Written by Neha Jain, Co-Chair of India’s CSR Board
Continuing in our commitment to sustainability, Akamai is excited to announce the launch of our accelerator program supporting innovators and building solutions to address India’s water challenges. A concerted effort by the Akamai India leadership team, the accelerator program is being launched at a time when we are witnessing a rising demand for water globally, caused by exponential population growth coupled with a changing climate that is making rainfall less predictable. Closer to home, here in Bangalore, India, we are witnessing the impact of rapid urbanization on our water resources like never before.
From our past experience with Corporate Social Responsibility (CSR) initiatives and supporting social purpose organizations in India, our India leadership team was eager to build a program that has a strong focus on impact and also reflects Akamai’s core values of innovation, technology, and sustainability. After exploring various thematic areas, we selected water — spanning water conservation, groundwater recharge, water quality, efficient use of water resources, and water governance — all calling for the sustainable management and use of India’s scarce water resources.
After analyzing the available solutions and gaps, we realized that a critical area of need is for solutions that require support with refinement of their products, and ideas allowing for higher market-readiness and scale. We are excited to be a catalyst in this ecosystem and join forces with the Indian Institute of Technology Madras (IIT Madras) — one of India’s premier academic institutions — in this endeavor. IIT Madras has supported over 200 startups through its incubation programs and also houses the International Centre for Clean Water (ICCW), a first of its kind, in-house centre in India, exclusively set up to focus on supporting water innovations.
Together with our accelerator partner, we are excited to embark on this journey, and you will hear more from us and our grantees soon!
Stay tuned for more updates.
*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Courtney Hadden. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/1RQSs56DbK8/accelerator-program-for-early-stage-innovations-in-water-an-akamai-india-csr-flagship-initiative.html
An effective compliance program has a critical impact on an organization’s ability to operate with integrity, consistency, quality and maintain trust and credibility with organizational stakeholders including customers, partners, vendors, employees, and investors. It is also an important component of an effective risk management program.
When I was leading IT security and compliance engagements at a Big 4 firm, I helped many companies in the technology, fintech and financial services space design internal control environments to safeguard their information systems and data. I also conducted assessments of my clients’ internal control environments, to help them strengthen and streamline their risk posture. My clients asked me all kinds of questions that really revolved around one theme: At the end of the day, how do I make sure that what we’re doing as an organization is actually effective in mitigating the risks that matter?
In this article, I will discuss four key characteristics of an effective compliance program, why each one is important, and how these elements can be achieved. If your compliance program has these elements, you can be confident that you’re on the right track in mitigating the risks that matter.
This topic is timely, given how quickly the current cyber risk landscape is evolving. For instance, due to increasing connectivity between organizations and reliance on third-party vendors, third-party data breaches accounted for more than half of all data breaches in the first half of 2019. Meanwhile, newer data privacy laws like the GDPR and CCPA are difficult and costly to comply with, and they use steep fines and penalties to sanction non-compliant organizations.
The four signs of a mature and effective compliance program
1. Quality
An effective compliance program should align to a broader risk management strategy. Risk assessments should be performed at least annually, and more frequently for higher risk areas. The ultimate goal of an effective risk management strategy is maintaining a risk environment that is within an acceptable risk tolerance level for the organization. To accomplish this, an organization must identify its risks, define risk tolerances (risk levels that are acceptable) and then design controls in a manner that effectively addresses the risks.
Below are some questions to consider in evaluating the quality of your compliance program:
Does your risk strategy include a comprehensive view that considers both existing and emerging risks?
How are risk tolerance levels defined?
Are key stakeholders involved in setting risk tolerance levels?
How effectively does the design of the control mitigate the risk?
Is there a control redundancy strategy, so that if a critical control fails, another control is in place to address the risk?
Are your controls independently validated to confirm their effectiveness?
By using innovative compliance management software like Hyperproof, it is easy to ensure your control environment effectively aligns to your overall risk management strategy. As new risks are identified, Hyperproof provides visibility to see if existing controls are already in place to address the risks, or if new controls are needed.
Hyperproof also enables you to see the gaps between your existing control set, and what would be needed to adopt leading cybersecurity frameworks like NIST SP 800 series or the ISO 27000 series.
2. Consistency
The design of the control impacts how effective the control is. Additionally, consistency in performing the control process is an important factor in having an effective compliance program. In this context, consistency means that your controls are operating at the specific time interval, and in the same manner, as they were designed to. To ensure that your controls are operating consistently, you’ll need to have sufficient oversight and visibility into the performance of control processes.
For instance, deploying patches is an important component of vulnerability management. If patches are not consistently deployed, at the time that they become available, your systems may be left exposed to vulnerabilities. As such, it is important to have visibility into control processes that were not performed timely so that you can quickly resolve issues. This is particularly important for high risk areas like vulnerability management.
Continuous compliance helps you manage risk more effectively. With continuous compliance, control processes are consistently performed, and evidence from the control processes is evaluated and actioned accordingly. If you are evaluating control processes on a continuous basis, you have an opportunity to refine your risk management strategies in real time.
For example, if you are using a SIEM solution that does not have both logging and monitoring alerts turned on, it could potentially prevent notifications of attack indicators. The lack of notifications and alerts reduces the ability to make timely adjustments to network controls. This scenario could have been prevented with continuous compliance. Specifically, continuous compliance would have discovered, in a timely manner, that logging and monitoring alerts were not turned on.
I have found that many organizations delay collecting and evaluating evidence, until right before they need to submit that evidence to their auditor or security assessor. By delaying evidence collection and evaluation, organizations miss the opportunity to adjust and adapt their risk environment. If evidence is only collected and evaluated before an audit or assessment, the control process becomes a lagging indicator with little room for adjustment.
Technology can make a big impact when adopting continuous compliance. For instance, you can use a compliance management solution like Hyperproof to keep all your evidence organized (e.g. linked to the right control/requirement) and use automated reminders to alert control operators to review controls on a regular basis and submit evidence on time.
Additionally, Hyperproof has a feature called ‘Freshness’. You can set a ‘Freshness’ policy to remind yourself and your team to review controls on a cadence and ensure that all controls are appropriately evaluated throughout the year. This helps ensure that no one will forget any of their compliance tasks, which ultimately makes your entire organization more secure and resilient.
Compliance operations software like Hyperproof can also eliminate duplicative work (e.g., having to collect the same piece of evidence five times to meet five different compliance frameworks) by helping users identify common controls and common evidence across compliance frameworks.
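The patching and SIEM examples above, and the ‘Freshness’ cadence idea, come down to one check: for every control, is the newest piece of evidence both passing and recent enough for that control’s cadence, and if not, is a backup control covering it? The following Node.js script is an added example, not Hyperproof’s code or any of its features; the control catalogue (VM-01, LM-01, LM-02, AC-01), the cadences and the evidence records are all constructed for illustration.

```javascript
// Added example (not Hyperproof's code): evaluate control evidence against each
// control's required cadence so lapses surface as they happen, not at audit time.
// Control IDs, cadences and evidence records below are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Control catalogue: how often evidence must be produced, and which control
// acts as a backup for another (the redundancy question from the checklist).
const CONTROLS = [
  { id: 'VM-01', name: 'Critical patches deployed', cadenceDays: 30, backupOf: null },
  { id: 'LM-01', name: 'SIEM alerting enabled', cadenceDays: 7, backupOf: null },
  { id: 'LM-02', name: 'Manual log review', cadenceDays: 7, backupOf: 'LM-01' },
  { id: 'AC-01', name: 'Quarterly access review', cadenceDays: 90, backupOf: null },
];

// Constructed evidence: one record each time a control was performed.
const EVIDENCE = [
  { control: 'VM-01', performedAt: '2019-11-02', result: 'pass' },
  { control: 'VM-01', performedAt: '2019-12-28', result: 'pass' },
  { control: 'LM-01', performedAt: '2019-12-20', result: 'fail', note: 'alerts left disabled after upgrade' },
  { control: 'LM-02', performedAt: '2020-01-08', result: 'pass' },
  { control: 'AC-01', performedAt: '2019-09-15', result: 'pass' },
];

// Newest evidence record for a control, or null if it was never evidenced.
function latestEvidence(controlId, evidence) {
  return evidence
    .filter(e => e.control === controlId)
    .sort((a, b) => Date.parse(b.performedAt) - Date.parse(a.performedAt))[0] || null;
}

// One status per control as of a given date:
//   ok      - latest evidence passed and is within the cadence window
//   failed  - latest evidence recorded a failure (act now)
//   overdue - last passing evidence is older than the cadence (control is lagging)
//   missing - never evidenced
function evaluateControls(controls, evidence, asOf) {
  const asOfMs = Date.parse(asOf);
  return controls.map(c => {
    const latest = latestEvidence(c.id, evidence);
    if (!latest) return { id: c.id, status: 'missing', ageDays: null };
    const ageDays = Math.floor((asOfMs - Date.parse(latest.performedAt)) / DAY_MS);
    let status = 'ok';
    if (latest.result !== 'pass') status = 'failed';
    else if (ageDays > c.cadenceDays) status = 'overdue';
    return { id: c.id, status, ageDays };
  });
}

// A control that is not ok counts as covered only if some backup control exists
// for it and that backup is itself ok; everything else is an uncovered gap.
function uncoveredFailures(controls, statuses) {
  const statusById = new Map(statuses.map(s => [s.id, s.status]));
  return controls
    .filter(c => statusById.get(c.id) !== 'ok')
    .filter(c => {
      const backup = controls.find(b => b.backupOf === c.id);
      return !(backup && statusById.get(backup.id) === 'ok');
    })
    .map(c => c.id);
}

// Entry point: run the evaluation for a date and list what needs attention.
function report(asOf = '2020-01-10') {
  const statuses = evaluateControls(CONTROLS, EVIDENCE, asOf);
  return { statuses, uncovered: uncoveredFailures(CONTROLS, statuses) };
}

console.log(JSON.stringify(report(), null, 2));
```

Run as of 2020-01-10, the patch control is ok (13 days old against a 30-day cadence), the SIEM alerting control is failed but covered by the passing manual log review, and the access review is overdue with nothing backing it, so it is the one uncovered gap. Running this on a schedule rather than before the audit is what turns the evidence from a lagging indicator into something you can act on.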
3. Governance and oversight
Governance and oversight is a key component of an effective compliance program. At the highest level, senior risk leaders need the right information to effectively monitor the effectiveness of the compliance program and make adjustments as needed. Adjustments may include areas such as incorporating new controls to address emerging risks, redesigning weak control processes to make them stronger, or developing new training to improve security awareness among employees.
At a tactical level, a compliance manager needs another set of information to understand how prepared they are for upcoming audits or assessments, quickly see which controls they need to act on, and ensure that control processes are performed correctly and on time. They should also have visibility into the issues that need immediate attention or escalation.
Getting sufficient visibility into the effectiveness of a compliance program can be a difficult challenge for many organizations. This is especially an issue for organizations that manage their compliance efforts in a variety of different tools such as elaborate spreadsheets, email inboxes, and file storage systems like Box, Dropbox or OneDrive.
However, when organizations start to manage all of their compliance projects in one single place, it becomes a lot easier to gather the right set of metrics for decision making.
For instance, Hyperproof gives organizations a central location where all of their compliance requirements, controls, and proof can be stored and managed so that compliance managers and external auditors can see everything in one streamlined system. It allows compliance managers to quickly answer questions such as, “Where are we with our evidence collection?”, “What controls need to be updated or redesigned?”, and “What do the examiners need to see?”.
Hyperproof also helps senior risk leaders understand how well their current compliance program stacks up against several best-in-class cybersecurity and data privacy frameworks.
4. Efficiency
Efficiency has to do with how well an organization is managing its resources, including time, employees, and budget. Being efficient means that your team is able to achieve quality, consistency and effective oversight with an optimal amount of resources. With limited resources, it is particularly important to focus your compliance efforts on the more critical areas.
Making compliance activities more efficient is key to reducing the cost of compliance, which always seems to be going up due to factors such as the rise of data privacy regulations, the growing awareness of third-party risks, a rise in vendor-to-vendor audits, and the shortage of cybersecurity talent.
In terms of operational efficiency, technology will be incredibly important. In fact, Hyperproof was built to help organizations become far more efficient in compliance management. Not only does Hyperproof serve as a single source of truth for all of your compliance activities, it can reduce the administrative work around collecting evidence and managing tasks (e.g., updating controls) by half.
Hyperproof comes with a set of features that enable greater efficiency, including:
Crosswalk: Helps users identify the overlapping requirements and controls between various compliance frameworks
Integrations with file storage systems where evidence is stored and productivity tools
Collaboration capabilities between compliance managers, control operators, senior leaders, and external auditors
Automated reminders to review controls and evidence
Smart folders and labels to efficiently link a batch of evidence to controls
Related content: The Complete Guide to Continuous Compliance
With compliance, it’s important to understand what it actually takes to become compliant and maintain that position. I have discussed four key elements of an effective compliance program. Organizational focus should be placed on quality, consistency, effective oversight, and efficiency. Deliberate attention to each area will ultimately lead to a well-functioning compliance program.
Additionally, effective risk management is about being proactive instead of reactive. That includes quickly responding to the alerts indicating weaknesses of critical systems, and consistently evaluating/updating the control processes established for prevention/mitigation of potential security incidents.
When compliance costs are rising quickly for organizations of all industries, sizes and types, prioritizing the right areas — with a solution that is agile, intuitive and cost effective — becomes essential.
The post The Four Signs of an Effective Compliance Program: Quality, Consistency, Oversight and Efficiency appeared first on Hyperproof.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Petrina Youhan. Read the original post at: https://hyperproof.io/resource/four-signs-of-an-effective-compliance-program/
Gmail automatically blocks more than 100 million phishing emails every day and warns people that are targeted by government-backed attackers, but you can further strengthen the security of your Google Account by enrolling in the Advanced Protection Program—our strongest security protections that automatically help defend against evolving methods attackers use to gain access to your personal and work Google Accounts and data.
Security keys are an important feature of the Advanced Protection Program, because they provide the strongest protection against phishing attacks. In the past, you had to separately purchase and carry physical security keys. Last year, we built security keys into Android phones—and starting today, you can activate a security key on your iPhone to help protect your Google Account.
Activating the security key on your iPhone with Google’s Smart Lock app
Security keys use public-key cryptography to verify your identity and the URL of the login page, so that an attacker can’t access your account even if they have your username or password. Unlike other two-factor authentication (2FA) methods that try to verify your sign-in, security keys are built with FIDO standards that provide the strongest protection against automated bots, bulk phishing attacks, and targeted phishing attacks. You can learn more about security keys from our Cloud Next ‘19 presentation.
Approving the sign-in to a Google Account with Google’s SmartLock app on an iPhone
On your iPhone, the security key can be activated with Google’s Smart Lock app; on your Android phone, the functionality is built in. The security key in your phone uses Bluetooth to verify your sign-in on Chrome OS, iOS, macOS and Windows 10 devices without requiring you to pair your devices. This helps protect your Google Account on virtually any device with the convenience of your phone.
How to get started
Follow these simple steps to help protect your personal or work Google Account today:
Activate your phone’s security key (Android 7+ or iOS 10+)
Enroll in the Advanced Protection Program
When signing in to your Google Account, make sure Bluetooth is turned on on your phone and the device you’re signing in on.
We also highly recommend registering a backup security key to your account and keeping it in a safe place, so you can get into your account if you lose your phone. You can get a security key from a number of vendors, including Google, with our own Titan Security Key.
If you’re a Google Cloud customer, you can find out more about the Advanced Protection Program for the enterprise on our G Suite Updates blog.
Here’s to stronger account security—right in your pocket.
With help from Eric Geller, Mary Lee, Martin Matishak and Alexandra S. Levine
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at politicopro.com.
— Lawmakers and election equipment makers discussed researcher probes of the companies’ wares at a rare hearing on Thursday.
— A major software industry organization raised doubts about a proposed Commerce Department rule for information and communications technology supply chain security.
— The risk of possible Iranian cyberattacks has stayed on the agenda for DHS, researchers and others.
HAPPY FRIDAY and welcome to Morning Cybersecurity! Stay strong, Betelgeuse. We’re all on your side. Send your thoughts, feedback and especially tips to email@example.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
THE ROAD TO A CVD — Voting machine vendors keep inching toward a coordinated vulnerability disclosure program, Thursday’s House Administration Committee hearing revealed, but there are still some hitches emerging toward fuller collaboration with researchers. John Poulos, CEO of Dominion Voting Systems, testified that his company reached out to an organizer of DEFCON’s machine-hacking Voting Village because it was “interested in a more collaborative penetration testing with stakeholders,” and actually sent modern certified systems, but an internal conference dispute led to scuttling those plans.
The CEOs of Election Systems & Software (Tom Burt) and Hart InterCivic (Julie Mathis) both said their companies had submitted equipment to Idaho National Laboratory, which conducts vulnerability tests with DHS. Overall, Burt said he doesn’t want to hand-select red teams but is “interested in making sure we attract hackers who can make our systems better without requiring that the information that they discover be put into the public domain,” and would like to see the Election Assistance Commission manage the program and choose researchers.
At the same hearing, Chairwoman Zoe Lofgren expressed concern about the potential for internet connectivity on vote tabulators, and the vendors voiced support for federal rules creating reporting requirements for companies’ cybersecurity practices.
I DON’T EVEN KNOW WHERE TO START — The Commerce Department’s proposed regulation for information and communications technology supply chain security is unworkable because it gives the Commerce secretary “unbounded discretion to review commercial ICT transactions, applying highly subjective criteria in an ad hoc and opaque process that lacks meaningful safeguards for companies,” the software trade group BSA said in comments filed this morning as part of the proceeding. The proposed supply chain rule, released in November, would let the government block U.S. companies from buying equipment and services that jeopardize national security. But BSA said the rule needed a serious overhaul.
BSA policy director Christian Troncoso wrote that the rule needed better transparency mechanisms and “procedural safeguards,” more precise definitions of what types of transactions and entities are covered and better-defined criteria for blocking those transactions. BSA called for exempting companies from the rule if they meet certain supply chain security standards, ensuring that “an official with adequate levels of political accountability” supervises the process and formally involving the intelligence community in decisions.
The group also urged changes such as requiring annual reports to Congress, giving companies more time to respond to a proposed decision and letting an independent interagency group reverse any decision. Absent these changes, Troncoso said, the rule’s “broad scope” and “vaguely defined standards” will “put U.S. companies at a competitive disadvantage.”
UPDATING MY PROFILE— CISA Director Chris Krebs and agency leadership met with acting Homeland Security Secretary Chad Wolf this week to discuss efforts to shore up election security and stave off potential cyberattacks originating from Iran following the U.S.-led airstrike. CISA is urging organizations to “assess their cyber readiness and take steps to protect their networks and assets, including heightened awareness, increasing organizational vigilance, confirming reporting processes, and exercising incident response plans,” according to a note.
They also discussed the mounting threat of ransomware and CISA’s efforts to support governments and businesses, as well as efforts to protect the 2020 elections from foreign interference, such as providing cybersecurity services and developing and exercising incident response plans.
IRAN’S STILL A THING, PART TWO — That recent Saudi Arabian alert about Iranian cyberattacks involves its hackers placing data-wiping malware on Bahrain’s national oil company Bapco, ZDNet pieced together. The new wiper strain is dubbed Dustman, and seemingly didn’t have the impact the hackers were looking for. And it doesn’t appear directly linked to the recent U.S.-Iran tensions, the outlet reported.
A Dragos report out Thursday highlighted an Iranian hacking group’s password-spraying attacks on the North American energy sector. “MAGNALLIUM’s increased activity coincides with rising escalations between the U.S. and allies, and Iran in the Middle East,” the report states. “Dragos expects this activity to continue.”
And Check Point released numbers on Thursday about the volume of Iranian attacks in the week since the U.S. launched missiles that killed General Qassem Soleimani, showing no particular major uptick in attacks. Turkey was the top target of Iranian hackers, at 19 percent, compared to 17 percent for the U.S.
KIDS’ PRIVACY BACK IN THE SPOTLIGHT — From our friends at Morning Tech: As we await comprehensive data privacy legislation from Congress, a bipartisan pair of House Energy and Commerce lawmakers are offering a separate privacy measure — one aimed at bringing COPPA, the 1998 federal children’s online privacy law, up to date.
Reps. Tim Walberg (R-Mich.) and Bobby Rush (D-Ill.) on Thursday introduced the PROTECT Kids Act (shorthand for Preventing Real Online Threats Endangering Children Today), which would make location data and biometric data categories protected under the law; ensure that rules safeguarding children online also apply to apps on mobile phones; give parents more control over children’s data and consent; and task the FTC with reviewing the decades-old COPPA law and making recommendations on it to Congress.
“In the past, predators and perpetrators sought to harm our children by lurking near schoolyards and playgrounds,” Rush said. “But now — due to incredible advancements in technology — they are able to stalk our children through their mobile devices and in video game lobbies.”
Meanwhile, in the Senate: Sens. Ed Markey (D-Mass.), author of the COPPA bill, and Josh Hawley (R-Mo.) last spring introduced a bipartisan COPPA 2.0 bill (S. 748) that would, similarly, expand existing federal privacy protections for children and compel the FTC to enforce them. The agency is also doing its own self-reflection on whether COPPA rules need to be changed or updated.
RECENTLY ON PRO CYBERSECURITY — House and Senate Democrats urged the FCC to take on SIM swapping scams. … “Countries that award 5G contracts to Western-aligned companies over Huawei won’t be hobbling their transition to next-generation wireless networks, a senior State Department official said.” … Belgian security services advised the government to limit the use of “non-trusted suppliers.” … Companies are reacting to California’s landmark Privacy Act by interpreting the complex law as they see fit.
— Law firm Alston & Bird announced the election of 17 lawyers to its partnership, including Maki DePalo in the organization’s privacy and data security group.
— Intrusion Truth has returned with more information on Chinese tech companies recruiting hackers for the government. CyberScoop
— Las Vegas said it dodged a horrible cyberattack. ZDNet
— Herb Lin contemplated the intersection of cyber and psychological operations. Lawfare
— Malwarebytes said it found unremovable malware preinstalled on low-end smartphones sold to low-income Americans. ZDNet
— “Industry working groups tasked with implementing the Pentagon’s landmark cybersecurity certification program have selected the University of Virginia’s Ty Schieber as board chairman, to lead the process for selecting a board of directors for an accreditation body that is expected to be up and running later this month.” Inside Cybersecurity
— The PCI Security Standards Council and U.S. Chamber of Commerce blogged about Magecart.
— Rockwell Automation is buying Israeli cybersecurity company Avnet Data Security. Security Week
Source: National Cyber Security – Produced By Gregory Evans Posted by Jan Keller, Technical Program Manager, Security At Google, we strive to make the internet safer and that includes recognizing and rewarding security improvements that are vital to the health of the entire web. In 2020, we are building on this commitment by launching a […]
The U.S. Department of Defense is aiming to secure its supply chain with the cybersecurity maturity model certification, or CMMC program, which will vet potential third-party contractors.
Ellen Lord, the undersecretary of defense for acquisition and sustainment, said at a news conference at the Pentagon that the CMMC program “will measure technical capabilities and process maturity” for organizations in the running for new defense contracts.
Although the full details of the CMMC program won’t be made public until January, Lord described it as a five-tier framework in which each level of certification is specifically designed based on how critical the work of the contractor would be. The CMMC program is scheduled to be fully implemented by June 2020.
Dan Fallon, senior director of public sector systems engineers at Nutanix, said programs like CMMC that “create or enhance standard practices and responsibilities around cybersecurity are essential to improving security posture.”
“It is great to see the DOD engaged in a strategic, comprehensive and measured approach to ensuring the security of the products and vendors with whom they work,” Fallon told SearchSecurity. “Furthermore, the Department’s concerted effort in sourcing input from the private sector in developing these standards is a strong indication of its understanding that even with additional cybersecurity policy, overall security will always remain a shared responsibility between vendors and government agencies. After all, there is no one silver bullet to make an agency invulnerable to attack.”
Theresa Payton, president and CEO of Fortalice Solutions and former White House CIO, said the CMMC program “is a good next step to improve supply chain security for the DOD through its contractors and sub-contractors.”
“In the wake of data breaches where the weakest link was a contractor, these are important next steps,” Payton told SearchSecurity via email. She added that if she “were to prioritize security elements for every contractor and subcontractor to meet it would be: 1. ensure that all data in rest and in transit and at points of consumption are encrypted; 2. have a regular review process of user access controls and authorizations to include third party applications and system to system interactions that are tested; 3. create kill switches that can be flipped if there is a suspected intrusion; 4. ongoing training and awareness.”
Dr. Chase Cunningham, principal analyst serving security and risk professionals for Forrester Research, said the requirements should focus on “using virtual infrastructure to manage the connections those persons have into a system, and really solid analytics.”
“They already do basically everything anyone can to vet a singular user, having been through that myself I can tell you it is rough, but ultimately once a person is in a network it’s on [the DOD],” Cunningham told SearchSecurity. “If they don’t monitor [contractors] and have really segmented infrastructure, things go bad quick. Combine well-built zero-trust infrastructures with good behavioral monitoring and analytics and you can fix this problem.”
The full details of the CMMC program requirements won’t be known until next month, but Lord did promise the expectations, measurements and metrics used will be “crystal clear,” and audits of potential contractors will be done by a third party that should be chosen by next month as well.
Additionally, Lord said at the Ronald Reagan National Defense Forum in Simi Valley, Calif. earlier this week that the DOD expects the weakest links in the supply chain to be the lower tier, smaller companies who may not be able to afford to meet the requirements. As such, the DOD is planning ways to ensure smaller contractors can meet a basic level of cybersecurity via “broader certifications” that will be detailed more in the next three months.
Payton said she was “encouraged to see that the DOD specifically noted that it will help smaller contractors to meet requirements.”
“This will encourage many to embark on this endeavor,” Payton said. “A rising tide lifts all boats so if the DOD would extend free software, tools, and tips and techniques to their supply chain they will naturally lift the security of the DOD ecosystem.”
Cunningham disagreed and said if the CMMC program requirements are clear and “your company wants to win the bid, meet the line items.”
“It will still be on the contractor to make things work. When the government is paying the bill, why should they push more help on those companies that want the work and the revenue?” Cunningham asked. “The government honestly shouldn’t be helping too much.”
Government contractor risks
The history of cybersecurity risks and third-party contractors can be traced back years. The most famous example was whistleblower Edward Snowden, a contractor for Booz Allen Hamilton, who stole and leaked information about NSA phone metadata tracking practices in 2013.
In 2015, a breach of the Office of Personnel Management affected millions and the ensuing investigation found that the threat actors gained access to systems in part by using credentials stolen from government contractors.
The DOD had two issues in 2017 linked to contractors. In August, an AWS S3 bucket containing unclassified data from the DOD was discovered to be publicly accessible due to misconfiguration by Booz Allen Hamilton. In November, another S3 bucket containing DOD data, this one built by contractor VendorX, was discovered to be exposed.
Payton said there’s a simple reason why these past issues didn’t lead to faster action by the government.
“There is a fundamental disconnect between the rate at which technology evolves and the rate at which bureaucracy reacts. What we’re dealing with here is a failure of systems,” Payton said. “It’s never too late to learn from past mistakes, but ultimately, we need real-time solutions not just to today’s obstacles and threats but to tomorrow’s as well.”
Cunningham said, “This type of requirement should have been in place years ago.”
“The government runs into this as they are lobbied by those big consulting firms that push back on anything they do that could impact their businesses,” Cunningham said. “Obviously having a new set of standards for thousands, or tens of thousands of cleared workers is a problem they didn’t want to deal with.”
Source: National Cyber Security – Produced By Gregory Evans DETROIT – Michigan’s IT professionals already know about the crucial shortage of properly trained and educated Cybersecurity professionals. In fact, you can’t open a newspaper, or a browser, without seeing an article publicizing the critical shortfall of Cybersecurity workers. Worse, the gap shows no sign of […]
The Homeland Security Department on Wednesday released a draft of a binding operational directive that would require every federal agency to create a vulnerability disclosure policy.
Under the measure, each civilian agency would need to create a formal process for security researchers to share vulnerabilities they uncover within the organization’s public-facing websites and other IT infrastructure. Agencies must also develop a system for reporting and closing the security gaps that are uncovered through the program.
Despite the growing popularity of public cyber initiatives like bug bounties, security researchers often find themselves in a legal gray area when reporting cyber weaknesses to the government. By creating vulnerability disclosure policies, agencies can set clear guardrails on legal hacking.
“A [vulnerability disclosure policy] allows people who have ‘seen something’ to ‘say something’ to those who can fix it,” Jeanette Manfra, assistant director for cybersecurity within the Cybersecurity and Infrastructure Security Agency, said in a blog post. “It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems.”
The BOD would bring the rest of the government up to speed with the Pentagon and the General Services Administration’s tech office, which have already established vulnerability disclosure programs. DHS is also in the process of finalizing its own policy.
CISA will accept public feedback on the proposed directive through Dec. 27.
Specifically, the measure would give agencies six months to create a web-based system for receiving “unsolicited” warnings about potential vulnerabilities. They must also develop and publish a vulnerability disclosure policy, outlining the systems and hacking methods that are authorized under the program and describing the process for submitting vulnerabilities.
The directive would require agencies to consistently add new systems to the program over time. Within two years, “all internet-accessible systems and services” must be in scope of the policy, according to the measure. Every system launched after the directive is issued must automatically be considered in scope.
Agencies would also need to set procedures for handling submissions and report both specific vulnerabilities and program metrics directly to CISA.
While the directive gives agencies some latitude in the metrics and procedures behind their own policies, the measure could ultimately lay the foundation for a standardized, government-wide vulnerability disclosure program, Manfra said.
“We think a single, universal vulnerability disclosure policy for the executive branch is a good goal … but we expect that goal to be an unrealistic starting place for most agencies,” she said. “The directive supports a phased approach to widening scope, allowing each enterprise – comprised of the humans and their organizational tools, norms, and culture – to level up incrementally.”
Singapore’s Government Technology Agency (GovTech) has launched a new vulnerability disclosure program on HackerOne so researchers can disclose vulnerabilities in government sites.
The program allows researchers to examine internet-accessible government sites and applications for vulnerabilities and disclose them to the agency.
“As part of the Government Technology Agency’s (“GovTech”) ongoing efforts to ensure the cyber-security of Government internet-accessible applications used by the citizens, business and public sector employees, GovTech has established this suspected vulnerability disclosure programme (“VDP”) to encourage the responsible reporting of suspected vulnerabilities or weaknesses in IT services, systems, resources and/or processes which may potentially affect Government internet-accessible applications. We look forward to working with the cyber-security research community and members of the public to keep our services safe for all users.”
Researchers who want to participate in the Singapore vulnerability disclosure program can target the following services:
Government internet-accessible applications for use by the public including Government internet-accessible applications, that are owned by any department or ministry of the Government, any Organ of State or any statutory board. Examples of such Government digital services are “gov.sg” and “ns.sg”, and examples of such mobile applications are “SingPass Mobile” and “SGSecure”.
Government internet-accessible applications for use by Government employees only, that are provided by any department or ministry of the Government, any Organ of State, or any statutory board. Examples of such web-based and mobile applications are “pacgov.agd.gov.sg”, and “DWP Mobile”.
Unlike many popular bounty programs on HackerOne, this one does not reward researchers with cash bounties for disclosing vulnerabilities. That decision may lead researchers to stay away from this program in favour of others where they can earn a living.
Singapore bug bounty challenge started over the weekend
Unlike the new vulnerability disclosure program, the bug bounty challenge HackerOne launched for Singapore’s Ministry of Defense over the weekend does offer cash rewards for discovered vulnerabilities.
This challenge started on July 28th 2019 and will go through October 21st, 2019.
“The three-week challenge will run from September 30, 2019 to October 21, 2019, and will bring together trusted hackers from around the world to test 11 government-owned targets, including websites and public digital systems belonging to MINDEF/Singapore Armed Forces (SAF) and other agencies in the defense sector. Hackers will search these systems for security weaknesses so they can be safely resolved and therefore, enhance the safety and security of these systems. This year’s bug bounty challenge also has an added focus on personal data protection.”
This challenge is only open to invited trusted researchers who will attempt to find bugs in eleven government-owned targets.
As the circumstances surrounding WannaCry, Petya/Goldeneye, the Shadow Brokers and exposed voters’ records have shown, cybersecurity events continue to cripple companies no matter their size or industry.
Although cybersecurity is both broad and complex, some best practices can help prevent hackers from successfully infiltrating your customers’ operations. A mature cybersecurity program relies on a layered security approach — meaning that no single control is the only source of protection for a corporate asset. Three controls that make up a layered security approach are secure password practices, multi-factor authentication and security awareness training.
Secure password practices
For many people, it’s difficult to remember unique, complex passwords for every website — a complication that leads to password reuse. Unfortunately, cyber criminals know this is common. When your credentials are compromised on one site, they will take that username and password and try it on other sites, often with success.
As a solution, use a password manager tool. These services ask you to remember one master password and, through a browser extension, will automatically log you in to all of the websites you visit using a longer, more complex password that you don’t need to know. What’s the advantage? If a company, such as your bank, is compromised, the stolen password only allows access to your bank and nowhere else.
Steps to multi-factor authentication
Multi-factor (or two-factor) authentication (MFA or 2FA) is more straightforward than it may initially seem. MFA is a combination of two of these three factors:
Something you know: a piece of information that you have memorized, such as a password.
Something you have: Historically, this was a physical token that displayed a 6-digit number, which changed every 30 seconds. Today, this method usually uses an app on the user’s smartphone. In either case, the owner does not need to memorize the multi-digit code, provided they have the device or app with them when logging in.
Something you are: biometrics, such as a smartphone’s built-in fingerprint reader.
When MFA is used, it becomes much more difficult for an attacker to gain unauthorized access to an account. Not only would he or she need to steal your password, but the criminal would also need to physically steal, or hack into, your token device or biometric data, both of which are far more difficult tasks. An additional best practice is to use MFA on all remote connectivity, and for any activity requiring administrator-level access.
Creating security awareness
Your customers can be their companies’ strongest security assets or weakest links. Employees who click on malicious links and open attachments can easily bypass other cyber protections. Phishing attacks, situations in which an employee receives a legitimate-appearing, but actually malicious email, are one of the top causes of data breaches.
Ten years ago, phishing attacks came from a “Nigerian prince” and were easy to identify. These days, attacks are much more sophisticated and are timed with current events, such as business transactions or the April 15 tax day. Attackers also will take time to create “spear phishing” attacks, in which a specific person or company is targeted. Spear phishing uses information from a user’s LinkedIn page or other social media accounts to appear plausible.
Your customers should regularly conduct security awareness training for employees. Training should include regular communications on current security events and in-house phishing campaigns performed on a frequent basis. The in-house campaigns test employees with seemingly realistic phishing emails that, thankfully, are anything but.
Criminals will always be thinking of new ways to attack businesses and consumers, which forces businesses to constantly evolve their cybersecurity practices. It is only through constant vigilance that we can continue to protect ourselves in this ever-escalating environment.