of encryption. We’ve heard this before. Remember the Clipper chip and the LEAF back door? Restricting the use of encryption is simply not the answer. As Bruce Schneier often points out, getting the bad guys is all about plain old, every day, good police work. Furthermore, I, for one, am not willing to give up my privacy by allowing back doors to exist as I think in the long run, it makes us all less secure.

Silent Circle’s Encrypted Phone App Cleared for US Government Use
www.zdnet.com/article/silent-circle-phone-app-cleared-for-us-government-use/
This sums it up as far as I’m concerned. “Analysis: The question shouldn’t be if encryption should have back doors, but why intelligence agencies have begun shifting the blame onto those who push for privacy.” Silent Circle looks like the STU-III phones for the Millennials. In fact, I can’t wait to try it out.

Brazen North American Cyber Underground Offers DIY Criminal Wares for Cheap
www.darkreading.com/endpoint/brazen-north-american-cyber-underground-offers-diy-criminal-wares-for-cheap/d/d-id/1323449
If there was any doubt as to how easy it is to set up a criminal enterprise, read this article. It is a great primer on how simple it is to obtain and use crimeware kits. I did notice one odd thing. Why is a fake US passport only going for $30 while a fake driver’s license costs $145?

Biggest Data Breaches of 2015
www.networkworld.com/article/3011103/security/biggest-data-breaches-of-2015.html
It seems like every year is worse than the last—health care, government, financial services, social media, you name it. The only problem I see is that the average attention span of most business people is about three minutes, and thus they fail to make real and lasting changes in their information-security posture.

80 Percent of Companies Had a Security Incident in 2015
www.infosecurity-magazine.com/news/80-companies-had-a-security/
Are we worrying too much? Fifty-three percent of IT professionals surveyed reported that they were concerned about ransomware in 2016; however, only 20 percent of organizations experienced a ransomware incident in 2015. In addition, 39 percent and 37 percent of IT professionals also worry about data theft and password breaches, respectively; but only five percent of organizations had an incident of data theft in 2015, and only 12 percent experienced a password breach. On the other hand, perhaps worry is a good thing since 71 percent of IT professionals expect their organizations to be more secure in 2016 thanks to new investments in more advanced security solutions and end-user trainings.

Cloud in 2015: Year of Shake-up, Consolidation, Advance
www.informationweek.com/cloud/infrastructure-as-a-service/cloud-in-2015-year-of-shake-up-consolidation-advance/d/d-id/1323376
This is a good review of the current state of cloud computing. Amazon Web Services has quickly taken the lead in the industry, but its competitors are scrambling to change their strategies in an attempt to rebalance the cloud power scale. Who will win? That remains to be seen. But it will be exciting to see what technological breakthroughs will occur, thanks to this quest for cloud dominance.

Where We’ve Been. Where We’re Going.
www.csoonline.com/article/3015379/security/where-we-ve-been-where-we-re-going.html
In general, I agree with most of what the article says about the world of information security. Some points, however, are overplayed. Sure, we had a lot of high-profile attacks, but I really don’t think they create the positive impact needed to improve data security. The one item that should give us all some pause is the re-emergence of shadow IT. The last thing most CISOs want is some wayward department opening back doors into the organization.

Apple Pay and Other Mobile Payments: Why We Still Don’t Use Them
http://venturebeat.com/2015/12/13/apple-pay-and-other-mobile-payments-why-we-still-dont-use-them/?utm_content=buffer1cc8f&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer
As one involved in the development of EMV, I am always curious as to what the latest and greatest is in mobile payments. All told, if this is accurate, Apple has a long way to go before people will adopt this financial service tool. Unfortunately, I know their pain—it’s only taken close to 20 years for the US to embrace chip cards.

Cybersecurity Predictions for 2016
After the holiday chaos settles down for a long winter’s nap, people tend to pull out their crystal balls in an attempt to forecast what’s ahead for cybersecurity. Here are a few prediction articles for your reading pleasure. Note: You might want to tuck them away and pull them out again at the end of the year to see just how accurate these prognosticators actually were. Happy New Year!

Top 15 Security Predictions for 2016
www.csoonline.com/article/3013060/security/top-15-security-predictions-for-2016.html

A Few Cybersecurity Predictions for 2016
www.networkworld.com/article/3015442/security/a-few-cybersecurity-predictions-for-2016.html

Cybersecurity Predictions for 2016: Choosing Leadership over Luck
www.forbes.com/sites/forbestechcouncil/2015/12/10/cybersecurity-predictions-2016-choosing-leadership-over-luck/

Industry Experts Predict the Top Cybersecurity Trends for 2016
www.esecurityplanet.com/network-security/industry-experts-predict-the-top-cyber-security-trends-for-2016.html

Perspective: Women in Security SIG

Oh Baby - The IoT and Security

By Avani Desai – ISSA WIS SIG member

A mother was woken on hearing a strange voice shouting “wake up baby.” Looking around, there was nobody in the house, but she was using a baby monitor that streamed video of her sleeping baby to her cellphone. On investigation she found that someone had hacked into her baby monitor, was watching her baby sleeping and was trying to wake the baby by shouting through the monitor to “wake up!” This is a chilling story and one which every parent would find frightening.

The advent of the Internet brought with it new ways in which cybercrime could be committed. We have seen this borne out by the increasing number of web-based threats and the exposure that email has brought with it—phishing being one of the most successful vectors for malware infection and data exfiltration. The Internet of Things (IoT), whereby the most domestic of devices like a fridge or a baby monitor is web enabled, is now taking these threat levels to a new extreme; and the worry is that the manufacturers of IoT devices are not keeping up with the threat potential.

The problem stems from the speed at which IoT has swept upon the technology landscape. IoT devices are often connected up to web applications like email accounts, Google calendars, and other data-rich applications. Cybercriminals are after the data, not the device; the device is simply the conduit. McAfee and Intel predicted that by 2020 there would be 31 billion IoT devices worldwide, and they are now saying this is an underestimate. This opens up a massive exploit base for cybercrime, making security by design an integral part of IoT devices.

Protecting our infants

One of the areas where we are seeing IoT device innovation is in the field of parenting. There is a small explosion of devices that are now connected to other devices such as mobile phones and via the Internet that are designed to help in “bringing up baby.” Health apps are a critical focus area. Devices such as the Pacif-I, which tracks your baby’s body temperature through a pacifier connected to a mobile app, is a typical example. The already mentioned video baby monitor lets you connect to a camera through a mobile app to monitor your sleeping baby. There are even baby onesies that monitor your baby’s temperature, sleeping position, and breathing patterns and send the data to a mobile app.

This is creating large quantities of highly personal information about your baby. It is our duty as parents and as a society to protect them and prevent exposure of their personally identifying information. Some areas are of concern regarding the security of the devices we are using to try and monitor and protect our children. Here are three areas that make these monitors insecure:

Poor implementation of Internet security protocols. VTech just announced that a database including names, birth dates, and genders of 5 million customers and their children was stolen by hackers. However, this isn’t an area just confined to baby monitor vulnerabilities; other IoT devices like the Samsung smart fridge have been found to have serious flaws because of poorly implemented protocols (i.e., SSL/TLS), allowing cybercriminals to steal login credentials and data. Regarding a video monitor, a cybercriminal could exploit this vulnerability, potentially accessing unencrypted streamed video, or steal authentication credentials, which could then be used to login and take control of the device.

Back-door accounts. Often baby monitors (and other IoT devices) have factory-set default usernames and so, for example, you can login and control the device using username “Admin” and password “Admin.” These are, of course, guessable, and brute force attacks can then give access to the device. In the case of a baby monitor, for example, the cybercriminal could add new accounts to the device creating their own “baby show”—horrifying stuff.

Authentication bypasses. Any system that allows new users to be added without an authentication check at the time of account creation is highly vulnerable to abuse. Certain baby monitors have been shown to allow new users to be added without asking for a password or other authentication credential. An attacker can simply add new users, at will, to any of the vulnerable systems using a very simple URL hack.

Forcing the Web to grow up

This level of security vulnerability is extremely alarming. The rush to get Internet-enabled devices out to market seems to have come at the cost of security and privacy. The protection of our privacy and personal data is one thing, but the thought of our most precious little people being exploited in this way is a step too far. The Internet of Things has opened up some innovative ways in which to keep our children safe, but more thought and work needs to go into making sure those safety nets are safe.

About the Author

Avani Desai, first and foremost a mom, is an Executive Vice President at BrightLine. She has been helping clients with their compliance services for over 13 years. She may be reached at [email protected].
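As an added example (not code from the column or from any monitor vendor), a small Python model of a device's account store contrasts the two account-handling weaknesses named above, factory-default Admin/Admin credentials and user creation with no authentication check, with a hardened variant that refuses to add users until the default has been rotated and the caller holds an authenticated admin session; the default-credential list, user names, password length rule and lockout threshold are assumptions.

```python
"""Constructed model of a baby-monitor account store (added example, not a real product)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Assumed factory defaults a hardened firmware should refuse to keep or re-create.
DEFAULT_CREDENTIALS = {("Admin", "Admin"), ("admin", "admin"), ("admin", "1234")}
MIN_PASSWORD_LEN = 12      # assumed policy
MAX_FAILED_LOGINS = 5      # assumed lockout threshold to blunt brute-force guessing


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a dumped account table does not yield plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    is_admin: bool = False
    failed_logins: int = 0
    must_change_password: bool = False   # True while the factory default is still in place


@dataclass
class DeviceAccounts:
    accounts: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)   # session token -> username

    @classmethod
    def factory_image(cls) -> "DeviceAccounts":
        """The shipped state the column describes: a known default admin account."""
        dev = cls()
        dev._store("Admin", "Admin", is_admin=True, must_change=True)
        return dev

    def _store(self, user, password, is_admin=False, must_change=False):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt), is_admin, 0, must_change)

    def login(self, user, password):
        """Return a session token or None; accounts lock after MAX_FAILED_LOGINS wrong guesses."""
        acct = self.accounts.get(user)
        if acct is None or acct.failed_logins >= MAX_FAILED_LOGINS:
            return None
        if not hmac.compare_digest(acct.digest, _hash_password(password, acct.salt)):
            acct.failed_logins += 1
            return None
        acct.failed_logins = 0
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user
        return token

    def add_user_unauthenticated(self, user, password):
        """The weak behaviour the column describes: a request adds an account, no check at all."""
        self._store(user, password)
        return True

    def add_user(self, session_token, user, password):
        """Hardened: only an authenticated admin who has rotated the factory default may add users."""
        admin = self.sessions.get(session_token)
        if admin is None or not self.accounts[admin].is_admin:
            return False
        if self.accounts[admin].must_change_password:
            return False   # refuse to grow the user base while Admin/Admin still works
        if (user, password) in DEFAULT_CREDENTIALS or len(password) < MIN_PASSWORD_LEN:
            return False
        self._store(user, password)
        return True

    def change_password(self, session_token, new_password):
        """Clears must_change_password once a non-default, long-enough password is set."""
        user = self.sessions.get(session_token)
        if user is None or (user, new_password) in DEFAULT_CREDENTIALS:
            return False
        if len(new_password) < MIN_PASSWORD_LEN:
            return False
        self._store(user, new_password, is_admin=self.accounts[user].is_admin, must_change=False)
        return True
```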

January 2016 | ISSA Journal – 9 Open Forum

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. The views expressed in this column are the author’s and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.

Your CISSP Is Worthless – Take Two

By Frederick Scholl – ISSA Senior Member, Middle Tennessee Chapter

Dave Shackleford’s column in the October 2015 issue got me thinking. Is the CISSP certification worthless? What accomplishments do have value for an information security professional? Over the past 10 years I have divided my time between managing security within a Fortune 50 organization, consulting, and teaching information security at two universities. I have helped dozens of professionals move up the security career ladder or into new security careers. Have certifications helped them toward career success?

First of all, there is no magic bullet certification. A CISSP certification is a piece of paper that does not grant you the right to enter the field. Other experience and skills you will need include on-the-job experience, communication skills, collaboration skills, and just plain enthusiasm. A CISSP cert does show that you have obtained a test-based, broad security knowledge and have been a practitioner for at least four to five years. But that is only the start.

A CISSP will then have to obtain an average of 60 CPEs per year. This continuous improvement is one of the requirements that can add great value to certs like CISSP, GIAC, or CISM. I am always looking for ways to grab more CPE. There’s no need to be satisfied with the minimum required. Are you OK with the minimum security compliance requirements in your organization? The practice of security itself is one of continuous improvement. Certs that do not require CPEs truly are worth no more than the cost of the entrance exam.

The other value in certs such as CISSP, GIAC, and CISM is that they all require affirmation of a code of ethics. Isn’t this a critical asset to have in today’s uncertain world?

From a purely financial point of view, today’s certs seem to offer a good “return on investment.” The better known certs add 10-14 percent on top of annual salary, at least for employers who acknowledge certifications. Overall, for a basket of 72 security certifications, the pay premium has increased by +4 percent over the last 12 months.1

College degrees and certs often get questioned in the same conversations about security. What is the value of a degree? Programs that I am personally familiar with require hands-on training, group project collaboration, and internships with industry. The mythical “ivory tower” has disappeared from many security education programs, as it should have. Good college-level degree programs can help provide not only security technical skills, but soft skills and business management skills that security leaders say they need.

Looking at the numbers again, pay premiums for a BS degree over no degree have been reported to be around 60 percent; add another 33 percent for Master’s degree over BS degree.2 These figures are for all fields, not just IT security.

Should we make professional certs more hands on? I see some purely technical security jobs disappearing, victims of automated tools and cloud computing. In addition, hands-on security certs are already provided by vendors such as Cisco, Red Hat, and Checkpoint to name only a few.

What about other ways of improving existing certifications? What do employers say they want? According to the 2015 (ISC)2 survey,3 respondents say “broad understanding of the security field and communications skills are the top two factors contributing to a successful security professional.” When I pose the question “what do you really need” to hiring managers, I hear the same thing, with the addition of “enthusiasm.” This is in spite of the usual job listings that we all read. ISACA and SANS have both responded with security management-oriented certification programs.

How else can we improve? We need to raise the bar for our certifications, not just add more specializations. We need to make our certifications meaningful to business leadership. The timing is right for this. According to the 2016 SIM IT Trends Survey,4 information security is the #1 worry for CIOs and senior IT leaders. If we are going to get a permanent seat at the table, we need certifications that are understood and valued by the business leadership. What percent of your CXOs have heard of CISSP, CISM, or GSLC? How many have heard of CPA certification? Compare any security certification exam with the CPA exams that include 14 hours of multiple choice questions, simulation questions, and written questions. We are not there yet. By aligning our certifications with business needs we can help build brand awareness and assure long-term career paths for all of us.

About the Author

Dr. Frederick Scholl, CISSP, CISM, is president of Monarch Information Networks, LLC. He also teaches Risk Mitigation at Lipscomb University and Network Security at Vanderbilt University. He may be reached at [email protected].

1 David Foote, Foote Partners, www.footepartners.com: http://bit.ly/1lXmAbU.
2 “The College Wage Premium,” Federal Reserve Bank of Cleveland, 2012.
3 www.isc2cares.org: http://bit.ly/1GMoD5x.
4 “IT Trends Survey, 2016,” www.simnet.org: http://bit.ly/1OdtHYi.

10 – ISSA Journal | January 2016 Ethics and Privacy

ISSA PROFESSIONAL ETHICS COMMITTEE – [email protected]

The Increasing Significance of Ethics in IT Security

By Betty Pierce – ISSA Fellow, Colorado Springs Chapter

Professional ethics in the IT security realm is an underpinning to membership in the ISSA, which every member affirms initially and re-affirms upon renewing membership annually. The ISSA Code of Ethics is a time-tested set of standards for behavior and helps each of us decide which course of action is best, given a range of situations and especially the “gray area” between law/regulations and morality. Both law and ethics deal with questions of how we should live together with others, and ethics is sometimes also thought to apply to how individuals act even when others are not involved.1 The character of a person is comprised of all dimensions of his or her life behavior as a trust anchor and carries forward throughout personal and professional realms.

The importance of professional ethics in the IT security realm is increasing as the gap between law/regulations and the dual nature of advanced technologies is growing. It is widely acknowledged that there is an increased ability to perform undetected surveillance and monitoring in both the cyber and physical realms combined, which is exacerbated by the increasing interconnectivity of the environments. Certainly there is a heightened awareness of attempts to bypass and infiltrate/takedown implementations of even the most legitimate of cryptography and anonymity solutions for online communications. Simultaneously, the technology that enables exploiting the theft of information and posting of information meant to embarrass or extort has increased in availability, and adequate controls do not yet exist. Moreover, newly-emerging issues surrounding the Internet’s record of everything and the inability to erase incorrect, inappropriate, or even unflattering content, especially when the subject is an underage child, poses a paradox as to which version of the truth becomes a reality over time—the original or the redacted.2

In January 2013, the European Commissioner for Justice, Fundamental Rights, and Citizenship announced the European Commission’s proposal to create a sweeping new privacy right—the “right to be forgotten.”3 The right to be forgotten enables an individual to have certain data deleted including information, photos, and videos about themselves from certain Internet records so that they cannot be found by search engines. Many international jurisdictions have now passed “Revenge Porn” laws that criminalized the use of intimate photos or videos of significant others in order to humiliate them and have successfully enforced the law.4 Pre-nuptial agreements for celebrities now may contain restrictions on social media postings,5 and most people would agree that at minimum a serious discussion and a resulting meeting of the minds as a relationship forms would be well-advised with respect to personal information shared online. Case law is beginning to recognize the degree to which customers can hold companies and their executives liable for loss of sensitive information in recognition of the previous “actual unreimbursed theft” to “substantial risk.”6

The above examples are post-facto mechanisms and remedies. Of course, preventive is preferred, but the control technology totally lags and will continue to fall behind, and the gap is growing at an increasing rate. This article is a call to action.

We ISSA members are key to our sustainable culture of ethics that transcends international boundaries, specifically in the area of IT security and resulting privacy. Our individual histories, skills, and approaches are critical to shaping our collective future. Continue and invigorate each person’s commitment to meeting and hopefully exceeding the highest professional standards. Anytime there is a situation, even just a simple question to tossing a few ideas around, consider circling up with your ISSA colleagues that *may* have crossed the same river before.

This new year make it your personal goal to make one positive ethical impact in your sphere of influence when it is crucial to the situation. With 10,000 of us across the globe, we can make a tremendous impact.

About the Author

Betty Pierce, GSLC, is a program manager with a civilian US government agency and high-tech startup junkie with over 34 years in IT, the most recent 15 years specializing in information security. She is the corresponding secretary for the ISSA Professional Ethics Committee, past president of the Denver ISSA Chapter. She may be reached at [email protected].

1 http://www.brown.edu/academics/science-and-technology-studies/sites/brown.edu.academics.science-and-technology-studies/files/uploads/Framework.pdf.
2 http://www.nytimes.com/2014/05/30/business/international/on-the-internet-the-right-to-forget-vs-the-right-to-know.html?_r=0.
3 http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten.
4 http://www.cnn.com/2013/10/03/tech/web/revenge-porn-law-california/index.html.
5 http://abcnews.go.com/Lifestyle/love-perfect-watch-facebook-social-media-prenups/story?id=23977608.
6 http://blogs.wsj.com/cio/2015/07/23/appeals-court-revives-neiman-marcus-data-breach-suit/.

January 2016 | ISSA Journal – 11 Association News

Upcoming CISO Virtual Mentoring Presentations

Learn from the experts. If you’re pursuing a career in cybersecurity and seeking support on the path to becoming a CISO, check out this upcoming presentation:

• January 14, 2016, 1:00 pm – 2:00 pm EST: Speaker: Demetrios Lazarikos (Laz), CISO, vArmour.
• February 11, 2016, 1:00 pm – 2:00 pm EST: Title and Speaker to be announced.

Visit www.issa.org => Learn => Web Events => CISO Virtual Mentoring Series to register.

Pre-Professional Virtual Meet-Ups

Thinking about working in cybersecurity? Are you doing everything you can to get started? ISSA Pre-Professional Virtual Meet-Ups can provide you with guidance and advice. Our next Meet Ups include the following:

• January 25, 2016, 9:00 am, 10:30 am EST: Internships: Do They Really Work?
• February 29, 2016, 6:00 pm – 7:30 pm EST: What Should Your Toolbox Look Like?

Visit www.issa.org => Learn => Web Events => CSCL Meet Ups for current or archived session links.

Save the dates for the 2016 CISO Forums:

• February 27-28, 2016: San Francisco, CA. Theme: Innovation and Technology. Current Sponsors: Prosoft Systems, Zscaler, Verodin.
• May 19-20, 2016: Charlotte, NC. Theme: Infosec and Legal Collaboration. Current Sponsors: Zscaler, Illumio, Proofpoint.
• July 31-August 1, 2016: Las Vegas, NV. Theme: Effective Applications of Security Convergence and Analytics. Current Sponsors: Illumio, Proofpoint.
• November 3-4, 2016: Dallas, TX. Theme: Think Big. Current Sponsors: Illumio, Proofpoint.

Do You Qualify?

The CISO Executive Forums are peer-to-peer events. The unique strength of these events is that members are free to share concerns, successes, and feedback in a peer-only environment. Membership is by invitation only and subject to approval. Membership criteria act as guidelines for approval. If you feel you may qualify to become an ISSA CISO Executive Member, visit www.issa.org => Learn => CISO Executive Forum for more information.

SAVE THE DATE

HYATT REGENCY | DALLAS, TEXAS | NOVEMBER 2-3, 2016

FEATURING:*
• 800+ Attendees Expected
• 60 Sessions | 7 Tracks | CPEs
• Up to 100 Exhibits
• Career Counseling & Networking Center
• Cyber Defense Center
• International Awards
• ISSA Party in the Sky
• CISO Executive Forum

*Subject to change.

Information Systems Security Association | www.issa.org | 866 349 5818 USA toll-free | +1 206 388 4584 International

Get the Recognition You Deserve in 2016

Do you qualify to become a Senior Member, Fellow, or Distinguished Fellow? The ISSA Fellow Program recognizes sustained membership in ISSA and outstanding contributions to the profession. Senior Member status is the first step toward fellowship and requires at least five years of membership. Fellow status is limited to a maximum of two percent of the membership. Distinguished Fellow status is limited to no more than one percent of members at any given time.

Nominations and applications are accepted on an annual cycle. Applications are being accepted until Monday, August 1, 2016, 5:00 pm EDT.

Apply today: www.issa.org => Advance => Fellow Program.

Learn about ISSA’s Special Interest Groups? Join free at www.issa.org => Learn => Special Interest Groups!

• Women in Security SIG: January 11, 2016, 4:00 pm – 5:00 pm EST
• Security Education and Awareness SIG: January 27, 2016, 9:00 am – 10:00 am EST

Have You Submitted Your Article Proposal for 2016?

The ISSA Journal Editorial Advisory Board is looking for articles for 2016.

Why Should You Write for the ISSA Journal?
• Advance your career
• Gain chapter, national, and global recognition for what you know
• Help others benefit from your expertise
• Showcase your organization
• Receive invitations to speak around the country
• Improve your chance to present on an ISSA International Web Conference
• Improve your chance to speak at ISSA’s 2016 International Conference

Set a personal goal

Check the editorial calendar for themes, and set a personal goal to submit an article. Submit your questions and articles to [email protected]. For reference and to get you started, review theme descriptions and editorial guidelines at www.issa.org => Learn => Journal.

Career Opportunities

Visit www.issa.org => Advance => Career Center

For Cybersecurity Job Seekers: If you are looking to get started or advance in your cybersecurity career, check out the ISSA Career Center. The center offers several hundred available jobs and allows you to post a searchable or confidential resume, increasing the odds that you will find an ideal match.

For Employers: If you’re an employer seeking to fill new or vacant security positions, the Career Center offers an effective, low-cost tool to achieve your HR objectives quickly and simply.

Highlighted Pick of the Litter – Job of the Month

Chief Information Security Officer, Augusta University – Augusta, GA. The Chief Information Security Officer provides enterprise-wide leadership in the enhancement of information security for Augusta University and the Health System.

More jobs you will find on the ISSA Career Center:
• Director of Information Security and New Initiatives, Duquesne University, Pittsburgh, PA
• Senior Information Security Analyst, Sodexo, Williamsville, NY
• Senior Data Management Analyst, Arapahoe County Colorado (Government), Littleton, CO
• Chief Information Security Officer, TMF Health Quality Institute, Austin, TX

2015 Security Review & Predictions for 2016

2-Hour Live Event: Tuesday, January 26, 2016, 9:00 am US-Pacific / 12:00 pm US-Eastern / 5:00 pm London

Yes, once again some brave (or foolish?) folks will volunteer their insights and make predictions for the 2016 infosec challenges. To a degree, changes in legislation and technology are easy meat to predict in a 12-month time frame. But who could have predicted last year? What is likely to be the next cataclysmic event to rock the industry? Will the winds of change continue to blow security in the “cloud?” Join us, make notes, and then check back in a year to see how we did!

Moderator: Michael F. Angelo, CRISC, CISSP, Chief Security Architect, NetIQ Corporation, ISSA Web Conference Committee Chair.

To register, visit www.issa.org => Learn => International Web Conferences.

2015 International Awards Ceremony, Chicago Conference

One of the highlights of the annual conference is recognizing members, individuals, and organizations that exemplify the spirit of ISSA, the commitment of its members, and the contributions of the information security community around the world. As volunteerism is so crucial and central to our association, let’s shine the spotlight on this year’s ISSA Volunteer of the Year.

ISSA Volunteer of the Year: David Vaughn, Raleigh Chapter

Mark Hahn, Awards Committee member, introduced David with a few words submitted by Craig Cunningham who nominated David for this award: “David Vaughn is constantly working to provide additional educational content for existing events such as ISSA meetings and helping to support new events such as BSides Raleigh. He has been a volunteer for ISSA, BSides, (ISC)2, InfraGard, Blackhat 2014, Defcon 22, and many others. David does the job of sharing what he knows personally but also searches for experts in diverse fields to teach what he cannot. He has acted not only as a teaching fisherman but also the gatherer of fishermen so that each participant will be prepared even on distant shoals.”

David Vaughn accepting the award:

I want to thank the international board for the recognition and you, Craig, for those kind words. This really goes back to two people who are near and dear to my heart and probably mentors to us all: the late Shon Harris and Jennifer Minella, a local in the Raleigh area and on the (ISC)2 board of directors. Yesterday I found out the Shon Harris Scholarship Foundation was just shy of its goal by $1,000. I asked the Women in Security SIG if I could champion that effort, and all morning long I’ve been buzzing [I have bees on my tie] around asking people to support the scholarship. I’m happy to report that we have met that goal and exceeded it by $500.

Volunteerism is near and dear to my heart; it’s how I tithe and give back to the community. And it’s not something that will stop here. I’ve asked the international board if they would consider me for a chair or something to contribute the educational stuff that I bring—so you haven’t heard the last of me. Thank you.

We caught up with David after the conference and asked if he wanted to share his thoughts on our industry.

What do you consider to be your most significant accomplishment as an information security professional?

I’ve been blessed to enjoy many accomplishments, but what has had the most profound impact on my life, both personal and professional, has been learning to embrace my failures just as much as any accomplishment. While I have certainly not mastered this, the ability to embrace those failures would be my most significant accomplishment. For example, I had prepared for my CISSP certification while I was deployed to Iraq in 2009-2010. I had thirteen months of study and preparation time while deployed. I felt extremely confident that I was going to ace this test when I returned. Not only did I fail by five points, I failed the second attempt by five points as well. It was then that I met and became friends with the late Shon Harris. After working more closely with her to understand some of the more complex concepts, she told me that she too had failed her first attempt at the exam. It was this failure that drove her to become one of our industry’s best-selling trainers/authors. I couldn’t believe it; I was so grateful for her taking time to mentor me.

Another accomplishment that has been significant in my life is the time I’ve spent serving our country in the military. December 1, 2015 marked my 18th year of military service in the United States Army Reserves; without a doubt, signing up has been the most impactful decision in my life. As a Warrant Officer in the cyber community, I am afforded the opportunity to do the things I love every single time I put on the uniform.

What is the most important issue facing the industry and how would you like to see it addressed?

There are many issues that face our industry, but as a father of a little girl and as one whose greatest mentors have been females, the ratio of men to women in information security needs a lot of work. I’ve been in leadership roles with groups like AFCEA

[l-r] International President Andrea Hoy, Volunteer of the Year David Vaughn, Awards Committee member Mark Hahn, and International Conference Chair and Director Stephano Zanero.


International that promote STEM2, (ISC)2 that offers Safe and Secure Online, Microsoft’s DigiGirlz, and now the ISSA Women in Security Special Interest Group. According to a recent story I read on CNN, “Each year the number of women studying and pursuing careers in technology goes down by 0.5 percent; thus by 2043 at the current trend less than one percent of the global tech workforce will be female.” Contributing to the groups trying to provide and promote outreach to all professionals, male or female, it’s a start in the right direction. My daughter, who just turned eight, has already expressed a keen interest in my line of work, which certainly makes the time invested seem far more worthwhile. We enjoy working on projects together like Barcode Shmarcode, a contest that our project won last year. Her interest isn’t motivated by being a female; it’s motivated because she has fun doing these things. For me, I think that this is a way to address the gender gap, by being involved with organizations that foster and promote fun opportunities for all.

What would you like to say to your peers?

To my fellow members of ISSA, (ISC)2, AFCEA, InfraGard, and the other volunteer organizations and events that I enjoy being a part of—please understand that my personal gain has always been the ability to learn from those experiences and to apply them to all aspects within my life. To those peers who do not belong to any of these organizations, I would encourage you to take the leap! Network and contribute back to our community! It takes all of us working together to identify and mitigate the issues that create the various challenges we all face.

— David Vaughn, Volunteer of the Year

Industry Webinar

Did you miss the fourth webinar in the “Digital Identity Insights” educational webinar series focused on digital identity security, presented in partnership with Thales e-Security?

Digital Certificates – A Critical Line of Defense against Cybercrime

Access the Dec. 16, 2015, recorded presentation at www.issa.org => Learn => Web Events => Industry Webinars.

Digital certificates are a critical line of defense against cybercrime. From authenticating traditional user endpoints to enabling trusted e-commerce purchases, digital certificates and the public key infrastructure (PKI) that issues them create a high-assurance foundation for digital security when implemented correctly.

Partnering to provide best-in-class PKI solutions, Certified Security Solutions (CSS) and Thales e-Security invite you to this recorded live webinar discussing digital certificate use cases, the security threat landscape, and resolutions to dangerous enterprise problems putting your company at risk for costly outages and data breaches.

Affiliated Events

ISSA Special RSA Conference 2016 Discount

Secure your seat at RSA® Conference 2016, February 29–March 4, in San Francisco. Register today for your five-day full-conference pass, and gain access to two halls of 500+ exhibitors, 400+ expert-led sessions, unprecedented networking, and not-to-be-missed keynote speakers. Use discount code 16UISSAFCD to save $175 off a full pass. Use complimentary expo code 16UISSAXPO for an expo pass.

Dubai – February 29-March 3, 2016

MIS Training Institute warmly invites ISSA members to the 8th Annual Chief Information Security Officer Middle East Summit & Roundtable, February 29-March 3, 2016, Habtoor Grand Hotel, Dubai. The four-day summit brings together global companies and governments in the Middle East and GCC region with peers internationally to share insights on recent projects, deployments, transformations and achievements. Receive 20-percent discount as an ISSA member. Use code ISSA2016 on the online registration system to redeem your discount, or contact Joleen Sibley, Head of Delegate Relations, [email protected]. To register, please visit www.ciso-summit.com/ciso-middle-east.html.

Turkey – May 17-18, 2016

ENITSE Enterprise IT Security Conference & Exhibition will be held May 17-18, 2016, in Istanbul, Turkey. ENITSE is one of the most important events in EMEA in its category. The conference speeches will be either in Turkish or English and simultaneously will be translated to Turkish or English. When registering, indicate you are a member of ISSA to obtain a 10-percent delegate discount. For more information about ENITSE Conference, please visit event website www.enitse.com or contact [email protected].

Copenhagen – May 10-13, 2016

13th Annual CISO Europe Summit & Roundtable 2016 in Copenhagen, May 10-13. Europe’s favorite event for CISOs will reconvene at the Copenhagen Marriott Hotel. Early bird discount ends soon; register before 12/31/2015 to save £600 and get a free signed book. Receive 20-percent discount as an ISSA member. Use code ISSA2016 on the online registration system to redeem your discount or contact Joleen Sibley, Head of Delegate Relations, [email protected]. To register, please visit www.cisoeurope.misti.com/registration-details.

January 2016 | ISSA Journal – 15

Promoting Public Cloud Workload Security: Legal and Technical Aspects

By Jason Paul Kazarian

As workloads are moved from privately owned, on-premises infrastructure to public cloud computing platforms, an organization must rely more on external legal and technical aspects (compared with internal policies, procedures, and tools) for managing security. This article reviews such aspects from a security perspective.

Abstract

As an organization moves its workloads from privately owned, on-premises infrastructure to public cloud computing platforms, the organization’s Chief Information Security Officer (CISO) is tasked with maintaining information security. This requires a CISO to rely more on external legal and technical aspects (compared with internal policies, procedures, and tools) for managing security.

This article reviews such aspects from a security perspective. It introduces a definition of various cloud service types, discusses legal aspects of cloud security starting with the impact of a service level agreement (SLA) on overall cloud security, including SLA limitations and obligations, and continues the legal discussion with data residency aspects, including concerns for multi-national organizations. I note the importance of investigation availability in preventing and resolving security breaches, especially when the source of the attack is now usually cloud-based as well, and close with technical aspects of cloud security such as data-at-rest protection and key management.

Cloud systems defined

Cloud computing is a natural evolution of improvements in time-sharing services, virtual-machine operating systems, and network communications.1 Cloud computing offerings are generally classified into one of three types:2

• Infrastructure as a Service (IaaS): deployment of discrete information system components, such as individual servers, firewalls, networks, and so on in a public-cloud environment. In general, IaaS requires the installation of an operating system and an application on a virtual machine. Amazon Web Services (AWS) Elastic Compute Cloud (EC2) and Rackspace Cloud Servers are examples of IaaS.

• Platform as a Service (PaaS): deployment of general purpose nodes, such as database servers and load balancers. These nodes are ready-to-run, but integrating PaaS nodes with code or scripts is necessary to drive an end-user ap-

1 “Cloud Computing,” Wikipedia, accessed November 20, 2015, https://en.wikipedia.org/wiki/Cloud_computing.
2 Vaquero, Luis M., et al. “A break in the clouds: towards a cloud definition.” ACM SIGCOMM Computer Communication Review 39.1 (2008): 50-55.

16 – ISSA Journal | January 2016 Promoting Public Cloud Workload Security: Legal and Technical Aspects | Jason Paul Kazarian

plication. AWS Remote Database Service (RDS) and the the term “SLA” to designate all of the service agreements be- use of force.com as a mobile development platform are ex- tween an organization and a provider. amples of PaaS. Legal obligations and limitations • Software as a Service (SaaS): deployment of complete, ready-to-run, end-user applications. These applications Since it is a contract, the SLA specifies the legal requirements may require administration or configuration, such as the for the involved parties. Some of these are obligations, for ex- integration of a login function with a directory server. In- ample the requirement to protect non-public access creden- stances delivered by the AWS Marketplace and the use of tials. Others are limitations, for example consuming cloud SalesForce as a browser-based application are examples of services within the boundaries of acceptable uses. SaaS. One “feature” of the SLA is to limit the liability of a cloud Most organizations will use all three offering types. For exam- service provider in the event of a third-party dispute. For this ple, an organization may use Azure Compute for IaaS, Azure case, the SLA should clearly state what resources the provid- SQL Database for PaaS, and Office 365 for SaaS. Even though er will and will not offer to resolve the dispute. Often times these are Microsoft offerings, a CISO using all of them would the organization is solely responsible for the data stored with (as we discuss in the following section) be subject to multiple the provider except in limited circumstances. A CISO should service level agreements. ask counsel to review the SLA with an eye towards recovering from a security-related third-party dispute. Service level agreements More importantly, the SLA will require an organization to The service level agreement (SLA) is the contracting vehicle indemnify the cloud provider for disputes that may arise for implementing cloud security. 
The SLA, along with oth- from using the services as well as stipulate when access to er documents, such as an Acceptable Use Policy, Customer services may be terminated, either permanently or temporar- Agreement, and Terms of Service, defines the limitations ily. Further, the SLA will grant the provider the flexibility to and the responsibilities of the customer and service provider. change terms and conditions at will, perhaps without notice, Without sufficient support from the SLA, it is not possible to requiring that the organization regularly monitor the latest implement cloud security best practices.3 SLA version for changes. In many cases, the SLA is non-ne- Note that the SLA may also include service-specific provi- gotiable. In almost all cases, using the service constitutes SLA sions that apply only to some cloud service types, such as acceptance. PaaS, but not others, such as IaaS. For example, customers The legal framework of a cloud SLA is quite different from using AWS RDS must agree that unregistered nodes not used on-premises software licenses. In the latter, larger enterprises for thirty days may be deleted. There is no a similar provision are able to (and often do) insist on specific terms and con- for AWS EC2. Throughout the rest of this article, I will use ditions more favorable to the entity in exchange for higher license premiums. Moreover, these terms often remain con- 3 William Yurek, panelist, Cloud Application and Protecting the Cloud, November fidential. By contrast, for most organizations this practice is 17, 2015, SecureHEALTH Summit, Healthcare Technology Research and Advisory Council (HTRAC), Homestead, Virginia. often restricted by the SLA, itself a public document.


Data residency aspects
A legal aspect deserving special mention is the SLA’s definition of data residency, meaning: where is cloud data physically stored? Privacy and security requirements vary from country to country. For example, United States citizens have privacy torts,4 which allow remedy in civil court for proven damages,5 while EU citizens have privacy rights,6 which allow remedy in justice court for negligence.

Although we may pick a data center within the geographic boundaries of one country, the governing SLA may allow the provider to store a back-up copy of that data in another country. Does this provision add risk to the organization? In many cases the answer is yes. For example, Germany regulates the transmission of personal information, requiring a CISO to verify equivalent protection exists for back-ups residing outside the EU.7

Sometimes a service provider will have a different data residency policy depending on the service offered. For example, Microsoft has a blanket online service policy that allows storing and transferring customer data to any region of the world where Microsoft conducts business. This policy offers exceptions on a service-by-service basis.8 Thus Azure, InTune, Dynamics, and Office 365, while cohesively marketed as cloud services, all have different data residency policies.9

Verifying compliance requires knowledge of the time, place, and manner of back-up data storage. In the worst case, the SLA will not specify these parameters at all. A better case exists when the SLA specifies data residency precisely or the CISO can control physical data duplication. For example, the AWS SLA explicitly states that customer data is not stored outside of the selected region,10 while Azure provides an interface for disabling data duplication.11

“Safe Harbor” annulment
The recent annulment of “Safe Harbor” by the European Union (EU) Court of Justice (EUCJ) illustrates the impact of data residency policies on public-cloud operations. The EUCJ is responsible for determining if a third country ensures adequate protection to EU citizens when processing personal data.12

On October 6, 2015, the EUCJ declared its previous acceptance of US Safe Harbor Privacy Principles (hereinafter Safe Harbor) invalid. This reversed a fifteen-year policy of allowing data governed by Directive 95/46/EC to be stored in the US despite an absence of a national data protection law.13

This change sent shock waves through the industry, especially since most providers rely on Safe Harbor as a focal point of their privacy policy. As of this writing, manual inspection shows Amazon, Datapipe, Dell, Microsoft, and Rackspace still cite Safe Harbor as a point of compliance. We do not yet understand how the industry will evolve to deal with this change.

At a minimum, a CISO with multi-national responsibilities should take measures to protect the organization from violating this directive. One measure would be to verify that data subject to the directive is not resident in the US. Another measure would be to encrypt regulated data when it is stored in the US. Counsel should be engaged to assess if the measures taken are adequate to comply with the directive.

4 Samuel D. Warren and Louis D. Brandeis. “The right to privacy.” Harvard Law Review (1890): 193-220.
5 “Tort Law,” Free Dictionary, Farlex, Inc., accessed December 23, 2015, http://legal-dictionary.thefreedictionary.com/Tort+Law.
6 David L. Baumer, Julia B. Earp, and J. C. Poindexter. “Internet privacy law: A comparison between the United States and the European Union.” Computers & Security 23, no. 5 (2004): 400-412.
7 Paul M. Schwartz, “European data protection law and restrictions on international data flows.” Iowa L. Rev. 80 (1994): 471.
8 “Privacy and Cookies,” Microsoft, updated June, 2015, https://www.microsoft.com/privacystatement/en-us/OnlineServices/Default.aspx.
9 “Microsoft Trust Center,” Microsoft, accessed December 17, 2015, https://www.microsoft.com/en-us/trustcenter/privacy/you-are-in-control-of-your-data.
10 “AWS Customer Agreement,” Amazon Web Services, accessed December 17, 2015, http://aws.amazon.com/agreement/.
11 “Introducing Geo-replication for Windows Azure Storage,” Microsoft, accessed December 17, 2015, http://blogs.msdn.com/b/windowsazurestorage/archive/2011/09/15/introducing-geo-replication-for-windows-azure-storage.aspx.
12 “Commission decisions on the adequacy of the protection of personal data in third countries,” European Union Court of Justice, accessed December 18, 2015, http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.
13 European Union Court of Justice, Schrems v Data Protection Commissioner, COM(2015) 566 final, November 6, 2015.
14 Verizon Enterprise Solutions. “2014 Data Breach Investigations Report.” Accessed December 18, 2015, http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf.
15 “Rackspace Security Vulnerability Reporting,” Rackspace US, Inc., accessed December 17, 2015, http://www.rackspace.com/information/legal/rsdp/.
16 “Security Breach Notification Laws,” National Conference of State Legislatures, October 22, 2015, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.

Investigation availability
Many organizations discover data breaches all too late. According to the 2014 Data Breach Investigation Report (DBIR),14 while 87 percent of breached systems surveyed were compromised on the order of minutes or less, 99 percent of breaches were discovered on the order of weeks or more. Or, more abstractly, the survey found a breach will be discovered no sooner than O(n^k) time after a compromise that originally happened in no later than O(n) time.

A major reason for this latency, per the DBIR, is that only 12 percent of web fraud is detected through internal audits or controls, while 74 percent is reported by customers, ostensibly after reviewing monthly statements. This demonstrates that even though a system may have a large attack surface, for example the infrastructure involved in web e-commerce, the investigation surface for detecting misuse is small by comparison, for example customer monthly statements.

Among other aspects, the SLA defines the frequency and type of monitoring available to the customer from the provider, such as access attempts or system loading. In many cases, more detailed metrics are available at a higher premium rate. But in other cases, the SLA will not afford a monitoring capability similar to on-premises systems. The cognizant CISO must determine if the monitoring available will support current security practices (or work around limitations if support is inadequate).

Breach reporting policies also vary from provider to provider. In some cases, the provider will notify the customer of a breach upon detection. In other cases, a provider will notify the customer only when a full investigation is concluded. Some providers ask that customers not post potential vulnerabilities publicly, ostensibly as such exposure may introduce risk for other customers.15 In some cases, lack of breach notification upon detection may contradict local laws requiring immediate notification instead.16

Organizations relying on vulnerability testing should verify their practices comply with the SLA. A CISO would expect an SLA to prohibit vulnerability testing against resources outside her subscription. But some providers prohibit all such
testing entirely unless permission is obtained in advance.17 A CISO may be forced to avoid using this testing on cloud workloads.

Finally, the DBIR reports that as of late 2012, the origin of denial-of-service attacks has migrated from compromised networks of desktop and server machines with slower, “last mile” Internet access links to public cloud-based networks with data-center-grade pipes. A CISO should consider if the SLA offers adequate resources for investigating a potential attack from a neighboring rack.

Data at rest limitations
Many cloud providers now offer (or soon will be offering) data-at-rest protection for block storage. This protects blocks stored on a disk partition from being read by another party by either shuffling the file system index,18 encrypting blocks within the file system,19 or encrypting at the virtual machine-to-physical storage interface.20 In general, data-at-rest methods offer protection only while the data container is not in use: once loaded, a driver translates the protected structure into a normal one.

A CISO using data-at-rest protection as part of a comprehensive security policy should verify multiple factors in cloud environments. The first is the protection algorithm itself: is index shuffling21 sufficient? Or should the CISO insist on a higher security, lower performance block encryption algorithm?

More importantly, a CISO should determine what storage structures offer data-at-rest protection. In particular, are all disk partitions protected? Or just data storage partitions? This differentiation is significant when a swap partition, used for storing virtual memory as opposed to files, remains unprotected. In this case, swap space is subject to key scavenging attacks.22

If the cloud provider offers data-at-rest protection without role-based access methods, the protection afforded may be limited to storage device theft, somewhat moot for mass storage in a remote data center. May an authorized IaaS user, for example, duplicate a virtual machine, export the “snapshot” into a different account, and run the copy? Or is this operation restricted, based on the user’s role, with dual controls offered to regulate the export of protected machines?

Encryption key management
When a CISO uses encryption in a public cloud environment, the question of key management is raised. In many cases, the CISO can choose to store these keys either in the cloud itself or in privately owned infrastructure. For example, AWS Simple Storage Service (S3) offers an application programming interface (API) for key management.23 One may encrypt S3 objects with a key managed either within the AWS infrastructure or within corporate infrastructure.

In the former case, an implementer uses the AWS API to create and store an encryption key within S3 itself. In the latter case, a programmer uses the organization’s resources to create and store a key, using a different API to grant S3 key access only when storing or retrieving an object. While the former approach is simpler for the implementer, the latter approach offers the organization more control over cryptographic resources.

Should a CISO elect to use enterprise-based (as opposed to provider-based) key management, the organization has multiple options, including the following:

• Software provisioning: use individual application-level libraries to generate keys.
• Static provisioning: use a centrally managed appliance to generate and store static keys.
• Dynamic provisioning: use an appliance to generate keys dynamically.

These options are sorted from highest to lowest management complexity. Managing software provisioning is the most complex, as the entire burden of key management falls on the implementer, who is responsible for choosing a key algorithm, invoking a generation function, and storing the resulting key securely for use and subsequent retrieval.

Managing static provisioning is less complex, as the implementer may use an identity string, such as a key name, to generate a key, store this key in the appliance, and later retrieve the same key when needed. However, the programmer must manage associating this key with an external object, such as a user name or device serial number.

Managing dynamic provisioning is the least complex, as keys are generated based on an identity string and associated metadata. The implementer need not worry about storing or retrieving keys, but merely passes the appropriate identity string to the appliance and receives the necessary key in response.

The first two methods of key management are stateful, meaning that each key used must be generated, stored, and managed. As the number of keys increases, the management burden increases as well. The last method is stateless, meaning keys are generated dynamically when needed. As the number of keys increases, the management burden stays the same. Thus stateless solutions cost less than stateful solutions at scale.

Key management overhead cost depends on the number of keys issued. Organizations with few protected objects, per-group keying (all members of a group share the same key), and infrequent rotation policies need to manage fewer keys, perhaps in the tens of thousands annually. Organizations protecting all cloud objects, implementing per-user keying (each user has a unique key, possibly shared within a group), and rotating frequently may manage millions of keys annually. A CISO should quantify the cost of key management when moving to the public cloud.

17 “Acceptable Use Policy,” Datapipe Inc., accessed December 17, 2015, https://www.datapipe.com/legal/acceptable_use_policy/.
18 Sabrina De Capitani di Vimercati, Sara Foresti, Stefano Paraboschi, Gerardo Pelosi, and Pierangela Samarati. “Efficient and private access to outsourced data.” In Distributed Computing Systems (ICDCS), 2011 31st International Conference on, pp. 710-719. IEEE, 2011.
19 Dawn Song, Elaine Shi, Ian Fischer, and Umesh Shankar. “Cloud data protection for the masses.” Computer 1 (2012): 39-45.
20 Michael Austin Halcrow, “eCryptfs: An enterprise-class encrypted filesystem for linux.” In Proceedings of the 2005 Linux Symposium, vol. 1, pp. 201-218. 2005.
21 Rearranging the file system’s directory structure in a reversible manner such that the locations of files on the disk surface are obscured but the actual blocks containing data remain in their original form. This low-overhead data protection method blocks attacks that retrieve data through the file system, but not attacks that scan data blocks directly.
22 Yinqian Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. “Cross-VM side channels and their use to extract private keys.” In Proceedings of the 2012 ACM conference on Computer and communications security, pp. 305-316. ACM, 2012.
23 Amazon Web Services, “Class Encryption Key,” AWS SDK for Java – 1.10.35. http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/index.html.

Security aspects of hybrid infrastructure
Some organizations are moving rapidly to 100 percent public IaaS to reduce IT costs, especially when the negotiated cost of service is less than the burdened rate of on-premises infrastructure. But it behooves a CISO to consider hybrid infrastructure—the integration of on-premises hardware with public IaaS—for maintaining strong security. Organizations with mission-critical and root-of-trust needs may require this hybrid approach.

Many cloud providers include language in the SLA that bans mission-critical workloads, usually defined as those where failure would increase the risk of losing life, causing injury, or damaging property. Sometimes a specific use, such as public transportation, is also banned. In such cases, a CISO might advocate that affected workloads remain on-premises with public IaaS used for limited purposes, such as archival backup of these applications.

A hardware security module (HSM) is a physical device for generation and storage of cryptographic material in a secure environment.24 A CISO typically relies on an HSM as root-of-trust and to avoid security risks from software vulnerabilities during cryptographic processing. At the moment, multiple providers offer cloud-based HSM capabilities as a premium service.25

While a cloud-based HSM may protect the organization from key inspection by an attacker or the service provider, other benefits may be restricted, such as using the HSM as a root-of-trust for locally generated keys and certificates. A CISO should verify a cloud-based HSM will support all of the organization’s security practices, including auditing, compliance, dual control, and role policies, before replacing on-premises security equipment with cloud equivalents.
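The question raised under “Data at rest limitations” above, whether every partition (swap included) is actually protected, can be checked from inside a guest. The following Python script is an added example, not code from the article or from any provider: it parses the key="value" output of lsblk -P (the sample output below is constructed for a hypothetical VM) and reports swap devices and mount points whose block-device stack contains no dm-crypt mapping. It only sees guest-side encryption; protection applied by the provider below the virtual machine-to-storage interface is invisible to lsblk, which is exactly the case where the SLA and provider documentation have to answer the question instead.

```python
import re

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` output
# for a hypothetical cloud VM; not captured from a real system.
SAMPLE_LSBLK = """\
NAME="xvda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="xvda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="xvda"
NAME="xvda2" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="xvda"
NAME="xvdb" TYPE="disk" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME=""
NAME="data" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="xvdb"
NAME="xvdc" TYPE="disk" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME=""
NAME="cswap" TYPE="crypt" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="xvdc"
"""

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text):
    """Parse lsblk -P key="value" lines into a dict keyed by device name."""
    devices = {}
    for line in text.splitlines():
        fields = dict(PAIR_RE.findall(line))
        if "NAME" in fields:
            devices[fields["NAME"]] = fields
    return devices


def is_encrypted(devices, name):
    """True if the device or any ancestor in its block stack is a dm-crypt mapping.

    PKNAME points at the parent kernel device, so walking it upwards reaches the
    LUKS container underneath a mapped volume; a `seen` set guards against loops.
    """
    seen = set()
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev.get("TYPE") == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False


def unprotected_swap(text):
    """Names of active swap devices that are not backed by an encrypted mapping."""
    devices = parse_lsblk_pairs(text)
    return sorted(
        name for name, dev in devices.items()
        if (dev.get("FSTYPE") == "swap" or dev.get("MOUNTPOINT") == "[SWAP]")
        and not is_encrypted(devices, name)
    )


def unprotected_mounts(text):
    """Mount points (other than swap) whose backing device is not encrypted."""
    devices = parse_lsblk_pairs(text)
    return sorted(
        dev["MOUNTPOINT"] for name, dev in devices.items()
        if dev.get("MOUNTPOINT") not in ("", "[SWAP]")
        and not is_encrypted(devices, name)
    )


if __name__ == "__main__":
    # On a real host: subprocess.run(["lsblk", "-P", "-o",
    # "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"], capture_output=True, text=True).stdout
    print("unprotected swap devices:", unprotected_swap(SAMPLE_LSBLK))
    print("unprotected mount points:", unprotected_mounts(SAMPLE_LSBLK))
```

In the constructed sample the root file system and the plain swap partition on xvda come back as unprotected, while /data and the swap on cswap sit on dm-crypt mappings and pass. An unprotected swap finding is the case the article ties to key scavenging, so it belongs in the build checklist for any image that handles key material.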
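To make the static versus dynamic provisioning contrast under “Encryption key management” concrete, here is an added Python example (mine, not the article’s and not any vendor’s appliance API). The StaticProvisioner generates and stores one random key per key name, so its state grows with every key issued; the DynamicProvisioner holds only a master secret and derives each key from an identity string plus metadata with HKDF (RFC 5869), so its stored state stays constant however many keys are requested. The master secret, salt and the user/rotation naming are constructed for the example.

```python
import hashlib
import hmac
import os


def hkdf_sha256(master, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, master, hashlib.sha256).digest()        # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                      # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class StaticProvisioner:
    """Static provisioning as described in the article: a key is generated once
    under a name, stored, and later retrieved by that name. The store grows with
    every key, which is the stateful cost the article attributes to this option."""

    def __init__(self):
        self._store = {}

    def get_key(self, key_name):
        if key_name not in self._store:
            self._store[key_name] = os.urandom(32)   # generated once, then kept
        return self._store[key_name]

    def stored_keys(self):
        return len(self._store)


class DynamicProvisioner:
    """Dynamic (stateless) provisioning: keys are derived on demand from one
    master secret plus an identity string and metadata. Only the master secret
    is stored, so the state does not grow with the number of keys."""

    def __init__(self, master_secret, domain_salt):
        self._master = master_secret   # would live in an appliance or HSM
        self._salt = domain_salt

    def get_key(self, identity, metadata):
        # Length-prefix each field so that ("ab", "c") and ("a", "bc") differ.
        info = b"".join(len(x).to_bytes(2, "big") + x for x in (identity, metadata))
        return hkdf_sha256(self._master, self._salt, info)

    def stored_keys(self):
        return 1


def demo(n_users, rotations_per_year):
    """Issue per-user keys with periodic rotation under both models and return
    (static_store_size, dynamic_store_size)."""
    static = StaticProvisioner()
    dynamic = DynamicProvisioner(os.urandom(32), b"example-tenant")  # constructed
    for u in range(n_users):
        for r in range(rotations_per_year):
            ident = f"user-{u}".encode()
            meta = f"rotation-{r}".encode()
            static.get_key(f"{ident.decode()}/{meta.decode()}")
            dynamic.get_key(ident, meta)
    return static.stored_keys(), dynamic.stored_keys()


if __name__ == "__main__":
    print("keys stored (static, dynamic):", demo(100, 12))
```

With per-user keying and monthly rotation the static store holds twelve keys per user per year, which is the growth the article warns scales into millions of keys, while the dynamic provisioner still stores a single secret. The trade-off is that every derived key is only as protected as that master secret, which is why it should sit in an appliance or HSM rather than in application code.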
Summary
The CISO faces multiple security challenges when moving workloads from private, on-premises resources to a public cloud. Service level agreements govern the CISO’s ability to implement and maintain security policy. These agreements are complex and should be reviewed by legal counsel. A multi-national organization must consider data residency definitions for each country’s workload. The type of cloud service chosen (IaaS, PaaS, or SaaS) may limit an organization’s ability to perform pre- and post-breach investigations. Within limits, data-at-rest protection offers some security benefit for cloud data storage. Organizations implementing encryption as part of security best practices benefit from considering key management issues. Finally, the CISO may need to advocate for hybrid infrastructure to meet security needs even when others promote moving all IT resources to the cloud.

About the Author
Jason Paul Kazarian is a Senior Architect for Hewlett Packard Enterprise and specializes in integrating data security products with third-party subsystems. He has thirty years of industry experience in the aerospace, database, security, and telecommunications domains. He has an MS in Computer Science from the University of Texas at Dallas and a BS in Computer Science from California State University, Dominguez Hills. He may be reached at [email protected].

24 “Hardware Security Module,” Wikipedia, accessed December 17, 2015, https://en.wikipedia.org/wiki/Hardware_security_module.
25 “Azure Key Vault,” Microsoft, accessed December 17, 2015, http://blogs.technet.com/b/kv/archive/2015/01/08/azure-key-vault-making-the-cloud-safer.aspx; “AWS Cloud HSM,” Amazon Web Services, accessed December 17, 2015, https://aws.amazon.com/cloudhsm/.


Gaining Confidence in the Cloud

By Phillip Griffin – ISSA Fellow, Raleigh Chapter and Jeff Stapleton – ISSA member, Fort Worth Chapter

In cloud deployments organizations remain responsible for ensuring the security of their data. Can cloud-based technologies, such as the blockchain, play a role in providing cloud subscribers assurance their data is being properly managed and that their cloud service provider is in compliance with established security policies and practices?

Abstract
The Cloud offers organizations faster, cheaper, richer, and sometimes more secure application deployments than they themselves can orchestrate. However, organizations remain responsible for ensuring the security of their data, even when they transfer its physical control to a cloud service provider (CSP). What information does an organization require from a CSP to gain confidence they are meeting their data governance obligations? Can cloud-based technologies, such as the blockchain, play a role in providing cloud subscribers assurance their data is being properly managed and that their CSP is in compliance with established security policies and practices? For the financial service industry the X9.125 standard is under development to define requirements and provide a compliance model using blockchain technology.

Introduction
As organizations embrace the Cloud and migrate or deploy applications and, invariably, data, they transfer control from internal processes to a cloud service provider (CSP). However, organizations (subscribers) remain responsible for industry information-security compliance despite the delegation to the CSP. Health care1 data and payment2 data notwithstanding, organizations must ensure they exert adequate governance over how their data is protected. Regardless of where their data is located and who actually has physical control over the data—whether within a virtual environment or the cloud—the organization remains responsible for ensuring it can meet legal and regulatory control requirements. For the financial services industry, the X9.125 standard for cloud compliance is being developed to address requirements and compliance between a cloud subscriber and its CSP.

Figure 1 – Standards overview

Some background might help clarify how X9.125 fits into financial and cloud services. As shown in figure 1, the American National Standards Institute (ANSI)3 is the United States’ representative to the International Standards Organization (ISO)4 among others. However, ANSI does not develop standards; rather, it accredits other organizations as industry-specific standards developers and technical advisory groups (TAG) to ISO technical committees. The Accredited Standards Committee X95 (ASC X9 or just X9) is one such organization designated by ANSI to perform the following roles:

• Develop ANSI standards for the financial services industry
• Represent the United States as the TAG to ISO technical committee 68 Financial Services (TC68)
• Manage TC68 as the official secretariat

Consequently, many X9 standards are submitted to ISO for international standardization. Further, X9 often initiates ISO work items, adopts ISO financial standards, and retires ANSI standards in favor of the ISO version. Sometimes the US markets are so distinct that a domestic X9 standard is needed in the absence of, or in parallel with, an ISO standard. The cloud security work item is assigned to the X9F4 cryptographic protocols and work group; Jeff Stapleton is the X9F4 chair, and Phil Griffin is the X9.125 editor.

One of the first X9F4 actions was to review the existing body of work, including special publications from the National Institute of Standards and Technology (NIST),6 Federal Financial Institutions Examination Council (FFIEC)7 cloud computing recommendations, Central Intelligence Agency (CIA) views on cloud computing, and the Cloud Security Alliance (CSA) research on comparable audit programs. These materials were digested to formulate a core set of security requirements for managing and securing information in the cloud, whether this information is located in a private cloud completely under control of the organization, or managed in a hybrid or public cloud environment. Regardless of the cloud service type or environment, these basic questions were identified:

1. What security controls does the cloud subscriber (the consumer of the cloud services) need to protect the confidentiality and integrity of its data?
2. What security controls does the cloud service provider offer to protect the confidentiality and integrity of its subscriber’s data?
3. What security controls provided by the cloud service provider can be monitored by the cloud subscriber to verify compliance?

While the development of X9.125 is still work in progress and has undergone several redesigns, cloud services and their adoption in the financial industry have continued to evolve. Thus the X9.125 standard is attempting to hit a moving target. X9 standards provide requirements (“shall”) and recommendations (“should”) that are practical and verifiable. Thus, as shown in figure 2, the standard needs to address security controls and interoperability between the cloud service provider and the cloud subscriber, in addition to transparency of any service sub-providers.

Figure 2 – Controls overview

Cloud service providers, like any organization relying on information technology (IT), need to have their security controls documented in policy (why), practices (what), and procedures (who). They also need to securely manage resources, including people, places, and processes. IT controls include network, systems, and applications addressing authentication, authorization, and accountability (AAA). Data must also be managed across its life cycle, including creation, distribution, storage, and termination. When cryptography is used, the keys must be managed in a secure manner. How the controls are deployed and managed depends on the relationship between the CSP and the subscriber, as depicted in figure 2:

• The topmost solid arrow shows the case when controls are provided solely by the CSP to the subscriber. For example, the CSP might encrypt the subscriber’s data in storage using cryptographic keys managed solely by the CSP.
• The middle arrows show cases when controls are mutually managed by both the CSP and the subscriber. For example, data in transit is encrypted using a session key that is dynamically established, based on an exchange of public key certificates between the CSP and the subscriber.
• The bottommost dotted arrow shows the case when controls are provided solely by the subscriber. For example, the subscriber might encrypt or tokenize data before it is sent to the CSP for storage or processing.
• The dotted arrow between the CSP and its service sub-provider shows the case when controls are provided indirectly to the subscriber by the sub-provider. For example, the sub-provider might be a tokenization service used by the CSP to protect the subscriber’s data in storage.

While X9.125 is still work in progress, another major aspect is to develop a reporting model such that a cloud subscriber can verify a CSP’s compliance. Compliance might be to the CSP policy and practices aligned with the subscriber, or preferably to the security requirements being defined in the X9.125 standard adopted by both parties. Regardless, this implies that the CSP provides compliance information that is reliable and verifiable. One method for a digital ledger might be blockchain technology, more contemporarily known because of Bitcoin.

1 http://www.hhs.gov/ocr/privacy/index.html.
2 https://www.pcisecuritystandards.org/.
3 www.ansi.org.
4 www.iso.org.
5 www.x9.org.
6 http://csrc.nist.gov/publications/PubsSPs.html.
7 http://ithandbook.ffiec.gov/media/153119/06-28-12_-_external_cloud_computing_-_public_statement.pdf.

Blockchains
Blockchains have been around for decades. Notably, Merkle trees were addressed in a US Patent [2] issued in 1982, so the technology is well vetted. While the Bitcoin blockchain is used as a general ledger for Bitcoin transactions, any information can be encapsulated within a blockchain that can provide data integrity. Incorporating timestamps within the blockchain (as does Bitcoin) also provides a historical record of what happened when and by whom. Consider figure 3 as an example.

Figure 3 – Simple blockchain

The blocks are numbered sequentially: Block 0, 1, … to N. There is always an initial block, conventionally numbered “0” to indicate its special nature. There is always a last block (N), which is the most current addition to the blockchain. Each block contains data, in this example a cloud service provider’s policy numbered according to its block number: P0, P1, … PN and so on. In this example, each block contains a hash (H) of its own policy data, essentially a link to itself, so Block 0 contains H(P0), Block 1 contains H(P1), and Block N contains H(PN). Additionally, each block contains a hash of its predecessor, so Block 1 contains H(P0) as a link to Block 0, and Block N contains H(PN-1) as a link to Block N-1. Note that Block 0 does not contain a previous link since Block 0 is the blockchain origin.

modifies the data so it contains PJ and no longer PK, and publishes it as the real Block K. The attacker then updates Block K+1 to link to Block J instead of Block K. Thus, the blockchain has been compromised but yet still appears to be valid since all of the links are valid. Without some method of either verifying the publisher or the whole blockchain, a simple substitution attack is possible. Replacing the previous link as a simple hash of the previous data with a digital signature would prevent the substitution attack; however, this would require the support of a public key infrastructure (PKI) with certificates, private key storage, certificate authorities, revocation lists, and the like. Alternatively, replacing the previous link with a hash chain achieves the same anti-substitution control without the PKI overhead.

Referring back to figure 3, we have provided another chain
At this point one might think that the blockchain is field where each block contains a chain numbered by its block completely reliable, but it turns out that simple links based number: C0, C1…CN. Each chain is a link to all of the pre- on a hash of just the data in the previous block is unreliable. vious blocks, which is a hash of two elements: the previous Consider an attacker that takes some intermediary Block K chain and a hash of its own data. Thus, Block N contains a which links to Block K-1 and has Block K+1 linked to it. The hash of CN-1 and a hash of its own data H(PN), that is H(CN- attacker makes a replica of Block K, which we will call Block J, 1, H(PN)). Likewise, Block 1 contains a hash of C0 and a hash of its own data H(P1), namely H(C0, H(P1)). Block 0 only con- tains a hash of a hash of its own data H(H(P0)) because there is no previous chain. In this manner an attacker cannot re- place any of the published blocks without updating the whole chain, which is the basis of the Bitcoin blockchain security. The presumption is that it is cheaper to be honest than dis- Don’t Miss This Web Conference! honest. If a majority of CPU power is controlled by honest nodes, 2015 Security Review & the honest chain will grow the fastest and outpace any Predictions for 2016 competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all 2-hour live event – 9:00 am PDT, 12:00 pm EDT, blocks after it and then catch up with and surpass the work 5:00 pm London, Tuesday, January 26, 2016. of the honest nodes. We will show later that the probability Yes, once again some brave (or foolish?) folks will of a slower attacker catching up diminishes exponentially volunteer their insights and make predictions for as subsequent blocks are added. [3] the 2016 infosec challenges. Join us, make notes, Much of the media discussion around Bitcoin has focused and then check back in a year to see how we did! on its role as a crypto currency. 
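The substitution attack and the chain field of figure 3, worked through as an added Python example (written for this edit; it is not code from the article, its authors, or X9.125). It builds both link styles over constructed policy texts and checks them the way a subscriber would. The article does not name its hash function H, so SHA-256 is assumed here.

```python
import hashlib
from dataclasses import dataclass, replace as copy_of
from typing import List, Optional


def H(*parts: bytes) -> bytes:
    """The article's H, assumed here to be SHA-256 over the concatenated inputs."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


@dataclass
class Block:
    number: int
    policy: bytes               # P_n: the CSP policy text carried by this block
    self_hash: bytes            # H(P_n), the block's link to itself
    prev_link: Optional[bytes]  # H(P_{n-1}), the simple link of figure 3; None for Block 0
    chain: bytes                # C_n = H(C_{n-1}, H(P_n)); C_0 = H(H(P_0))


def build_chain(policies: List[bytes]) -> List[Block]:
    """Publish policies P0..PN as blocks carrying both the simple link and the chain field."""
    blocks: List[Block] = []
    for n, policy in enumerate(policies):
        self_hash = H(policy)
        if n == 0:
            prev_link, chain = None, H(self_hash)
        else:
            prev_link, chain = blocks[-1].self_hash, H(blocks[-1].chain, self_hash)
        blocks.append(Block(n, policy, self_hash, prev_link, chain))
    return blocks


def verify_simple_links(blocks: List[Block]) -> bool:
    """All the simple links let a verifier check: each block hashes to its own
    self_hash and points at the self_hash of the block before it."""
    for n, b in enumerate(blocks):
        if H(b.policy) != b.self_hash:
            return False
        expected_prev = None if n == 0 else blocks[n - 1].self_hash
        if b.prev_link != expected_prev:
            return False
    return True


def verify_chain(blocks: List[Block]) -> bool:
    """Recompute C0..CN from the block data and compare with the published chain values."""
    expected: Optional[bytes] = None
    for n, b in enumerate(blocks):
        self_hash = H(b.policy)
        expected = H(self_hash) if n == 0 else H(expected, self_hash)
        if b.chain != expected:
            return False
    return True


def substitute_block(blocks: List[Block], k: int, new_policy: bytes) -> List[Block]:
    """The attack in the text: replace P_K by P_J, publish the replica as Block K and
    re-point Block K+1's simple link at it. The chain values are left untouched."""
    forged = [copy_of(b) for b in blocks]
    forged[k] = copy_of(forged[k], policy=new_policy, self_hash=H(new_policy))
    if k + 1 < len(forged):
        forged[k + 1] = copy_of(forged[k + 1], prev_link=forged[k].self_hash)
    return forged


def recompute_chain_values(blocks: List[Block]) -> List[Block]:
    """What the attacker must additionally do to get past verify_chain: rewrite C_K..C_N."""
    fixed: List[Block] = []
    for n, b in enumerate(blocks):
        chain = H(b.self_hash) if n == 0 else H(fixed[-1].chain, b.self_hash)
        fixed.append(copy_of(b, chain=chain))
    return fixed


def demo() -> dict:
    # Constructed sample data: five versions of a CSP security policy.
    policies = [f"CSP security policy, version {n}".encode() for n in range(5)]
    honest = build_chain(policies)
    forged = substitute_block(honest, 2, b"CSP security policy, version 2 (weakened)")
    rewritten = recompute_chain_values(forged)
    return {
        "honest_simple": verify_simple_links(honest),   # True
        "honest_chain": verify_chain(honest),           # True
        "forged_simple": verify_simple_links(forged),   # True: the substitution passes
        "forged_chain": verify_chain(forged),           # False: C2 no longer matches
        "rewritten_chain": verify_chain(rewritten),     # True, but ...
        "head_changed": rewritten[-1].chain != honest[-1].chain,  # ... CN differs from the one already published
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A subscriber who recorded CN when Block N was published (or obtained it out of band from the CSP) only has to compare that value against the head of whatever chain is later served to them; with simple links alone, the same subscriber would have to re-verify the publisher of every block.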
Bitcoin provides a means for achieving efficient financial transactions. In this context, Bitcoin is sometimes described as a disruptive technology, one that facilitates the activities of drug dealers and terrorists, one that threatens to disintermediate and undermine the existing financial services industry, or one that presents banks who serve Bitcoin industry players with heightened “Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Act compliance risks” [1].

On the other hand, Bitcoin has seen adoption by e-commerce stalwarts such as PayPal, Overstock, Dish Network, and Dell Computers, as well as “many community-driven organizations” that “allow anonymous donations using Bitcoin” [6]. Despite any negative aspects associated with Bitcoin, “there remain many legitimate uses for Bitcoin and businesses that facilitate these legitimate transactions” [7]. There is also growing interest in leveraging the blockchain technology that underpins Bitcoin to both reduce transaction costs and strengthen financial services security. To this end, more general purpose applications of the blockchain that are far removed from the use of Bitcoin to facilitate financial services transactions are being considered. For example, blockchains might be used to evaluate, monitor, assess, or even audit a cloud services provider:

• The CSP might publish its information security policy and practices in a blockchain, providing a historical record of versions and changes. In this manner, new subscribers can evaluate the CSP, existing subscribers can monitor changes, internal audit can assess the CSP, and professionals can perform independent audits of the CSP.
• The CSP might distribute information security news in a blockchain, providing notifications or alerts to its subscribers about incidents or events such as new vulnerabilities in a reliable manner. Today, this information is typically provided via emails or blogs.
• The CSP might issue information security details in a blockchain, providing real-time data about its controls. In this manner, existing subscribers can monitor the CSP for its dependability, consistency, and overall trustworthiness. Another name for this would be compliance.

Hence, the concept of using blockchains to record and verify CSP compliance data is not as farfetched as might have been initially considered. For cloud subscribers to gain such assurance, and to exercise due diligence in the conduct of their governance and risk management responsibilities, they need some insight into what goes on under the covers at their CSP. Cloud subscribers need the same types of operational evidence of compliance from their CSP that they would expect their internal IT departments to provide. Whether an organization’s data is inside its own infrastructure or floating around in the cloud, informed information security management practices still depend on access to the basics: vulnerability scan results, penetration test results, system logs, application logs, analytical results, security alerts, and summarized information. Compliance evidence must have origin authenticity, data integrity, and often confidentiality safeguards that prohibit access by attackers and other unauthorized individuals.

The attractiveness of the Bitcoin blockchain includes its decentralization. Bitcoin spenders submit their transactions (signature, inputs, outputs) to multiple Bitcoin nodes such that the transaction gets published in the next block, which is originated by the next miner to solve the hash puzzle. The idea is that the amount of work to perpetrate fraud far exceeds the work factor for mining. Sometimes a race condition creates a bifurcated blockchain generated by two different Bitcoin nodes; however, consensus processing will eventually prune the blockchain to only one authentic version. There is no central authority that provides a processing choke point, a single point of failure, or a single point of attack.

However, blockchain management is not without its problems. There are orphaned blocks, which are valid but did not make it into the main Bitcoin chain. There are always unconfirmed transactions waiting for the next block, which might get lost during the bifurcation and pruning process. There are double spends, transactions where the same Bitcoin fractions get spent by the same entity to two different receivers. There are strange transactions, where the syntax or semantics are invalid. And there are outright rejected transactions dropped by Bitcoin nodes that never get included in the chain. Some of these might be processing errors due to software bugs, Bitcoin versions, or rules issues. Alternatively, some transactions might be fraudulent in nature. Bitcoin fraud management is relatively nascent, and without a central authority there are no arbitration or adjudication programs available.

Bitcoin information is publicly accessible by definition. Hash algorithms provide the links between blocks and transactions, and digital signatures provide transaction integrity and authentication. Non-repudiation is not feasible as Bitcoin identifiers support anonymity, and the lack of arbitration does not meet the legal needs discussed in the Digital Signature Guidelines [4] and the PKI Assessment Guideline [5]. Further, the Bitcoin blockchain does not offer data confidentiality. Some of the cloud service provider’s information security management data is sensitive such that it might need to be encrypted, but only accessible by authorized clients or regulatory bodies. Thus, key management schemes need to be considered.

There is also growing interest in cloud data confidentiality and user anonymity. In a paper presented at the Security Standardization Research (SSR) 20158 conference held recently in Tokyo, Japan, researchers McCorry, Shahandashti, Clarke, and Hao proposed a new category of Authenticated Key Exchange (AKE) protocols. These new protocols, which “bootstrap trust entirely from the blockchain,” are identified by the authors as “Bitcoin-based AKE” [6]. The SSR 2015 paper describes two new protocols, one with a guarantee of forward secrecy, and offers proof-of-concept prototypes with experimental results to demonstrate their practical feasibility. Both protocols provide greater anonymity than can be achieved using digital certificate or password-based AKE.

Following the guidance of international security standards can help ensure that the same information security policies used to manage risk when information systems reside in traditional non-cloud environments are also applied in the cloud. Recently, the big three international security standardization bodies published Recommendation ITU-T X.1631 | ISO/IEC 27017 Code of practice for information security controls based on ISO/IEC 27002 for cloud services.9 This standard builds on selected parts of the familiar ISO/IEC 27002 Code of practice for information security management10 but adds additional cloud-specific recommendations and guidance.

Although ITU-T X.1631 | ISO/IEC 27017 provides important recommendations and guidance, it contains no actual requirements. Conversely, the draft X9.125 standard hardens the ISO, IEC, and ITU-T recommendations and guidance into a set of specific information security management requirements. Where ITU-T X.1631 | ISO/IEC 27017 relies on clauses 5 through 18 of the ISO/IEC 27002 Code of Practice, X9.125 defines requirements based on comparable clauses in the ISO/IEC 27001 Information security management systems – Requirements.11

8 http://www.ssr2015.com/.

Conclusions

Blockchains, a decades old cryptographic technology, have become a creature of the Cloud. Their adoption and use carry many of the same security concerns as other cloud-based applications and services. But for blockchains to be trusted in the current financial services regulatory environment, and for them to be widely adopted, blockchain-based systems must comply with an organization’s existing security policy and practices. Many of the policies needed to manage blockchains and other cloud-based deployments are the same as those used to manage security risk within an organization. Organizations must continue to manage risk and fully exercise their information security governance responsibilities regardless of where their data and applications roam. Cloud subscribers need the ability to verify that their cloud service providers are securing information in a manner compliant with established requirements.

ASC X9 is currently developing the X9.125 standard with the option of the United States submitting the work to ISO for international standardization. Once the cloud security requirements have been completed, the corresponding compliance data might be encapsulated in a publicly available or privately provided blockchain. Cloud subscribers, internal or external auditors, regulators, or any independent third-party assessor should be able to validate the CSP by verifying its information security blockchain.

This article is also a call for participation. Cloud service providers, cloud subscribers, or organizations that are interested in the development of the X9.125 standard are encouraged to contact ASC X9 or the X9F4 work group chair. Participation by any X9 member is welcomed. Once the X9.125 standard is approved as a new ANSI standard, the possibility of it being submitted to ISO as a USA offering is something that will be seriously considered with the appropriate organizations’ support.

9 http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43757.
10 http://www.iso.org/iso/catalogue_detail?csnumber=54533.
11 https://en.wikipedia.org/wiki/ISO/IEC_27001:2013.

References
1. King, Douglas. (2015). Banking Bitcoin-Related Businesses: A Primer for Managing BSA/AML Risks. Federal Reserve Bank of Atlanta. Retrieved November 19, 2015, from https://www.frbatlanta.org/-/media/Documents/rprf/rprf_pubs/2015/banking-Bitcoin-related-businesses.pdf.
2. Merkle, R. C. (1988). “A Digital Signature Based on a Conventional Encryption Function.” Advances in Cryptology — CRYPTO ’87. Lecture Notes in Computer Science 293. p. 369. doi:10.1007/3-540-48184-2_32. ISBN 978-3-540-18796-7. US Patent 4309569, Method of Providing Digital Signatures, Ralph C. Merkle, January 5, 1982.
3. Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, Bitcoin.org, retrieved 31 October 2008, https://bitcoin.org/bitcoin.pdf.
4. ISC, Digital Signature Guidelines, Legal Infrastructure for Certification Authorities and Secure Electronic Commerce, Information Security Committee (ISC), Electronic Commerce and Information Technology Division, Section of Science and Technology, American Bar Association (ABA), ISBN 1-57073-250-7, August 1996.
5. ISC, PKI Assessment Guideline (PAG), Information Security Committee (ISC), Electronic Commerce Division, Section of Science & Technology Law, American Bar Association (ABA), ISBN 1-57073-943-9, June 2001.
6. Patrick McCorry, Siamak F. Shahandashti, Dylan Clarke, Feng Hao, Authenticated Key Exchange over Bitcoin, Security Standardisation Research, Volume 9497, Lecture Notes in Computer Science, pp 3-20, December 9, 2015 – retrieved November 8, 2015, from http://eprint.iacr.org/2015/308.pdf.
7. Douglas King, Retail Payments Risk Forum Working Paper, Federal Reserve Bank of Atlanta, October 2015.

About the Authors
Phillip H. Griffin, CISM, has over 20 years experience in the development of commercial, national, and international security standards and cryptographic messaging protocols. Phil has a Master’s of Information Technology, Information Assurance and Security degree, and he has been awarded nine US patents at the intersection of biometrics, radio frequency identification (RFID), and information security management. He may be reached at [email protected].

Jeff Stapleton has been an ISSA member and participated in X9 for over twenty years; he has contributed to the development of over three dozen X9 and ISO security standards, and has been the chair of the X9F4 work group for over 15 years. The X9F4 work group’s program of work includes the five-year review of two published standards (X9.73, X9.84) and development of three new standards (X9.112, X9.122, X9.125) in addition to supporting ISO standard efforts. He may be reached at [email protected].

Why Risk Management Is Hard
By Luther Martin – ISSA member, Silicon Valley Chapter and Amy Vosters


Abstract

Risk management is harder than we would like it to be because people do not think rationally. Our built-in irrational biases affect all of the decisions that we make, and this includes how we choose to manage risks. Fortunately, we now understand how our biases work, so we can account for them and avoid making some of the bad decisions that they might lead us to make. Doing this can let us make an information security strategy more effective, and one that gives the best return on the investment made in implementing it.

Information security fundamentally concerns managing the risks associated with IT systems, and risk management fundamentally concerns making decisions under uncertainty. This is something that people generally do not do well, and understanding both how and why our brains seem to make this so hard can be useful.

A part of psychology known as “prospect theory” provides a good way to do this. It also explains the differences between how we should think about risk and how we really think about risk. Understanding this can help provide the best value from limited IT security budgets, so it should be interesting to anyone working in the IT security industry.

The fact that even the most expert opinions, including those of information security experts, are almost certainly biased has been known for many years: it was noted in 1995 by Barbara Guttman and Edward Roback1 and in 2000 by Kevin Soo Hoo.2 Unfortunately, the complexity of the models used to explain these biases often made them inaccessible to non-specialists.

A good model is hard to find

There is a popular theory that we prefer to use one side of our brain more than the other. If you prefer to use the right half of your brain, this theory tells us, you tend to be artistic and creative, and if you prefer to use the left half of your brain, you tend to be precise and analytic. There are lots of both books and online quizzes that can help you tell which side of your brain you prefer and how to use this information to help you find jobs that are best suited to your preferred way of thinking.

But research using functional magnetic resonance imaging (fMRI) seems to support the idea that the left brain-right brain model actually has no basis in fact.3 This does not mean that the model is not useful, however. The left brain-right brain model may give us some useful insights into some aspects of our personalities, even if it does not survive a careful look by scientists. Apparently, finding a good balance between scientific facts and a useful model is harder than we might like it to be.

For example – hot water freezes faster than cold water. Or does it?

1 B. Guttman and E. Roback, An Introduction to Computer Security: The NIST Handbook, NIST Special Publication 800-12, October 1995.
2 K. Soo Hoo, How much is enough? A risk management approach to computer security, Stanford, CA: Stanford University, 2000.
3 J. Nielsen, B. Zielinski, M. Ferguson, J. Lainhart and J. Anderson, “An Evaluation of the Left-Brain vs. Right-Brain Hypothesis with Resting State Functional Connectivity Magnetic Resonance Imaging,” PLoS ONE, Vol. 8, No. 8, 2013.
It also explains the differences between pects of our personalities, even if it does not survive a careful how we should think about risk and how we really think about look by scientists. Apparently, finding a good balance be- risk. Understanding this can help provide the best value from tween scientific facts and a useful model is harder than we limited IT security budgets, so it should be interesting to any- might like it to be. one working in the IT security industry. For example – hot water freezes faster than cold water. Or The fact that even the most expert opinions, including those does it? of information security experts, are almost certainly biased has been known for many years: it was noted in 1995 by Bar- bara Guttman and Edward Roback1 and in 2000 by Kevin Soo 2 K. Soo Hoo, How much is enough? A risk management approach to , Stanford, CA: Stanford University, 2000. 3 J. Nielsen, B. Zielinski, M. Ferguson, J. Lainhart and J. Anderson, “An Evaluation 1 B. Guttman and E. Roback, An Introduction to Computer Security: The NIST of the Left-Brain vs. Right-Brain Hypothesis with Resting State Functional Handbook, NIST Special Publication 800-12, October 1995. Connectivity Magnetic Resonance Imaging,” PLoS ONE, Vol. 8, No. 8, 2013.


A cup filled with cold water at 0.01º C will probably freeze faster than the same cup of hot water at 99.99º C, and a small drop of cold water will probably freeze faster than a gallon jug full of hot water. So it is certainly the case that hot water does not always freeze faster than cold water. But it is true in some cases, and there are enough of these cases to make the property interesting.

In particular, if you use the tap in your kitchen sink to fill two ice cube trays—one with hot water and the other with cold water—and then put them into your freezer, you are in the realm of the interesting cases, and you will probably see the hot water freeze faster than the cold water.

The fact that hot water sometimes freezes faster than cold water is called the “Mpemba effect” after Erasto Mpemba, who brought it to the attention of the scientific community in 1963 while he was a high-school student in Tanzania.4 It turns out that stating the Mpemba effect in a way that is possible to verify experimentally is fairly tricky. You probably need something like this: there exists a set of physical parameters and a pair of temperatures such that, given two samples of water identical in these parameters and differing only in their initial uniform temperatures, the hotter of the two will freeze sooner.

If that is what it takes to carefully state the Mpemba effect, it is easy to see why just saying that hot water freezes faster than cold water is preferred by most people, even if it is not quite accurate.

Similarly, even though the left brain-right brain model may not be very accurate, it seems to explain enough of what we experience to be useful. But it also seems reasonable to ask if there is a way to use what science tells us about how our brains operate to create a better model—perhaps one that lets us predict things that the left brain-right brain model does not. This is not too hard to do, although it does require a slightly more complicated model. And this model turns out to be particularly relevant to understanding how we understand and manage risk.

The evolution of understanding risk

The simplest and earliest model for understanding risk and how we make decisions in the face of uncertainty was based on expected value calculations. This is exactly what we do in the annual loss expectancy (ALE) model that most information security professionals learn at some point.

In this model we calculate the risk (R) to be the amount of a loss (L) multiplied by the probability of the loss happening (P). We often summarize this in the equation

R = P x L

So, if we have an uncertain event that will happen with a probability of 10 percent (P = 0.1) and will cause a loss of $1 million when it happens (L = $1 million), this represents $100,000 of risk, which we calculate as

R = P x L = (0.1) x ($1 million) = $100,000

If you set the time period for the variables in this calculation to exactly one year, so that P represents the probability of an event happening in a one-year period, you get the ALE model.

This may make perfect sense mathematically, but it does not reflect how our brains seem to understand risk. It is easy to create experiments that show that the expected value model does not always predict how we make choices. The most famous example of this is probably the St. Petersburg paradox.

In the St. Petersburg paradox, we have a game in which the winnings are determined as follows (we assume that a player pays a fixed amount to play this game):

• We start with a $1 pot
• We then flip a fair coin until it comes up “heads,” and the amount that the player wins doubles after each flip of the coin
• If “heads” comes up on the first flip, the player wins $2 (which happens with probability 1/2)
• If it comes up on the second flip, the player wins $4 (which happens with probability 1/4)
• If it comes up on the third flip, the player wins $8 (which happens with probability 1/8), etc.
• Players win the game if their winnings from the game are more than they paid to play it, and they lose if their winnings are less than what they paid to play it

It turns out that the expected amount that a player will win from playing this game is infinite. We can see this by calculating the expected value of what a player of this game will win as the sum of the gains from each outcome multiplied by the probability of the respective outcome happening:

E = (1/2)($2) + (1/4)($4) + (1/8)($8) + …
= $1 + $1 + $1 + …

So the expected value is indeed infinite.

Even though this game promises a high average amount of winnings to its players, people are typically hesitant to pay much to play this game. It is hard to find someone willing to pay more than $25 to do this, even though a little math tells us that they should expect to win a very large amount by playing it.5

Researchers were puzzled by this apparent discrepancy for many years, but in 1738 mathematician David Bernoulli described a way to understand it that was based on replacing the monetary gain in this game by “utility,” a more generalized way to measure the benefit provided by something of value.6 Utility includes all non-monetary ways in which we might value things. If we prefer a certain brand of car, for example, that preference can be included in our utility for a car, even if the dollar value of the car does not reflect this preference. Utility is an easy way to account for all of our emotional and irrational biases that affect how we make decisions.

4 E. Mpemba and D. Osborne, “Cool?” Physics Education, Vol. 4, No. 3, pp. 172–175, 1969.
5 I. Hacking, “Strange Expectations,” Philosophy of Science, Vol. 47, No. 4, pp. 562-567, 1980.
6 D. Bernoulli, “Specimen theoriae novae de mensura sortis,” Commentarii Academiae Petropolitanae, Vol. 5, No. 1730-1, pp. 175-192, 1738. Translated and reprinted as D. Bernoulli, “Exposition of a New Theory on the Measurement of Risk,” Econometrica, Vol. 22, No. 1, pp. 23-36, 1954.

To explain the St. Petersburg paradox, Bernoulli argued that although the monetary gain from consecutive “heads” outcomes grew very quickly, the utility from them did not, which resulted in a finite level of utility from the game instead of an infinite one. His argument was roughly that the utility that you get from an additional dollar depends on how much money you currently have—in particular, it decreases as the amount of wealth you have increases. If you have no money at all, an additional $100 is very valuable to you—it can be the difference between starving and not starving. But if you have $1 million, an additional $100 is probably not as valuable to you. From this point of view, the utility of larger and larger gains that a player could win in the St. Petersburg paradox game might not increase as quickly as the dollar value of the gains themselves, and this could easily reduce the infinite expected value of the game to a finite one.

Researchers eventually generalized this idea to the expected utility model.7 In this model, a decision-maker uses an expected utility to make a decision, where the expected utility is the weighted sum of the probabilities of outcomes (denoted P) and some complicated utility function (denoted u) that tells us the utility associated with the corresponding outcomes. This utility function can represent any factors that might make one outcome preferable to another. It might include financial information, like the dollar value of a loss or gain, but it can also include other information, like which color or brand a person might prefer—things that are better modeled by utility than by a purely financial measure. And just like we might think of the expected value to be the average monetary gain or loss from an uncertain event, we can think of expected utility as the average gain or loss in utility from an uncertain event. Researchers also assumed that utility functions have a certain level of logical consistency. For example, if someone preferred outcome A to outcome B, and preferred outcome B to outcome C, then they would always prefer outcome A to outcome C.

Because a utility function can be arbitrarily vague, it might seem reasonable to believe that the expected utility model can explain any behavior at all. But in 1953, Maurice Allais, winner of the 1988 Nobel Prize in Economics, found examples where expected utility theory could not explain the way people behave, no matter how clever a utility function we try to use.8 More precisely, if we use any function from expected utility theory to explain the behavior that Allais noted, we will always end up with an inconsistent result—the so-called Allais paradox.

7 J. Von Neumann and O. Morgenstern, Theory of Games and Economic Behavior, Princeton University Press, 1944.
8 M. Allais, “Le comportement de l’homme rationnel devant le risque: critique des postulats et axiomes de l’école Américaine,” Econometrica, Vol. 21, No. 4, pp. 503–546, 1953.

The Allais paradox seemed to indicate that finding a theory that explained how we make decisions under uncertainty was going to be harder than we might have hoped. The fact that it, and many other examples, seemed to conclusively show that the expected utility model did not adequately explain how people actually make decisions led economists Mathew Rabin and Richard Thaler to recall the “dead parrot” sketch from Monty Python’s Flying Circus when they noted that “it is time for economists to recognize that expected utility is an ex-hypothesis.”9 The logical consistency required by the expected utility model seemed to make sense, but it ended up being a fatal flaw.

The 1979 work of Daniel Kahneman and Amos Tversky eventually provided a way to make sense of the shortcomings in expected utility theory. This insight was so important that Kahneman shared the 2002 Nobel Prize in Economics for the work that he did with Tversky in this area. (Tversky had unfortunately died by the time the significance of this work was recognized.) Their research led to the development of prospect theory,10 which finally seemed to provide a good framework for understanding the puzzling aspects of how we make decisions in the face of uncertainty.11 (Kahneman has said that the term “prospect theory” was chosen to be intentionally vague, so it should not be surprising if it does not easily suggest what the theory actually describes.)

Prospect theory

Kahneman and Tversky noticed that the results of many different experiments showed the same general patterns: people think in terms of a gain or loss relative to their current state instead of the absolute magnitude of the gain or loss; people discount larger gains, much like Bernoulli’s model suggested; and people tend to be averse to losses.

To model these observations, prospect theory assumes that people make decisions based on two generalized functions: a weighting function p that generalizes the probability function P from expected utility theory and a value function v that generalizes the utility function u from expected utility theory. And while expected utility theory required a certain level of logical consistency across the utilities assigned to outcomes, prospect theory relaxed this requirement.

This seems to make prospect theory a very reasonable next step past expected utility theory. And because it can explain the cases where expected utility theory failed to do so, it seems like a very useful model. The Allais paradox is no longer a paradox if we can explain it using prospect theory, for example.

This is getting dangerously close to the sort of broad and almost-accurate generalization that we make when we say that hot water freezes faster than cold water, but one of the big ideas that made prospect theory more than just a generalization of expected utility theory was that it turned out to have a basis in how our brains operate. In particular, the interaction of two different types of thought processes seems to provide a good basis for what prospect theory describes.

One of these processes is fast and intuitive. This type of thinking was popularized by Malcolm Gladwell’s book Blink.12 The other is slow and deliberate. The differences between the two ways of thinking were popularized by Daniel Kahneman’s book Thinking Fast and Slow.13 The fast and intuitive way of thinking is attributed to the brain’s notional System 1, and the slow and deliberate way of thinking is attributed to the brain’s notional System 2. And although the connections in our brains are almost certainly more complicated than what can be easily described by a simple two-system model, fMRI scans of the brain seem to suggest that our brains do function this way, at least at a high level.14

It is easy to tell when our brains engage System 2: our pupils dilate and our heart rate increases.15 Thinking carefully is hard work. Because it is hard, our brains are not fond of the precise thinking that System 2 does, so we tend to just use the fast yet inaccurate System 1 whenever possible. And this includes many situations where System 1 tends to give us the wrong answer.

This can be illustrated by the so-called Moses illusion: when asked “How many animals of each kind did Moses take onto the ark?” most people do not notice that it is a trick question designed to take advantage of the way our brains operate.16 Moses took no animals onto the ark—Noah did. But because both Moses and Noah are biblical characters, the question passes the limited level of plausibility checking that System 1 does, and most people give the wrong answer.

Similarly, most people incorrectly answer the bat-and-ball problem: a ball and bat together cost $1.10, the bat costs $1 more than the ball, how much does the ball cost? Even people who are very proficient at algebra often give the incor
rect answer of $0.10.17 (The correct answer is that the ball costs $0.05.) But because this incorrect answer passes the limited plausibility checking that System 1 does (it “looks” right, doesn’t it?), most people are unwilling to expend the addi-

9 M. Rabin and R. Thaler, “Anomalies: Risk Aversion,” Journal of Economic Perspectives, Vol. 15, No. 1, pp. 219-232, 2001.
10 D. Kahneman and A.
12 M. Gladwell, Blink: The Power of Thinking without Thinking, Back Bay Books, 2007.
13 D. Kahneman, Thinking Fast and Slow, Farrar, Straus and Giroux, 2012.
14 V. Goel and R. Dolan, “Explaining modulation of reasoning by belief,” Cognition, Vol. 87, No. 1, pp. B11–B22, 2003.
15 D. Kahneman, Attention and Effort, Prentice-Hall, 1973.
But because think in terms of a gain or loss relative to their current state both Moses and Noah are biblical characters, the question instead of the absolute magnitude of the gain or loss; people passes the limited level of plausibility checking that System 1 discount larger gains, much like Bernoulli’s model suggested; does, and most people give the wrong answer. and people tend to be averse to losses. Similarly, most people incorrectly answer the bat-and-ball To model these observations, prospect theory assumes that problem: a ball and bat together cost $1.10, the bat costs $1 people make decisions based on two generalized functions: more than the ball, how much does the ball cost? Even peo- a weighting function p that generalizes the probability func- ple who are very proficient at algebra often give the incorrect tion P from expected utility theory and a value function v answer of $0.10.17 (The correct answer is that the ball costs that generalizes the utility function u from expected utility $0.05.) But because this incorrect answer passes the limit- theory. And while expected utility theory required a certain ed plausibility checking that System 1 does (it “looks” right, level of logical consistency across the utilities assigned to out- doesn’t it?), most people are unwilling to expend the addi- comes, prospect theory relaxed this requirement. This seems to make prospect theory a very reasonable next 12 M. Gladwell, Blink: The Power of Thinking without Thinking, Back Bay Books, 2007. step past expected utility theory. And because it can explain 13 D. Kahneman, Thinking Fast and Slow, Farrar, Straus and Giroux, 2012. 14 V. Goel and R. Dolan, “Explaining modulation of reasoning by belief,” Cognition, 9 M. Rabin and R. Thaler, “Anomalies: Risk Aversion,”Journal of Economic Vol. 87, No. 1, pp. B11–B22, 2003. Perspectives, Vol. 15, No. 1, pp. 219-232, 2001. 15 D. Khaneman, Attention and Effort, Prentice-Hall, 1973. 10 D. Kahneman and A. 
Tversky, “Prospect Theory: An Analysis of Decision under 16 T. Erickson and M. Mattson, “From words to meaning: A semantic illusion,” Journal Risk,” Econometrica, Vol. 47, No. 2, pp. 263-291, 1979. of Verbal Learning and Verbal Behavior, Vol. 20, No, 5, pp. 540–551, 1981. 11 http://www.nobelprize.org/nobel_prizes/economic-sciences/laureates/2002/ 17 S. Frederick, “Cognitive Reflection and Decision Making,”Journal of Economic kahneman-bio.html. Perspectives, Vol. 19, No. 4, pp. 25-42, 2005.

30 – ISSA Journal | January 2016 Why Risk Management Is Hard | Luther Martin and Amy Vosters tional effort that engaging the careful and analytic System 2 precise and analytic metric. If you prefer a red car, you should requires, even though it is typically needed to find the correct feel free to buy a red car, even if it costs more than an identical answer. blue model. But when we are making decisions about how to The fast but inaccurate System 1 seems to significantly affect make investments in information security technologies, we how we make decisions under uncertainty. This influence is need to be more careful. These types of decisions need to be shown in figure 1. In the absence of any input from System as precise and analytic as possible. 1, we should expect our precise and analytic System 2 to put We need to ensure that we are making the best possible in- the same emotional value on an outcome v(x) as the absolute vestments if we want to get the best possible advantage from monetary value x of the outcome. This is shown by the dashed our limited information security budgets. And we need to line in figure 1. As prospect theory suggests, the zero point for ensure that we are getting the best possible advantage from value in this graph represents the reference point from which the overall investment in information security, because the we measure gains and losses from, not the absolute quantity same funding might be put to a better use in another part of of interest. a business. If we were perfectly rational, there would be no difference But these are also the very types of decisions that our brains between the way that we make decisions, both with account- do not handle well. 
Research has even suggested that our ing for any irrational biases and without accounting for any initial emotional response is often different than what we irrational biases, and the dashed line in figure 1 shows how would decide after a careful and thoughtful review of all of this situation would look, where the value v(x) of an outcome the facts.18 So, although falling prey to the quirks of how our exactly matches the purely monetary value x of the outcome. brains work is very easy to do and very hard to avoid, it is But because we do not think perfectly rationally, we deviate definitely worth trying to avoid. from this ideal scenario, and we deviate from it in differ- Even though it seems that our brains do not use an expected ent ways for gains than for losses. For gains (the part of the value calculation to assign relative values to uncertain out- graph to the right of the O point), the lower values that we comes, this is the best possible way to compare investments give to larger and larger gains reflect the diminishing utility in information security technologies, where we are more con- that Bernoulli used to explain the St. Petersburg paradox. For cerned with maximizing the return on the investments in- losses (the part of the graph to the left of the O point), the even stead of doing things that we would like or prefer to do. This lower values reflect the fact that we seem to be hard-wired to means that we need to make an effort to carefully gather data be averse to losses, something that was probably very useful that is as accurate as possible and to use that data in mod- for ensuring our survival in ancient times. els that are as accurate as possible to get the best decision on what investments to make. 
For a security-relevant application of how the biases de- scribed by prospect theory can affect the decisions that we make, consider the 2000 Stanford doctoral dissertation of Kevin Soo Hoo,19 in which he did a careful cost-benefit anal- ysis of many information security technologies. His results were somewhat surprising: some technologies that are widely used seem to be hard to justify, while other technologies that are not widely used seem to be easy to justify. And while no one has taken the time and effort to argue that Soo Hoo’s re- sults are inaccurate or incorrect, they are widely ignored by the information security community. Perhaps prospect theo- ry can explain this behavior. First, Soo Hoo’s work involved analyzing data and building mathematical models from it. This is clearly the sort of ma- terial that requires us to use our System 2 thinking to under- stand, and that is something that we generally do not want to do. Because of this, we should not find it surprising that very few people have spent the time and effort needed to under- stand these models. Figure 1 – Value v(x) vs. monetary gain or loss x according to prospect And consider what might happen if we were to do what Soo theory Hoo’s analysis suggests. In one case, we could adopt new Why this matters 18 M. Bazerman, A. Tenbrunsel and K. Wade-Benzoni, “A behavioral decision theory perspective to environmental decision making,” in D. Messick ad A. Tenbrunsel Individuals should feel free to make decisions that only affect (eds.), Ethical Issues in Managerial Decision Making, Russel Sage, 1998. them based upon their personal preferences instead of on a 19 K. Soo Hoo, ibid.

technologies that are not currently used. In this case, there are possible gains from using these additional technologies. But we are inclined to discount these potential gains, perhaps valuing a $3 million savings as if it were only a $2 million savings, possibly making the new technologies seem less appealing than they should.

In the other case, we could discontinue the use of the technologies that may not be worth using because they cost more than the benefits that they provide. If we did this, it is possible that hackers could take advantage of the reduced defenses. In fact this is almost certain to happen, but Soo Hoo’s analysis tells us that the cost of the additional damage caused by this is probably less than the cost of using the discontinued technologies. But because we are strongly averse to losses, it should not be surprising that we are inclined not to follow this particular recommendation.

So, even if Soo Hoo’s results are correct, we should not be surprised that they have not been generally read, understood, or acted upon by the information security industry. In fact, we should expect the opposite—that they would generally not be read, understood, or acted on—which is indeed what we have seen.

Understanding the limitations imposed by how we think can have many other benefits. The book Judgment in Managerial Decision Making, by Max Bazerman and Don Moore, provides a good overview of the cognitive errors that people tend to make as well as ways to prevent them. One of the most significant of these is overconfidence, which the authors call “the mother of all biases,” and it often causes IT projects to fail.

Most software projects fail in some way, and information security projects are no exception to this general rule. The Standish Group, a specialized IT consultancy, has tracked how successful software projects are since its founding in 1985. Since 1995 it has published its annual CHAOS Report, which tracks how successful software projects are and what factors contribute to the failure of unsuccessful projects. The Standish Group has consistently found that software projects typically end up challenged in some way: they end up taking longer than anticipated, costing more than budgeted, or delivering fewer capabilities than originally planned. Unrealistic expectations are often a contributing factor to failed projects, and this can often be explained by the cognitive bias of overprecision, one way in which overconfidence is manifested.

Overprecision is the tendency to be overly sure that our judgments are accurate. We tend not to test our assumptions, and we dismiss evidence that suggests that we might be wrong. As a result, we tend to estimate overly narrow confidence intervals for the cost and schedule of projects, for example.

Instead of estimating that a project might take 12 months, with a 90 percent chance of it being completed in the range of 6 to 18 months, we might make a much more precise estimate that is not very realistic, perhaps estimating a range of 10 to 14 months for this project. But if the wider interval is a more accurate reflection of reality, we will often see the narrower estimate turn out to be wrong. A project that ends up taking 16 months is in the range of expected values for the wider interval, but not for the narrower one. So an inaccurate estimate of how long the project should take can make the difference between an apparent success and an apparent failure.

Overconfidence can be a particularly insidious problem because the people who are affected the most by it are also the people who are the most unaware that it is a problem for them. This was noted by Justin Kruger and David Dunning in 1999,[20] although people probably suspected that this was the case for hundreds of years before its first careful description: people who do not know what they do not know are often trouble.

Summary

Prospect theory is a logical next step in the evolution of how we understand decision making under uncertainty, but it is also clearly inadequate in some ways. It assumes that people make decisions based on the short-term emotional impact of decisions instead of on the potential long-term implications of the decisions. And it does not account for how the very real emotions of disappointment and regret affect our decision-making. Theories that model these additional factors are both more complicated than prospect theory and do not yet offer any significant advantages over it. Because of this, prospect theory has become the leading model for explaining decision-making under uncertainty, but it is certainly possible that it will be replaced by a different model in the future.

Until then, it provides a good way to understand many of the errors that we will tend to make. We are not as smart as we would like to be, but if we are careful, we can be smart enough to avoid the problems that our brains can cause us.

It is fairly common to hear that to be successful in the information security industry, you need to understand how your adversaries think. Perhaps it is equally important to understand how people think. When we do that, we can do a reasonable job of avoiding our built-in biases and allocate resources in ways that create the best possible information security solutions.

About the Authors

Luther Martin is a Distinguished Technologist at Hewlett Packard Enterprise. You can reach him at luther.mar[email protected].

Amy Vosters is a marketing manager at SOASTA. You can reach her at amy_vosters@yahoo.com.

[20] J. Kruger and D. Dunning, “Unskilled and Unaware of It: How Difficulties in Recognizing One’s Own Incompetence Lead to Inflated Self-Assessments,” Journal of Personality and Social Psychology, Vol. 77, No. 6, pp. 1121–1134, 1999.
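The adopt-or-discontinue cases in the Soo Hoo discussion above can be made concrete by scoring one decision two ways: as the expected value that a careful System 2 analysis computes, and as the prospect-theory value, the sum of π(p)·v(x) over the outcomes, that the article's figure 1 describes. The Python below is an added example and is not code from the article or its authors. It assumes the Tversky and Kahneman (1992) functional forms for v(x) and π(p) with that paper's median parameters (α = β = 0.88, λ = 2.25, γ = 0.61); the article gives no functional form. The two cases and their dollar figures are constructed, not Soo Hoo's numbers, and each component of a decision is valued on its own against the status quo (narrow framing), so the listed probabilities need not sum to one.

```python
"""Expected value versus prospect-theory value of a security investment.

Added example; not from the article.  v(x) and pi(p) follow Tversky &
Kahneman (1992) with their median parameters (an assumption: the article
gives no functional form).  Cases and dollar amounts are constructed.
"""
from typing import Dict, List, Tuple

ALPHA = 0.88    # curvature of v(x) for gains: diminishing sensitivity
BETA = 0.88     # curvature of v(x) for losses
LAMBDA = 2.25   # loss aversion: a loss hurts about 2.25x an equal gain
GAMMA = 0.61    # probability weighting: overweights small p, underweights large p

# One component of a decision: (probability, gain (+) or loss (-) in dollars
# relative to the reference point, i.e. the status quo).
Component = Tuple[float, float]


def value(x: float) -> float:
    """v(x): concave above the reference point, convex and steeper below it
    (the curve in the article's figure 1; the dashed line there is v(x) = x)."""
    if x >= 0.0:
        return x ** ALPHA
    return -LAMBDA * ((-x) ** BETA)


def weight(p: float) -> float:
    """pi(p): the decision weight that replaces the raw probability."""
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    pg, qg = p ** GAMMA, (1.0 - p) ** GAMMA
    return pg / (pg + qg) ** (1.0 / GAMMA)


def expected_value(components: List[Component]) -> float:
    """What a System 2 calculation returns: sum of p * x, i.e. v(x) = x."""
    return sum(p * x for p, x in components)


def prospect_value(components: List[Component]) -> float:
    """Sum of pi(p) * v(x): how the same decision is felt, each component
    valued on its own against the status quo (narrow framing)."""
    return sum(weight(p) * value(x) for p, x in components)


def recommend(components: List[Component]) -> Tuple[bool, bool]:
    """(the analysis says go ahead, the gut says go ahead)."""
    return expected_value(components) > 0.0, prospect_value(components) > 0.0


# Case 1 (constructed): adopt an under-used control the analysis favours.
# 50%: it saves $3M over its life.  50%: it never pays off and $2M is wasted.
ADOPT: List[Component] = [(0.5, 3_000_000.0), (0.5, -2_000_000.0)]

# Case 2 (constructed): discontinue a widely used control that costs $2M.
# The saving is certain; with 90% probability some extra damage ($1.5M)
# follows, booked as a separate loss rather than netted off the saving.
DISCONTINUE: List[Component] = [(1.0, 2_000_000.0), (0.9, -1_500_000.0)]


def compare_cases() -> Dict[str, Dict[str, float]]:
    """Score both cases each way; the two signs disagree for both cases."""
    return {
        name: {"expected_value": expected_value(c), "prospect_value": prospect_value(c)}
        for name, c in (("adopt", ADOPT), ("discontinue", DISCONTINUE))
    }


if __name__ == "__main__":
    for name, scores in compare_cases().items():
        print(f"{name:12s} EV = {scores['expected_value']:>12,.0f}   "
              f"PT = {scores['prospect_value']:>12,.0f}")
```

Both cases have a positive expected value (+$500,000 and +$650,000) and a negative prospect value. In the adopt case the $3M gain is worth only about 1.43 times the $2M loss on the concave side of the curve, and the loss side is 2.25 times steeper, so the gamble feels like a loser even though a System 2 calculation says take it. In the discontinue case the certain saving cannot outweigh a probable loss that is booked separately and weighted by λ. That is the mechanism the article proposes for why analysis-backed recommendations like Soo Hoo's go unacted upon.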


Securing the Cloud By Barettè Mort – ISSA member, North Texas Chapter

This article discusses cloud environments and focuses on security issues in the areas of availability, privacy, and reliability.

Abstract Research was performed to identify security risks and vulnerabilities of cloud computing. This article will dis- cuss cloud environments and focus on security issues in the areas of availability, privacy, and reliability. Al- though the challenges of cloud computing are under- scored by the ongoing rapid advancement of technology, the community is encouraged to plan proper layers of defense and continually seek prospective solutions and opportunities.

Figure 1 – Service model functionality

Cloud computing has numerous advantages: the ability to store and access data from any location or device, and the ability to run applications, work remotely, back up data, store photos, share files, perform data analytics, and more over the Internet. However, it inherits many of the Internet’s weaknesses and vulnerabilities.

Cloud computing is defined by National Institute of Standards and Technology (NIST) Special Publication 800-145 (http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf) as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST 800-145 also highlights the key characteristics that distinguish cloud computing from the traditional information technology (IT) networked environment: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Additional benefits of cloud computing that require less financial commitment from consumers are its scalability and flexibility.

Layers of the cloud support and deliver different services. These layers, referred to as service models, are known as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) [18]. IaaS consists of components such as hardware, network, and operating systems. The vendor possesses ultimate control over the infrastructure, and the user has capabilities such as managing storage, performing backups, or deploying virtual machines (VMs). At the IaaS level, the user also assumes responsibility for securing everything deployed on that infrastructure. With PaaS the vendor provides platform services that rest on top of IaaS and offers capabilities such as databases, web servers, runtime environments, and software applications. The user has the ability to utilize these capabilities for activities such as developing software, source control, and database design. In this environment the system tools are usually provided, maintained, and supported by the PaaS vendor. SaaS provides the user with tools such as games, email, and virtual desktops. SaaS users have no control over the infrastructure or the application platform and access the service via the Internet [17]. There are networks connecting these service models, and depending on how a specific user is accessing the layers, they can be supporting, consuming, or providing services. A visual description and additional examples of the functions of each service model are shown in figure 1 [15].

Cloud architectures are made available via public, private, community, and hybrid deployment models [18]. Anyone with a network connection can access a public cloud. Private clouds are restricted to a certain set of users and are usually operated for a single organization. Community clouds consist of a group of organizations which all work together to achieve a common goal. They are all owners; therefore, elements of the cloud are agreed upon by all in the community before being defined or implemented as a part of the structure. Hybrid clouds can be a mixture of any of the available cloud deployment models.

The term “cloud” is a good, yet simple, way to describe the huge presence and impact it has. The concerns and challenges are ongoing in an effort to define an environment that is not fully formed or trusted. The major security risks of cloud computing are availability, privacy, and reliability.

Availability concerns

Data must be readily available when a user attempts access. This protection of data and system functionality covers a variety of potentially exploitable areas, for example physical location, physical access, and logical access.

The IaaS layer infrastructure and related data are possibly located in locations unknown to the user, and availability may be ultimately dependent on the vendor. The user relies on the vendor to keep the systems operating. To ensure that physical and logical access is safeguarded, the system must be protected from both intentional and unintentional misuse. To prevent malicious insider threats, highly qualified personnel with trusted background checks will be responsible for configuring and maintaining the network and its services [1]. The personnel who guard and have access to the facility must also be verified. Personnel have access to both the physical and logical components and are familiar with the environment; therefore, continuous verification of personnel allows a vendor to maintain trustworthy and knowledgeable people as well as assist in keeping them honest.

The probability of natural disasters, elements of nature, insider threats, and system power failures affecting operations has to be considered. The data centers where information is stored must be physically sound, and supporting materials must be carefully planned when being constructed or remodeled to protect against attacks that are both human and nature related [9]. Hardware at the IaaS level may be the most tangible component and as such falls under the same protection levels as all physical resources. Loss of data or failure of a system is a real possibility.

Both internal and external threats to IT networks are on the rise. According to Verizon’s 2015 Data Breach Investigations Report, of the companies surveyed, in 38 percent of cases it took attackers seconds to compromise a system, and in 28 percent of cases it took attackers minutes to extract data [3]. The vulnerabilities that allow this type of compromise are very common on a LAN or WAN, and are just as common in the cloud. The difference is that what is boasted as a benefit of cloud computing can also assist in the expansion of an exploited vulnerability. Take, for example, operating system vulnerabilities; they are usually published on websites of the applicable operating system or highlighted on “dark” websites. For nearly every known operating system, there are multiple known vulnerabilities. An operating system vulnerability exploited in a cloud computing environment could have a severe impact.

Data, when requested, must be accessed and possibly passed to a service for processing before being delivered. At the IaaS and PaaS levels, data location is a common cause for concern. There are laws and regulatory compliance requirements that may restrict where data is stored. This also applies to backups and archives. All data accessed at these levels may not be within the same state or country. Disregarding such regulations will usually result in fines and penalties.

At the SaaS layer, the average user can conveniently interact, but attackers can also exploit weaknesses to obtain confidential, sensitive, secret, and personal information. Loss of data can result from a malicious attack, an insider threat, or an accidental deletion. A huge benefit of the cloud for a user is the ability to store and back up data. However, when users do not adhere to proper backup practices, accidental deletion can cause them to lose their data. Security flaws within the client environment that expose the system to exploitation can also result in a malicious attack. Weak passwords, phishing scams, and malicious code can put data in danger of being lost, stolen, or inaccessible. Users would benefit from the suggestions of NIST publications, which call for the use of multi-factor authentication combining something you know, something you have, and something you are, with mitigation suggestions for each factor [4]. Insider threat actions can result in compromise or destruction of information or disruption of services. The best counters to insider threat are security education, training, and awareness (SETA) and continuous monitoring tools implemented on sound security policies and procedures.

Privacy concerns

Data must be protected at all times: at rest, in transit, and during processing. In a properly designed system, data is expected to be received in an encrypted format, processed in a protected environment, and encrypted again before being returned or pushed forward. The challenges presented here include system performance as a result of encrypted data, the inability to encrypt data that is being processed, and isolation failures.


System performance typically suffers when proper encryption, system hardening, and multiple layers of security are part of the security approach. This affects performance across all service models—IaaS, PaaS, and SaaS. This trade-off is to be expected, but many vendors may overlook it in exchange for better performance rates. If users cannot speedily access data they may resist using the service. Data at the IaaS level can be encrypted in both “at rest” and “in transit” states [5]. Data cannot, in practice, be processed while it is encrypted. At the PaaS and SaaS levels, unencrypted or poorly encrypted data leave a system with multiple points of fragility. Data at both the SaaS and PaaS level remain unencrypted because encrypted data would prevent functionality such as indexing, searching, and mathematical operations [5]. Client data at the SaaS level are more vulnerable to compromise and are subjected to malicious attacks.

The IaaS, PaaS, and SaaS environments are where the distinction of tenants, users, and organizations is made by specifying space to allow for multi-tenancy, allowing multiple tenants to share the same resource. Isolation failure becomes a problem when one or more of the tenants has access to the resources of another tenant. This could be in the form of processing power or access to data. Virtual machines (VMs) are a valuable asset when trying to avoid isolation failure. Each instance of a VM creates a separate environment for each tenant. Proper system configurations and settings on hardened machines are needed to avoid isolation failure. Virtualization creates copies of a configured system. When a VM is configured improperly, inadequately hardened, or contains out-of-date patches, the vulnerabilities can increase significantly.

Using the PaaS model as an example, virtual machine environments (VMEs) are instituted in combination with data; when resources are reused, data may be recoverable from memory and storage resources. Some server disks may be reused or recycled, but if not sanitized properly, they may contain residual data [10]. Digital Ocean, a New York-based cloud infrastructure provider, found that scrubbing hard drives after a VM instance was deleted caused performance degradation. After this finding the company stopped scrubbing user data from its hard drives after users deleted a VM instance. It was then found that other users could potentially access data on the “un-scrubbed” drive [14]. The scrubbing process is difficult and tedious to perform in a cloud computing environment, but it does securely remove residual data.

Reliability concerns

Cloud security is dependent on data integrity and system reliability. Data integrity practices ensure that no unauthorized changes have been made to the data. With IaaS the vendor is responsible for data integrity, whereas in PaaS and SaaS both the vendor and the users are responsible for data integrity [12]. System reliability demonstrates that dependable system techniques are exercised. These techniques ensure a functioning system and an associated system status. Many traditional IT methods are buried in the cloud environment. Ensuring that only known and authorized devices and users are connected to the network in a cloud setting assists with maintaining the reliability of a system by allowing support for auditing and monitoring. In performing these tasks, the system is aware not only of who or what is connected and whether or not it is allowed, but also of who or what is not allowed, as well as the means of entry [11].

At the IaaS level, layered network security is required both externally and internally, which includes firewalls, packet inspection, monitoring, and auditing. The external network environment will require a demilitarized zone (DMZ) and access to virtual private networks (VPNs) for personnel connecting from outside locations. The internal network will house an intrusion detection system (IDS) and an intrusion prevention system (IPS) for monitoring the networks. Continuous efforts to prevent attacks will require test teams to be established for vulnerability and penetration testing of all service levels. The system monitors network traffic, usage of the system resources, management of the system, as well as management of security and availability. The configuration management component of a cloud environment must be introduced with processes and certainty to verify that what makes and defines a system is documented, reproducible, and comparable to an audit log or a system image.

There are, however, vulnerabilities of cloud computing at the service levels that are unique to the cloud. When multiple operating systems run on a host computer that has VM capabilities, a virtualization management tool known as a hypervisor is used. There are two types of hypervisors, native and hosted. Depending on which type the vendor uses, the hypervisor may sit between the hardware and the VM, or it may sit between the operating system and the VM. The Type 1 hypervisor shown in figure 2 [13] is the native hypervisor. It resides directly above the hardware components and is responsible for providing virtual memory and CPU scheduling policies [8]. The Type 2 hypervisor is the hosted hypervisor. It resides directly above the operating system.

Figure 2 – IBM, hypervisor differences

Hyper-jacking is a weakness introduced to the operating system by an attacker via a rogue hypervisor. It is an opportunity

January 2016 | ISSA Journal – 35 Securing the Cloud | Barettè Mort

Hyper-jacking is a weakness introduced to the operating system by an attacker via a rogue hypervisor. It is an opportunity for an attacker to take advantage of the hardware and the VM. When a rogue hypervisor is introduced on an operating system, it usually cannot be detected, because it runs beneath the operating system, in a very stealthy manner, to compromise the server. Virtualization compounds these opportunities: each time a new environment instance is created, the same weaknesses in the operating system are created with it. Virtualization is also subject to stasis, which means that VMEs pre-configured exactly like all of the other VMEs share the same exposure, whether or not any one of them has actually been exploited. "Technologies such as virtualization mean that network traffic occurs on both real and virtual networks… Such issues constitute a control challenge because tried and tested network-level security controls might not work in a given cloud environment" [10].

Precariously configured web services or less-than-strict application development at the IaaS and PaaS level can compromise data integrity and system reliability, particularly in the area of application programming interfaces (APIs), which are developed for integration of cloud components. There are numerous types of APIs for operating systems, applications, websites, and software solutions. There are several concerns surrounding APIs: vulnerabilities in the system calls, data connections, and data queries, if present, can cause data to be modified.

The user at the SaaS level has little or no control over the infrastructure but is still responsible for some security of the system. Multi-factor authentication as defined in the NIST Electronic Authentication Guideline [4] should be used to prevent client-side threats in a private cloud.
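The API paragraph above says that a vulnerable data query can cause data to be modified; the example below shows the most common way that happens in a cloud component's request handler and what the hardened handler looks like. It is an added example, not code from the article; the accounts table, the two tenants and the attacker's request are constructed, and the handler names are hypothetical. The vulnerable handler splices request parameters into SQL, so a crafted owner value turns a single-account update into an update of every account; the hardened one binds the parameters, validates the value and refuses to act on an account the caller does not own.

```python
import sqlite3


def open_accounts_db() -> sqlite3.Connection:
    """Constructed sample data store standing in for the cloud component's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    conn.commit()
    return conn


def update_email_vulnerable(conn, owner: str, new_email: str, caller: str) -> int:
    """Hypothetical API handler as too often written: request parameters are
    spliced into the data query and the caller's identity is never checked.
    Returns the number of rows the UPDATE touched."""
    sql = f"UPDATE accounts SET email = '{new_email}' WHERE owner = '{owner}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_email_hardened(conn, owner: str, new_email: str, caller: str) -> int:
    """Same operation with the fixes a reviewer would require: the caller may
    only change its own record, the value is validated, and both values travel
    as bound parameters so the database never parses them as SQL."""
    if caller != owner:
        raise PermissionError("caller may only update its own account")
    if "@" not in new_email or len(new_email) > 254:
        raise ValueError("invalid e-mail address")
    cur = conn.execute("UPDATE accounts SET email = ? WHERE owner = ?",
                       (new_email, owner))
    conn.commit()
    return cur.rowcount


def email_of(conn, owner: str) -> str:
    row = conn.execute("SELECT email FROM accounts WHERE owner = ?", (owner,)).fetchone()
    return row[0] if row else ""


def run_attack(handler, caller: str) -> dict:
    """Send a crafted owner parameter through a handler on a fresh database and
    report the outcome.  The payload closes the quoted literal and appends a
    condition that is always true, so the vulnerable WHERE clause matches every row."""
    conn = open_accounts_db()
    injected_owner = "alice' OR 'a'='a"
    try:
        rows = handler(conn, injected_owner, "attacker@example.test", caller)
    except (ValueError, PermissionError) as exc:
        rows = type(exc).__name__
    return {"rows": rows, "alice": email_of(conn, "alice"), "bob": email_of(conn, "bob")}


if __name__ == "__main__":
    print("vulnerable:", run_attack(update_email_vulnerable, caller="alice"))
    print("hardened:  ", run_attack(update_email_hardened, caller="alice"))
```

The authorization check matters as much as the binding: parameterization alone already stops the injected text from being parsed as SQL (the bound value simply matches no row), but without the caller-equals-owner test a legitimate caller could still rewrite any account whose name it knows.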
Standards to be applied
The need for well-defined standards remains a necessity for systems and data within the cloud computing environment. Cloud computing standards for security have not yet been created [16]. The lack of standards for providers creates a less stable environment for systems, data, security, and users. NIST calls for the standardization of interoperability, portability, security, performance, and accessibility [15]. The Cloud Standards Customer Council [6] recognizes the need for interoperability and portability.

NIST indicates that standardization of interoperability allows for the discovery of key interoperability requirements and features [15]. Interoperability is the ability of different systems to interact and communicate in a common manner. The service, application, or system may access data or services differently, but it will not impede the operations of other services, applications, or systems. Interoperability challenges affect all service models; however, SaaS is most impacted, as there are only a small number of APIs for SaaS applications. Standardization of this practice would allow a customer to swap vendors with little effect on its service, application, or system [6]. Take, for example, APIs: they may be custom developed for a specific vendor environment and interact with explicit components. If these components are not standard, the consumer will not have a choice outside of the current vendor, as these components will not be able to communicate with components of another vendor.

Portability addresses the ability to move code or data between vendors without having to rewrite existing code or reformat data. Portability concerns are present in both IaaS and PaaS but are more prevalent in PaaS due to the varying services offered across PaaS vendors. Standardization of portability and interoperability will lessen the occurrence of vendor lock-in. Consumers will benefit from the standards, as they will provide alternatives among cloud vendors. Industry will benefit from the regulations, as it will be able to better identify security goals and strategies as well as encourage innovation.

Evaluating the trade-off between protecting the data and the cost of protecting the data introduces risk management. Using the NIST Risk Management Framework [7] as the basis for a risk management plan, coupled with business processes and regulatory, legal, and compliance requirements, will allow a continuous evaluation of the cloud security life cycle (figure 3). Continuous evaluation allows the risk management plan to adapt and grow as technology expands while ensuring that security is evaluated.

Figure 3 – NIST Risk Management Framework

NIST is an organization valued for the measurements, technology, standards, and procedures that are needed to ensure that the United States continues to advance and stay competitive in the fields of technology and industry. "Categorize" identifies the system and the data it processes, stores, and transmits. "Select" focuses on capturing an initial set of baseline security controls based on how the system or systems have been grouped. "Implement" expects the security controls to be in place with supporting documentation of how the controls were put in place. "Assess" looks at the system with respect to the controls to determine whether the procedures put in place are effective and producing the expected results. "Authorize" establishes whether the risks within the system are acceptable or unacceptable. "Monitor" maintains the security controls by keeping documents up-to-date, capturing metrics, conducting analysis, and reporting status [7].

Utilizing the concept of defense in depth will allow for a multilayered defense that will assist with the protection, detection, and reaction capabilities provided in the system mitigation efforts. This strategy allows various security methodologies and tactics to be placed in the system at every possible level. If one area of the system succumbs to attack, the next layer will have another defense. "The goal is to place enough defensive measures between our truly important assets and the attacker so that we will both notice that an attack is in progress and also buy ourselves enough time to take more active measures to prevent the attack from succeeding" [1].

Conclusion
The model of cloud computing is evolving and standards are still being defined. There are challenges that are unknown in this early state of cloud computing, but in the face of challenge there is opportunity.

The attractiveness and accessibility of the cloud demand attention, and while still in its infancy it is being widely embraced. With all of the attention, it also becomes a target. The vulnerabilities of the systems and the persistence of attackers will cause the challenges of cloud computing to continue. As progress is made across many areas of cloud computing, research and investigation indicate that cloud security concerns are addressed by implementing sound security measures. Users are recommended to consider a security plan for cloud computing even if they are hesitant to embrace it.

References
1. Andress, Jason. The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice. Syngress, June 2011.
2. Badger, Lee, Bohn, Robert, Chu, Shilong, Hogan, Mike, Liu, Fang, Kaufmann, Viktor, Mao, Jian, Messina, John, Mills, Kevin, Sokol, Annie, Tong, Jin, Whiteside, Fred, Leaf, Dawn. US Government Cloud Computing Technology Roadmap, Volume II, Release 1.0, NIST SP 500-293, November 2011 – http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf.
3. Brumfield, Janet. Verizon 2015 Data Breach Investigations Report, Verizon, April 2015 – http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/.
4. Burr, William E., Dodson, Donna F., Polk, W. Timothy. Electronic Authentication Guideline, NIST SP 800-63, April 2006 – http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf [updated version: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf].
5. Catlett, C. Cloud Computing and Big Data. IOS Press, 2013.
6. Cloud Standards Customer Council, November 2014 – http://www.cloud-council.org/CSCC-Cloud-Interoperability-and-Portability.pdf.
7. Computer Security Division, Computer Security Resource Center. Risk Management Framework Overview, NIST, April 2014 – http://csrc.nist.gov/groups/SMA/fisma/framework.html.
8. Erl, Thomas, Mahmood, Zaigham, Puttini, Ricardo. Cloud Computing: Concepts, Technology and Architecture, Prentice Hall, 2014.
9. Fennelly, Lawrence J. Effective Physical Security, 4th Edition. Butterworth-Heinemann, November 2012.
10. Grobauer, Bernd, Walloschek, Tobias, and Stöcker, Elmar. Understanding Cloud Computing Vulnerabilities, InfoQ, August 2011 – http://www.infoq.com/articles/ieee-cloud-computing-vulnerabilities.
11. Halpert, Ben. Auditing Cloud Computing: A Security and Privacy Guide, John Wiley and Sons, 2011.
12. Hwang, Kai, Fox, Geoffrey C., Dongarra, Jack J. Distributed and Cloud Computing, Morgan Kaufmann, December 2013.
13. IBM developerWorks – http://www.ibm.com/developerworks/cloud/library/cl-hypervisorcompare/.
14. Kerner, Sean M. "Scrubbing Data a Concern in Digital Ocean Cloud," eWeek, January 2014 – http://www.eweek.com/cloud/scrubbing-data-a-concern-in-the-digital-ocean-cloud.html.
15. NIST Cloud Computing Standards Roadmap Working Group. NIST Cloud Computing Standards Roadmap, NIST SP 500-291, July 2013 – http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Version-2_2013_June18_FINAL.pdf.
16. Sheikh, Shah. A Holistic Security Approach to Cloud Computing, ISACA, 2013 – http://www.isaca.org/Journal/archives/2013/Volume-5/Pages/JOnline-Does-Your-Cloud-Have-a-Secure-Lining.aspx.
17. Talia, Domenico, Trunfio, Paolo, Marozzo, Fabrizio. Data Analysis in the Cloud: Models, Techniques and Applications, Elsevier, 2015.
18. Zamora, Edward. "Cloud Testing Methodology," SANS, July 2015 – https://www.sans.org/reading-room/whitepapers/testing/cloud-assessment-survival-guide-36427.

About the Author
Barettè Mort is a security professional with Raytheon. She has worked in the industries of finance, web development, consulting, and defense. She holds a Master's degree in Systems Engineering from George Washington University, and a Bachelor of Science degree in Computer Science from the University of Southern Mississippi. Barettè can be reached at barette@gmail.com.
