Security & Risk Management

Posted by Usman Sindhu on July 17, 2009

Cisco’s Smart Connected Communities – Are They Securely Connected As Well?

I attended a Cisco Systems briefing early this week about its Smart Connected Communities initiative. Once again Cisco demonstrated its forward thinking by bringing together various government initiatives under the umbrella of what they call Smart Connected Communities.  A Smart Connected Community is built on IP-based infrastructure. This means that all of the critical components of a city infrastructure like utility, transportation, healthcare, commercial buildings, and emergency response systems connect via an IP-based network.

Overall, it was a good update briefing. But I was surprised to hear just how confident Cisco is that securing this networked infrastructure is a no-brainer. I asked the presenter: “Given that network infrastructure is not nearly as robust and secure in some emerging geographies, how are you planning to ramp up the backbone and make the network secure enough end-to-end to run smart services?”

The presenter agreed that we need to strengthen the network backbone and provide sufficient bandwidth and robustness to run smart services. However, I was astonished to hear that he thought security was not as much of an issue. In his opinion, Cisco is well versed in providing secure infrastructure, having implemented security in diverse environments like the financial, retail, and government sectors.

Unfortunately, I’m not sure I share Cisco’s confidence. If security is that easy to implement, then why are so many companies incurring heavy fines when they regularly fail compliance mandates? Day in and day out, why do so many companies worry about business and partner access as they expand their global operations? Why are utility companies light years away from being secure, as evidenced by their meters and power distribution systems that are prone to security breaches? In the smart connected environment, healthcare, financial institutions, retail, utility, and transportation companies will need to comply with industry-specific compliance requirements as well as broader government regulations, making the puzzle even more complex. Walking the path to this smart connected infrastructure comes with a magnified set of challenges for CIOs and CISOs. Among many other things, they will have to manage thousands of IP endpoints connected to the smart backbone. At the same time, B2B security will become imperative as they interact with many non-conventional partners that they have never dealt with in the past.

My take? Security should be at the top of the list when building these smart connected communities. We haven’t solved this challenge by a long shot. In fact, I fear it can prove to be the Achilles’ heel when integrating disparate components together.

I’m interested in your thoughts. What role will security play in Smart Connected Communities? Is Cisco right that we’ve already got it all figured out?

[posted by Usman Sindhu]

Cybersecurity Czar – Where art Thou?

Khalid Kark

Bill Brenner at CSO recently wrote an interesting piece highlighting the urgency of having a cybersecurity leader. Although I do not agree with him that the simple DDoS attacks on government websites could have been prevented by having a Cybersecurity Czar, I do agree with him that we need a cybersecurity leader – now!

We all rejoiced when President Obama ordered a 60-day cybersecurity review shortly after taking office. We were all excited when, on May 29th, a report summarizing the findings of the cybersecurity review was released and the president declared cybersecurity a national security priority for his administration, and a personal goal for him. The President promised to appoint a cybersecurity coordinator (Cybersecurity Czar) and assured us that the new official would have regular access to the Oval Office. Many of us (security pundits) were ecstatic and offered suggestions and praise. We were all a little disappointed that he did not name the new “coordinator” that day, but we were assured that the appointment would be announced soon. It has been more than six weeks since that announcement – and there is no appointment in sight. Obviously there is no shortage of rumors about who the next Cyber Czar will be, or why the President hasn’t named one.

We understand that things move slowly in government and that the President has a lot of other pressing issues that he needs to deal with, but here are five reasons that the appointment of a Cybersecurity Czar (coordinator) is a matter that requires urgent attention:

  1. There is a lot of money being spent on cybersecurity every day – with no comprehensive strategy. Not only are individual agencies spending millions of dollars on cybersecurity, but a highly classified, multiyear, multibillion-dollar project approved by the Bush Administration, called CNCI or the “Cyber Initiative,” had a budget of $30 billion. This initiative was implemented with the goal of securing government, commercial, and critical infrastructure computer systems against foreign and domestic intruders. We are talking big bucks here. Would you, as a CISO, let your business areas spend on security initiatives as they please, without any coordination, communication, or strategy?
  2. Critical infrastructure needs immediate help. Our critical infrastructure needs help. It is antiquated and prone to viruses, worms, and people doing stupid things, all of which ultimately lead to costly disruptions in service. Add to this the potential threats associated with foreign government hackers (Electricity Grid in U.S. Penetrated By Spies) and you’ve got an urgent matter on your hands. Other critical infrastructure breaches (FAA says info on 45,000 workers stolen in data breach) and commercial data losses (Hackers Breach Heartland Payment credit card system) bring no consolation.
  3. FISMA has utterly failed at securing government infrastructure. We have all come to realize that FISMA has done little to improve the security of government systems, and has instead created an additional layer of processes and a healthy revenue stream for Beltway consulting companies. The Cybersecurity Czar needs to take over the responsibility of ensuring that FISMA 2.0 is in line with the current realities on the ground and is able to shift the focus from “compliance” to security.
  4. Capture the momentum and excitement. I have never seen such optimism and excitement in the security industry for a government initiative. Security experts and the industry at large are offering to help in whatever capacity they can to improve the nation’s cybersecurity posture. We need to seize the opportunity and come up with a defined strategy (not high-level goals and objectives) and strong leadership that can channel this energy into positive action.
  5. Perception is almost as important as reality. Many people hailed Mr. Obama’s speech on May 29th as a strong warning to our adversaries that we are serious about security. The recommendations from the cybersecurity review were also heralded as the right first step. But nothing has happened since. We don’t have a plan, any specifics on how those recommendations will be implemented, nor a Cybersecurity Coordinator. By not following it up with action, what message are we sending? We need to at least be perceived as taking security seriously.

Do you agree that we need a Cybersecurity Czar in the first place? What kind of skill-set do we need in a Cybersecurity Czar? Who do you think will be Mr. Obama’s pick? As always, I’d value your feedback, comments, and thoughts.   

[posted by Khalid Kark]

Posted by Andrew Jaquith on July 13, 2009

Securing Google's Chrome OS

Andrew Jaquith

Today, I received an e-mail from eWeek's Brian Prince asking about how Google might make good on its promise to make their upcoming Chrome OS more secure than the operating systems we know and love. Here's my long reply to him, lightly edited.

Google is starting from a clean sheet of paper, so they have a lot of freedom to design the OS the way they want. From a security perspective, Google has a lot of options, ranging from evolutionary to radical.
 
On the more evolutionary side of things, Google could have chosen to make an OS that looks and acts a lot like today's operating systems, with a windowing system, local file storage, multi-threaded processes, a Web browser, and locally installed applications written in native code. Windows, GNU/Linux, and OS X are all like that. The difference is that Google would seek to do some or all of these aspects more securely. For example, they could implement something like SELinux, which adds mandatory access control to Linux. This would allow the OS to confine a compromised process so that it cannot reach the rest of the system. The browser, too, could be done better. A safe bet is that Chrome OS will include a browser with multi-process tab support (like the Chrome browser), which runs each tab in its own process so that a compromised tab cannot touch the others, and is therefore more secure than single-process browsers.
 
At the extreme end of what Google might do is the iPhone model, circa version 1.0 of the OS. That is, the OS is a totally sealed box with no third-party app support. All "apps" are Web apps, with a trusted bootloader that verifies software integrity of core OS files at time of bootup. The first iPhone OS was really like a toaster: there wasn't anything to mess with, so the users couldn't get themselves in trouble. Apple later added native app support in iPhone OS 2.0, which required new apps to be digitally signed. This is something Google could do also if third-party native apps were supported.
 
My personal hunch is that Chrome OS will be closer to a toaster. The applications it runs will be primarily, if not exclusively, Web applications like Gmail, Google Docs, and Picasa. That means the primary application they will need to secure is the Chrome browser, which they have demonstrated an ability to do already. For those cases where the browser needs to run a native-code plugin, they will use the Google Native Client (NaCl) APIs. The research I've read on NaCl is quite encouraging: it runs native code, but the code is statically verified before it runs, so that it cannot execute unsafe instructions or escape its sandbox (or at least is far less likely to). For an overview of the goals and security posture of NaCl, see this excellent, prescient Matasano post: http://www.matasano.com/log/1674/the-security-implications-of-google-native-client/
 
Next, if we make the assumption that Google wants things to live in the cloud, we can probably assume that there won't be a user-accessible file system. That, plus the desire to lock down the operating system, suggests that all file storage will be in the cloud. For the core OS, I consider it likely that the OS itself will have a trusted bootloader that verifies the integrity of the OS at bootup. The trusted bootloader, combined with a MokaFive-style auto-wiper, could ensure that the OS is always "clean" at bootup, and that the user files stay separate from the operating system. For those of you with long memories, the idea of a trusted OS isn't new. Indeed, Microsoft Research implemented process isolation and trusted bootloading in its experimental Singularity OS in 2005. What's new is that Google will actually try to commercialize it.
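One concrete way to realize the "verify the integrity of the OS at bootup" piece is a hash tree over the root filesystem image in which only the root hash is trusted (held in the bootloader or in a TPM-measured component), so that any block can be checked against that single value. The Python below is an added example written for this page to illustrate that scheme; it is not Google's, Microsoft's, or any shipping bootloader's code, and the image contents, the tiny block size, and the function names are all constructed for illustration.

```python
"""Added example: verified-boot style integrity check with a hash tree.

Only the root hash is trusted (it would live in the bootloader or a
TPM-measured component); the per-block hash tree travels with the image and
is untrusted, so every node read from it is re-checked against what we compute.
"""
import hashlib

BLOCK_SIZE = 16  # deliberately tiny so the constructed image stays readable


def _h(data):
    return hashlib.sha256(data).digest()


def split_blocks(image, block_size=BLOCK_SIZE):
    return [image[i:i + block_size] for i in range(0, len(image), block_size)]


def build_tree(image, block_size=BLOCK_SIZE):
    """Build the hash tree at image-build time.

    Returns a list of levels: levels[0] holds one SHA-256 per block,
    levels[-1] holds the single root. An odd node count is handled by hashing
    the last node with itself; verify_block mirrors that rule.
    """
    level = [_h(b) for b in split_blocks(image, block_size)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def verify_block(image, index, tree, trusted_root, block_size=BLOCK_SIZE):
    """Check one block on demand: recompute its hash, confirm each stored node
    on its authentication path, and finish at the trusted root."""
    blocks = split_blocks(image, block_size)
    node = _h(blocks[index])
    pos = index
    for level in tree[:-1]:
        if level[pos] != node:          # stored tree disagrees with the data
            return False
        sibling_pos = pos ^ 1
        # A missing sibling on an odd-sized level means "pair with yourself".
        sibling = level[sibling_pos] if sibling_pos < len(level) else node
        node = _h(node + sibling) if pos % 2 == 0 else _h(sibling + node)
        pos //= 2
    return node == trusted_root


def boot_check(image, tree, trusted_root, block_size=BLOCK_SIZE):
    """What a bootloader does for core OS files: verify every block eagerly.
    Returns the indices of blocks that fail, so [] means the image is clean."""
    count = len(split_blocks(image, block_size))
    return [i for i in range(count)
            if not verify_block(image, i, tree, trusted_root, block_size)]


# --- constructed demonstration data (not a real OS image) -------------------
IMAGE = b"".join(f"osblock{i:02d}".encode().ljust(BLOCK_SIZE, b"-")
                 for i in range(5))
TREE = build_tree(IMAGE)            # shipped alongside the image, untrusted
TRUSTED_ROOT = TREE[-1][0]          # the one value the bootloader trusts

# Attacker flips a bit in block 3 but cannot reach the trusted root.
TAMPERED_IMAGE = bytearray(IMAGE)
TAMPERED_IMAGE[3 * BLOCK_SIZE] ^= 0x01
TAMPERED_IMAGE = bytes(TAMPERED_IMAGE)

if __name__ == "__main__":
    print("clean image, bad blocks:", boot_check(IMAGE, TREE, TRUSTED_ROOT))
    print("tampered block, stale tree:",
          boot_check(TAMPERED_IMAGE, TREE, TRUSTED_ROOT))
    print("tampered block, regenerated tree:",
          boot_check(TAMPERED_IMAGE, build_tree(TAMPERED_IMAGE), TRUSTED_ROOT))
```

Two failure modes are exercised: a block modified without touching the stored tree fails at the leaf comparison while its neighbours still verify, and a block modified together with a regenerated tree fails at the root comparison for every block, which is why the root must live somewhere the attacker cannot write. A real implementation would use disk-sized blocks, keep the tree next to the image, and verify blocks lazily as they are read rather than all at boot.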

In summary, if I were king, I'd make the "OS" as we know it a lot thinner and more compact, without support for third-party applications, and with cloud-based storage. Combine that with process isolation, mandatory access control, a trusted bootloader, and a primarily browser-based user interaction model, and you'd see an OS that is indeed a lot more secure.

Posted by Chris McClean on July 2, 2009

And the results are in... The Forrester Enterprise GRC Platform Wave 2009

Chris McClean

The launch of any new research report is exciting, but I’m especially happy to see the publication of The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009.

The evaluation speaks for itself. Forrester goes to great pains to assure a fair, detailed process that looks into the strengths and weaknesses customers care about most — and this Wave is no exception. But considering the amount of time and effort we spent putting this report together, I wanted to provide some additional thoughts on what I learned during the process:

  • Wave research is very rewarding. Among best practices, trends, and other reports, the Wave research is probably the most enjoyable for me and beneficial to our corporate customers. In a relatively short time period, I sat through hours and hours and hours of product demos (really, it’s not as bad as you think), debated with vendors about market dynamics, and analyzed massive amounts of customer reference data. During the evaluation process, I was also working on several vendor selection projects with Forrester customers. Since the Wave criteria are based on buyer demands, the research I was doing was very applicable to my customer engagements as well.

In addition, the comprehensive and transparent nature of the Wave methodology helps to justify all of the scores and analysis. That means that if a customer (or former colleague) has a question about any of the results, they are able to see exactly what criteria I used and why I scored each vendor the way I did (and then of course they can proceed to agree or disagree as they see fit).

  • It’s impossible to include everything. The GRC landscape is vast. For every vendor that appeared in the Wave, there were probably at least two more that wanted to be included. Some were not invited because they didn’t meet all of the participation criteria, while others were invited but declined to participate because they couldn’t meet our required information requests and/or deadlines. The vendors evaluated here, however, have demonstrated strong customer successes and ability to meet the market demands we see from the hundreds of GRC inquiries and advisories we do every year.

One thing you may not be able to tell from the graphic alone is how each vendor is trending relative to its market position. Yes, the vendors that have stayed on top of the Leaders category have had to work very hard to maintain that position. However, it’s often other vendors that are showing the most innovation and progress. In fact, I spend quite a bit of time discussing this in the Wave report as well as in a podcast I recently recorded.

  • GRC buyers and implementations are more mature. While this will come out more in upcoming reports, GRC buyers and users are more sophisticated than ever. Current budget constraints may require implementations to start very small, but more and more, organizations are seeing the long-term value of comprehensive GRC that spans across compliance, risk, audit, IT, and other departments.

Software firms have responded appropriately, which means they can't be easily segmented by which vendors target risk management professionals or which target compliance professionals... the best ones are addressing all relevant users. With that in mind, I chose not to segment out separate Wave graphics for Governance users, Risk users, and Compliance users. If we are truly set on the unique value GRC brings by combining these functions, we should focus on solutions that address each of their needs simultaneously.

For customers that are looking for solutions that skew to specific areas of GRC, I would recommend using our Wave model to adjust the score weightings to meet your unique needs. Are you more interested in products that can help automate your control testing? Do you care more about training and awareness capabilities? You can adjust the weightings of these criteria as you see fit, and then see which vendors rise to the top of your own custom Wave.

I wanted to thank all of the vendors that participated and the teams that spent time gathering the necessary information for our evaluation. For those that did not participate, rest assured... we still get a lot of customer inquiries asking for details about vendors that are not in the Wave. And so it is of course my intention to keep up to date with all vendors in the GRC market.

For GRC buyers, there are of course questions that you have that could not be fully covered in this report. I encourage you to look through the details of our evaluation, and feel free to set up an inquiry to discuss any other issues in more detail.

[posted by Chris McClean]

NAC Can Play An Important Role In Securing The Nation's Critical Infrastructure

I came across an interesting article discussing how the U.S. Department of State has recently shown interest in adopting network access control (NAC) tools that perform pre-admission access control. The intent is to drive the development of standards that help organizations secure their networks from malicious hacker attempts. There is mounting concern that the nation's critical infrastructure — ranging from the electricity grid to banking systems to defense contractors — is far from secure. To this end, the SANS (SysAdmin, Audit, Network, Security) Institute has worked with security professionals both inside and outside of government agencies to develop the Consensus Audit Guidelines. There are 20 controls in this program to tackle cybersecurity issues. NAC is identified as helping with “Critical Control 12: Malware Defenses.”

NAC helps organizations create or leverage existing security policies by enforcing them at the various layers of the network. The most common use case for NAC is to enforce policies for keeping endpoints up-to-date; this includes patch management and system configuration. However, this is a pretty rudimentary use case. NAC is much more valuable when applied to the automation of various security, asset management, and access control policies. That’s why NAC is such a good fit in many cybersecurity initiatives. Specifically, it can help: 1) develop a secure B2B environment; 2) build a secure Smart Grid; and 3) streamline government and industry compliance mandates like FISMA, NERC, PCI DSS, and HIPAA.

We predict NAC tools will play an important role in end-to-end access control lifecycle management. The majority of cybersecurity initiatives require ongoing management of user identity tied to specific users’ devices and applications. But there will need to be some enhancements beyond today’s standard NAC deployment. The industry needs to build out support for the TNC IF-MAP standard. Doing so will make sure NAC is a critical component in building out: 1) IAM-based solutions that provide role-based access control; and 2) next-generation SOC initiatives that leverage SIM (security information management) to monitor assets and devices for vulnerabilities and threats.

The U.S. Department of State’s interest in implementing the Consensus Audit Guidelines in conjunction with NAC is encouraging, but at the same time it's important not to pigeonhole NAC’s functions into commodity features like pre/post-admission checks, remediation, and policy enforcement. Organizations should look at the bigger picture, and specifically at how NAC can help streamline security operations by automating recurring security tasks.

Can NAC help the federal government streamline controls for its cybersecurity initiatives?

Posted by Andrew Jaquith on June 30, 2009

TSA’s Muddy Response to the Clear Shutdown

Andrew Jaquith

Earlier today, a friend of mine sent out a Twitter post indicating that Verified Identity Pass, the operator of the soon-to-be defunct Clear “Registered Traveler” program, might be interested in selling the data it possesses about its customers. For those of you unfamiliar with the DHS-sponsored Registered Traveler program, the idea is that in exchange for being fairly seriously vetted, you can speed through the security lines at airports. In this case “serious vetting” doesn’t mean a Scientology-style videotape confession or forfeiting your firstborn child, but it does involve being checked against terror watch lists and sharing a lot of personally identifying information.

The concern raised by the original story posted on Wired was whether this failed business might seek to profit by selling personal data. Here’s what I know:

  1. Clear collects enough personal information to make it a gold mine for identity thieves. Verified Identity Pass collects immense amounts of personally identifiable information so that it can determine applicant eligibility, as required by the TSA. The data collected includes scans of the applicant’s irises and fingerprints. Clear also collects the applicant’s social security number and credit card number, which is used for payment, and biographic information for vetting. It makes digital copies of identifying documents like passports or driver licenses. It is allowed by the TSA to retain all of these things in its data centers.
  2. Verified Identity Pass could sell its customer information to another Registered Traveler operator. Verified Identity Pass states, in a letter to customers, that the personal information it has collected could potentially be sold to third parties. In answer to the question, “will personally identifiable information be sold?” VIP answers, “The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.”
  3. TSA deflected concerns about what might happen to Clear's customer information. In its own statement about Clear, TSA answers concerns about disposition of personal information this way: “Questions about how the data is managed should be directed to the vendor. Clear has assured TSA that it is appropriately safeguarding the data. RT service providers were required to use customer data for purposes of the RT program unless customers expressly opted-in to other uses.”

Based on the facts, I’ve concluded that:

  • When faced with a cash crunch, companies toss privacy policies aside. No matter how ironclad the seeming promises of privacy, now that it’s in financial trouble, Verified Identity Pass thinks it can make a buck on its customers’ personal information. It seems to be treating the highly sensitive information its customers have provided to it as assets to be bought and sold, not as other people’s secrets that it is obligated to protect. Clear’s written privacy policy is a model of clarity and economy. It is a shame their customer letter, written under pressure in the rush to shut down, cannot give a simple “yes” or “no” answer about whether they will actually try to sell the stuff. Their evasiveness is shameful.
  • The Bush administration’s disregard for citizen privacy will take years to undo. The TSA’s feeble response to the issue of Clear’s customer data is laughable. How can the TSA simply “direct questions to the vendor?” The TSA Undersecretary must be high — and not 35,000 feet high, either. Despite all of the fine words in the recent cybersecurity plan (which I blogged about recently) noting the importance of citizen privacy, these are not a substitute for action. Inaction, in this case, speaks louder than words.
  • Some things shouldn’t be left to the private sector. When the Aviation and Transportation Security Act was passed, it established the TSA’s authority to take over passenger screening operations at airports. Why? Because the private sector was seen as doing a lousy job, and the function was thought to be so vital to the national interest that it should be run by the government. Why should the Registered Traveler program be any different? The Clear program hasn’t exactly kept its nose clean: nearly a year ago, staff lost an unencrypted laptop containing personal information on 33,000 passengers.
Here's what TSA should do: impound Clear’s customer data immediately, using the authority granted it under ATSA §114(f). It should also release a real response to Clear customers that states in clear language exactly how and when traveler personal information collected by Clear will be destroyed. Finally, it should seek funding for a federally-managed Registered Traveler program, rather than punting to the private sector, if such a program is still deemed desirable. If Congress has no appetite for a federally-run Registered Traveler program, it should be shut down completely.

Posted by Chris McClean on June 26, 2009

Granted, the regulatory environment is changing. How will this affect us?

Chris McClean

We are now approaching the half-way point of 2009, and most of us are still trying to figure out the nature and scope of regulations that will descend in reaction to the massive corporate failures of the last 9 months. Considering the hefty burden brought by Sarbanes-Oxley in reaction to — by comparison — less egregious issues, it’s no wonder risk and compliance professionals are waiting with nervous anticipation.

New legislation continues to pass at a fast clip in the US under the new administration; however, we have only seen pieces of what we expect will be significant changes to the regulatory controls mandated for many aspects of corporate operations.

Some of the most revealing actions taken so far include:

- May 20, 2009 - President Obama signed the Fraud Enforcement and Recovery Act of 2009.  FERA allocates substantial budget (more than $300 million) to the SEC, FBI, Justice Department, and other agencies to investigate “possible criminal, civil, or administrative violations and for criminal, civil, or administrative proceedings involving financial crimes and crimes against Federal assistance programs.” It will also create a commission to explore possible causes of the financial crisis, including regulatory mistakes, fraud, poor compensation practices, and over-reliance on numeric tools such as risk models and credit ratings.

- June 12, 2009 - United States Congressman Gary Peters introduced his Shareholder Empowerment Act to the House. This bill would give shareholders greater voice in votes on executive compensation and board membership as well as more disclosure on specific performance targets and bonuses. Senator Charles Schumer proposed similar legislation on May 19th. The one major addition in Senator Schumer’s Shareholder Bill of Rights Act of 2009 is the requirement that all public companies have an independent board-level risk committee, whose responsibility would be “the establishment and evaluation of the risk management practices of the issuer.”

- June 17, 2009 - President Obama outlined plans for more sweeping reform of financial regulations that would aim to consolidate supervision over all firms that pose a risk to the financial system as a whole.  Specifics are still in the works, but the Treasury Department explained that aspects of this regulation would include the creation of an agency to protect consumers by further regulation of firms that provide credit, savings, payments, or other financial services; further protection of corporate whistleblowers and larger sanctions for regulatory enforcement; review and possible modification of risk management guidance based on Basel II; and increased international cooperation to enforce anti-money laundering and terrorist funding standards.

Themes among these legislative actions include fraud prevention, transparency, shareholder and consumer rights, and stronger risk management oversight. The burden will be placed squarely on risk and compliance professionals and their cohort in the IT department. Even more visibility and control will be required for financial transactions as well as the context (emails, voice mails, related transactions, etc.) in which they took place. Monitoring and reporting more detailed risk information to regulators as well as potentially to a risk committee will also require a level of rigor most companies are not yet set up to tackle.

By now, plans should be in place to start addressing some of these high-level concerns. The exact methods and timelines by which organizations will need to comply with these new regulations are still being worked out; however, it’s quite clearly a matter of when, not if, they will come. And for those of you not working in financial services, please note that much of the focus has been on public companies as a whole, not just those in the financial sector.

As always, you’re welcome to share your thoughts on how your company is preparing, and whether you expect these new regulations to have more or less of an impact on risk and compliance departments compared to SOX.

Chris McClean

Posted by John Kindervag on June 24, 2009

No Honor Among Thieves

John Kindervag

In the old days criminals like Robin Hood and Don Corleone had scruples. Remember when Don Vito stood up to Virgil "The Turk" Sollozzo and refused to become involved in the heroin trade? The Don stood for honor at the cost of a couple of bullets.


It seems that modern cyber criminals are more like Sollozzo. One disturbing trend seems to be the exploitation of nonprofits to enumerate valid credit card numbers. Recently, some nonprofits have been inundated with bogus, fraudulent donations. Typically the donations are small amounts, although larger donations have been seen. When the nonprofit organization goes to reconcile these transactions, it discovers that the account is fraudulent. Unfortunately, these organizations may suffer chargebacks as well as incurring the enormous effort involved in straightening this stuff out.

It appears that these credit card thieves are using the donation websites to try to determine which cards are valid and therefore, which numbers they can sell to their clients for more nefarious purposes.
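A detection heuristic for the pattern described above, as an added example that is not part of the original post: card validation through a donation form shows up in a payment gateway's transaction log as a burst of small-value attempts from one source, each with a different card, and a high decline rate. The log lines, field names, thresholds, and IP addresses below are constructed for illustration, and the card tokens stand in for whatever opaque identifier the gateway exposes (never the raw card number).

```python
"""Added example: flag card-testing bursts in donation-gateway transaction logs."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log (not real data): one attempt per line.
# Fields: timestamp, source IP, card token, amount in USD, gateway result.
SAMPLE_LOG = """\
ts,src_ip,card_token,amount,result
2009-06-20T10:00:01,203.0.113.7,tok_c01,1.00,declined
2009-06-20T10:00:09,203.0.113.7,tok_c02,1.00,declined
2009-06-20T10:00:18,203.0.113.7,tok_c03,2.00,approved
2009-06-20T10:00:25,203.0.113.7,tok_c04,1.00,declined
2009-06-20T10:00:33,203.0.113.7,tok_c05,1.00,declined
2009-06-20T10:00:41,203.0.113.7,tok_c06,1.50,approved
2009-06-20T10:00:52,203.0.113.7,tok_c07,1.00,declined
2009-06-20T10:01:04,203.0.113.7,tok_c08,1.00,declined
2009-06-20T10:02:00,198.51.100.22,tok_d01,50.00,approved
2009-06-20T10:05:10,192.0.2.9,tok_e01,25.00,declined
2009-06-20T10:06:02,192.0.2.9,tok_e01,25.00,declined
2009-06-20T10:06:40,192.0.2.9,tok_e01,25.00,approved
"""

# Illustrative thresholds; tune them against your own donation patterns.
WINDOW = timedelta(minutes=10)   # sliding window per source IP
MIN_DISTINCT_CARDS = 5           # legitimate donors rarely cycle through cards
SMALL_AMOUNT = 5.00              # testers keep amounts tiny to avoid notice
MIN_SMALL_SHARE = 0.8            # share of attempts at or below SMALL_AMOUNT
MIN_DECLINE_RATIO = 0.5          # most guessed or stolen numbers are dead


def parse_log(text):
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["ts"]),
            "src_ip": r["src_ip"],
            "card": r["card_token"],
            "amount": float(r["amount"]),
            "approved": r["result"] == "approved",
        })
    return rows


def _window_stats(rows):
    declines = sum(not r["approved"] for r in rows)
    small = sum(r["amount"] <= SMALL_AMOUNT for r in rows)
    return {
        "attempts": len(rows),
        "distinct_cards": len({r["card"] for r in rows}),
        "declines": declines,
        "small_amount_share": small / len(rows),
        # The approvals are the numbers the attacker has just confirmed as
        # live; these go to the acquirer/issuers, not just the chargeback queue.
        "approved_cards": sorted({r["card"] for r in rows if r["approved"]}),
    }


def detect_card_testing(log_text):
    """Return {src_ip: stats} for every source whose worst window looks like
    card testing: many distinct cards, mostly tiny amounts, mostly declines."""
    by_ip = defaultdict(list)
    for r in parse_log(log_text):
        by_ip[r["src_ip"]].append(r)

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rows)):
            while rows[end]["ts"] - rows[start]["ts"] > WINDOW:
                start += 1
            stats = _window_stats(rows[start:end + 1])
            if (stats["distinct_cards"] >= MIN_DISTINCT_CARDS
                    and stats["small_amount_share"] >= MIN_SMALL_SHARE
                    and stats["declines"] / stats["attempts"] >= MIN_DECLINE_RATIO):
                best = flagged.get(ip)
                if best is None or stats["distinct_cards"] > best["distinct_cards"]:
                    flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_card_testing(SAMPLE_LOG).items():
        print(ip, stats)
```

In the constructed log only 203.0.113.7 trips the rule: eight different cards in about a minute, every amount under $5, six of eight declined. The donor who mistyped a card twice (192.0.2.9) is not flagged because one card is retried, not many. Keying on source IP is the simplest version; in practice the same logic should also be run per session cookie and per device fingerprint, since testers rotate addresses.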

If any of you have experienced something similar, we'd love to hear about it. Cyber crime is a fact of life in the Internet age, but targeting nonprofits and charitable organizations is beyond the pale. No one expects thieves to renounce their life of crime, but is just a little bit of honor too much to ask? 

Posted by Jonathan Penn on June 8, 2009

Why Consumers Use Security Freeware

I’ve been doing a lot of research into the consumer security market lately, and with it the rise of consumer security freeware (AVG, etc.). One of the interesting findings is that those who use security freeware are not primarily motivated by price. In fact, price is less of an influence on their selection than it is for the consumers who use paid security products.

You all wear IT security hats during the day. But if you’re like me, that hat never gets completely removed outside of work either: you protect your computers at home, and you also help protect those of your family members, your friends, and the occasional neighbor or two. Indeed, when it comes to computer security, you’re likely a savvy consumer shopper and a strong influencer of other people's purchases. So if you use free consumer security software, have considered using it, or used it and switched back to paid versions, take a look at my new post on the security freeware trend. I’d love to hear your thoughts on this.

Posted by Andrew Jaquith on May 29, 2009

Will Obama’s New Cyber-Security Plan Make a Difference? We Can Only Hope

This morning, US President Barack Obama unveiled the outlines of a change in direction for US cyber-security policy. The first announcement relates to the creation of a new military command that will centralize and expand on existing cyber-war-fighting capabilities. This is overdue, and should bring more coherence to efforts that were already spread out between several different military branches (notably the Army, Navy and Air Force) and the intelligence services. The NSA, for example, has long had a “red-team” offensive capability in addition to its defensive corps. As I understand it, the new military cyber-command will reside in the Department of Defense. Less clear is whether the new organization will just be a military operation, or whether it will also take over parts of the intelligence services’ capabilities.

The second part of today's announcements, the Cyberspace Policy Review, seeks to reform the way the US Government secures itself, its agencies and critical infrastructure like the stock exchanges. As reported in a story in the New York Times, the reforms will create a new office residing in the White House that will report to both the National Economic Council and the National Security Council. The remainder of this blog post analyzes what the plan, which was unveiled at 11 today, recommends.

Where We Came From

But first, a little background. Most security-watchers know that the last big attempt to improve government security was FISMA, the Federal Information Security Management Act. The Act codified an approach to protecting government systems. It required all federal agencies to assess the risk of their information systems, implement minimum baseline security controls as defined by NIST, and, most critically, certify and accredit that each agency’s systems had in fact implemented the required security controls. The tangible outcome of the process was a related “scorecard” exercise undertaken by the House Oversight and Government Reform Committee. The idea was to give letter grades (A through F) to each agency.

In theory, this sounds like a good idea. In practice, it did little to improve security. The evidence is everywhere. We've all read the reports in the news about perfidious Chinese hackers, opportunist Ruskies and the like snooping around federal systems and systematically looting them of all their treasures. The picture painted in the press is of a government whose variously-accredited and certified systems are nonetheless wide-open to hackers. While it's hard for most people to get a real sense of the scope of the problem from the papers, people I've spoken to who do government contract work for a living tell me that the stories we've seen are just the tip of the iceberg. And on a personal note, I can tell you that in my past I've helped investigate an incident involving an attack on a military weapons program by foreign attackers. So the dangers seem clear and present to me.

What’s Wrong with the Current Approach?

So, what's wrong with FISMA, and what does this review address? In my view, FISMA serves a useful function because it defines how the risk assessment, control selection and audit processes are supposed to work at a federal level. This is good, but it is important to remember that FISMA is mostly about compliance with a security program and its processes, and not about the effectiveness of the security itself. Practically speaking, what FISMA and the annual House scorecarding ritual did was:

  • Create incentives to “finish the audit” rather than make systems more secure
  • Force answers to the wrong question: “are you accredited” rather than “how secure are you?”
  • Conflate compliance with security
  • Create a strange new vocabulary out of step with the private sector. (Ask Goldman Sachs or Bank of America about the importance of their “accredited systems” and they will look at you like you have two heads)
  • Focus on inputs (controls) rather than outputs (KPIs and attacks)
  • Divert vast amounts of cash to auditors and other “process”-focused Beltway Bandits

And beyond FISMA, the current approach did not:

  • Effectively share attack and intrusion data with the private sector
  • Coordinate the federal agencies with shared responsibilities for security: Homeland Security, Defense, Justice, Energy, Treasury and others
  • Consolidate responsibilities for cyber-defense and responding to attacks

What the Review Recommends

The review recommends the following 10 actions, which I have reprinted and lightly edited:

  1. Appoint a cybersecurity official responsible for coordinating the Nation’s policies and activities with dual reporting to the National Security Council and National Economic Council. The new policy chief would establish a new NSC directorate to coordinate interagency strategy and policy
  2. Prepare an updated national strategy to secure the information and communications infrastructure
  3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics
  4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate
  5. Identify legal issues and recommend policies that would clarify roles, responsibilities, and the agency authorities needed to coordinate cybersecurity-related activities across the Federal government
  6. Initiate a national public awareness and education campaign to promote cybersecurity
  7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen international partnerships in this area
  8. Prepare a cybersecurity incident response plan; enhance public-private partnerships to streamline, align, and provide resources to increase their contributions and engagement
  9. Conduct R&D on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure
  10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

What the Review Gets Right

  • Correctly identifies that there are too many barriers for inter-governmental collaboration, and with the private sector. Some of these barriers are organizational, and others are legal. For example, under what legal authority could the government acquire attack data from a privately held stock exchange? Another example: do liability (discovery) fears prevent the private sector from sharing data? Aligning the legal régime with simple common sense would be terrific.
  • Focuses on intrusion detection and response (outcomes) rather than the checklists (inputs). I noticed, for example, that the words “accreditation” and “certification” appear nowhere in the document, while “intrusion” appears 14 times.
  • Earmarks R&D dollars to find and develop new security technologies. This is too important to be left solely to the private sector.
  • Calls out preservation of civil liberties as an explicit goal, with participation from the private sector and what the review calls the “privacy community,” which I can only imagine means organizations like the EFF, EPIC, and the Ponemon Institute. This is the sort of language that we would never have seen in, for example, a plan authored by the President's predecessor.

Where It Misses Opportunities

  • Places too much faith in “consumer education” around topics like fraud and identity theft. Consumers know very well that the internet is a dangerous place, full of predators and identity thieves. The government should instead be asking: why is the information consumers have on their PCs so valuable? And what can the government do to move authentication beyond the broken password paradigm most users follow today?
  • Too timid with respect to identity management. True, the report mentions expanding the HSPD-12 federal credentialing and authentication programs across the government, which is good. And it does recommend the US government “develop policies that encourage the development of a global, trusted eco-system that protects privacy rights and civil liberties.” That is great, but the report could have gone further and recommended the US do what many European countries have already done: make the government a “trust anchor” as the source for national digital identities.
  • Misses an opportunity to mobilize action on existing critical infrastructure, notably SCADA (energy) and transportation, particularly the air-traffic control system. These areas are only hinted at in the review, and these few mentions lack a high degree of urgency.

Overall, there is more to like about the Cyberspace Policy Review than dislike. It correctly shifts the emphasis from process to outcomes, and makes pragmatic recommendations on how to remove barriers to getting things done. This is all good.

What it Means for the Private Sector

For Forrester customers in the commercial and private sectors, the Cyberspace Policy Review will not mean much in the very short term. The document merely recommends changes to the direction of future US policies. We are a long way off from seeing legislation that would obligate enterprises to do anything differently than they are doing today. However, over the medium term the recommendations will inform policy decisions lawmakers must make. As a result, the private sector can expect:

  • Increased focus on sharing security incident data with sector ISACs and with the government — on a voluntary basis, at first
  • Increased government involvement in setting direction for identity management — probably stopping just short of a national digital identity initiative
  • Gradual removal of anti-trust and discovery/liability disincentives to share security information
  • Much stronger focus on incident response and penetration testing, both at the federal level and as a recommended industry “best practice”

Overall, the document signals quite clearly that our previous approaches were not working. One might say that Hope, something President Obama campaigned on, will not be sufficient when it comes to cyber-security. Ironic, no?

I'd recommend you read the Cyberspace Policy Review yourself to draw your own conclusions. It is about 75 pages, and not a difficult read. As always, I value your comments and e-mails.
