Awareness & Training , CISO , Education

How Hearst's CISO Talks Security With the Board David Hahn Offers Tips for Making Tough Conversations Easier Jeremy Kirk (jeremy_kirk) • September 13, 2016    

Boards of directors these days have a clearer perspective of just how damaging an information security incident can be. If there is a positive lesson in the devastating attacks against Sony Pictures Entertainment in November 2014, it's that cyberattacks are embarrassing, expensive and difficult to recover from (see ISMG's Guide to the Sony Breach).

But while security experts have long advocated making cybersecurity a front-and-center topic as part of all business continuity discussions, having that conversation still isn't always as easy as it should be. For starters, information security is an arcane topic that can quickly go down the rabbit's hole, with graphs showing the number of vulnerabilities that have been patched in a given timeframe and presentations devolving into little more than exchanging thick compliance reports. Box-ticking or patching exercises do not guarantee that an organization is completely secure, but it's difficult for executives to wrap their heads around related technical minutiae, or its business implications.

See Also: Protecting Your Assets Across Applications, Services and Tiers

David Hahn, a vice president and CISO at Hearst Corporation, the broadcasting and print media company that own magazines such as Esquire, Elle and Cosmopolitan, has found approaches that do not cause board members' eyes to glaze over when he speaks. He shared some of his board communication tips during a Sept. 13 panel discussion at the Security Innovation Network conference in Sydney.

"I have to explain it in a story," Hahn says. "I have to explain to them what is going on, what is not going on. I don't go into a lot of complicated statistics, such as how many vulnerabilities do we have, how many breaches have we had, how many attacks have we had. It doesn't really make any sense to them."

A Campaign, Not a Battle

What the board wants to hear is how Hahn runs the information security program and how that work is reducing the company's risk profile. Boards want to see some numbers and hear of progress. But because it's a long-term, continual campaign, Hahn advises that it's a year-over-year program and no silver bullet. And that message is getting through, he says.

The No. 1 follow-up question Hahn hears is whether he has enough budget. But it's not exactly the right question, he contends. Organizations can spend as much as they want on technology, but it's not necessarily going to solve security problems because people and processes are huge components, he says.

"It's about getting education, awareness - all those pieces," Hahn says.

Hearst is pursuing a digital strategy, and with that, more risk is incurred, Hahn says. The Sony Pictures Entertainment attacks were a turning point for Hearst's board in recognizing the dangers. The payment card attacks against Target and Home Depot didn't resonate nearly as strongly, because those businesses are very different from Hearst's, Hahn says.

"Sony was a representation of disrupting your business at a level that no one had seen before," Hahn says. The Sony breaches brought on hard questions about how a company recovers after an attack, which is an immediate ROI issue. And companies in Hearst's line of work also have been hit. In April 2015, cyberattackers struck broadcaster TV5Monde, which took 12 of the French broadcaster's channels offline for 18 hours. The attack may have been conducted by ATP28, also known as Sofacy or Fancy Bear, a suspected Russia-based group.

"If our televisions go dark, we lose money immediately," Hahn says. "There's no ripple effect. You don't sit there and worry about the regulators. We're not making money."

One-on-Ones

Another successful approach: Hahn takes executives aside to have one-on-one conversations outside of the twice-yearly meetings. Board members often don't want to ask technical questions publicly for fear of embarrassing themselves, so Hahn says the personal chats can allow them to speak more freely, such as asking what an APT is.

"Most of the time they tend to ask me about the latest phishing email that they got," Hahn says. "You start with that. I tell them: 'Don't click on the link, but even if you do, I'm going to cover you either way.' You tend to start with the small things, but you want them to understand the overarching strategy. You want to tell them that this is an ongoing conversation. It doesn't end with one purchase or one installation because the risks continue to evolve as well."

Cybersecurity , Governance , Risk Management

Gauging the Effectiveness of Risk Management Initiatives Eric Chabrow (GovInfoSecurity) • September 16, 2016    

The National Institute of Standards and Technology has issued a draft of a self-assessment tool that's designed to help enterprises gauge the impact and effectiveness of their cybersecurity risk management initiatives.

See Also: Hide & Sneak: Defeat Threat Actors Lurking within Your SSL Traffic

Known as the Baldrige Cybersecurity Excellence Builder, the self-assessment tool is based on the Baldrige Performance Excellence Program and the risk management mechanisms of NIST's cybersecurity framework. The Baldrige Performance Excellence Program, like the cybersecurity framework, is designed to help organizations worldwide guide their operations, improve performance and achieve sustainable results. NIST, a Commerce Department unit, administers the Baldrige program.

Commerce Deputy Secretary Bruce Andrews says organizations have been calling for a way to measure the effectiveness of the cybersecurity framework, and the Baldrige Cybersecurity Excellence Builder is designed, in part, to do that. "The builder will strengthen the already powerful cybersecurity framework so that organizations can better manage their cybersecurity risks," Andrews said in announcing the tool at an Internet Security Alliance conference.

Baldrige's Robert Fangmeyer explains how the self-assessment tool aligns cybersecurity with overall enterprise goals.

The builder tool is intended to help organizations ensure that their cybersecurity systems and processes support the enterprises' larger organizational activities and functions. "These decisions around cybersecurity are going to impact your organization and what it does and how it does it," says Robert Fangmeyer, director of the Baldrige Performance Excellence Program. "If your cybersecurity operations and approaches aren't integrated into your larger strategy, aren't integrated into your workforce development efforts, aren't integrated into the results of the things you track for your organization and overall performance, then they're not likely to be effective."

Builder's Adaptability

According to NIST, organizations can use the Baldrige Cybersecurity Excellence Builder to:

Identify cybersecurity-related activities that are critical to business strategy and the delivery of critical services; Prioritize investments in managing cybersecurity risk; Assess the effectiveness and efficiency in using cybersecurity standards, guidelines and practices; Evaluate their cybersecurity results; and Identify priorities for improvement.

The builder and framework are not one-size-fits-all tools; they can be adapted to meet an organization's specific needs. NIST says the builder guides users through a process that details their organization's distinctive characteristics and strategies tied to cybersecurity. A series of questions helps define the organization's approaches to cybersecurity in the areas of leadership, strategy, customers, workforce and operations, as well as the results achieved with them.

The tool's assessment rubric helps users determine whether their organization's cybersecurity maturity level is reactive, early, mature or a role model, according to NIST. The completed evaluation can lead to an action plan for upgrading cybersecurity practices and management and implementing those improvements. It also can measure the progress and effectiveness of the process. NIST recommends organizations use the builder periodically so they can maintain the highest level of cybersecurity readiness.

Genesis of Initiative

Fangmeyer says the genesis of the builder tool dates back a year ago when Tony Scott, the federal CIO, approached the Baldrige Performance Excellence Program to create a cybersecurity equivalent to the Malcolm Baldrige National Quality Award given annually by the Commerce Department. That award recognizes U.S. organizations that demonstrate performance excellence involving products, services and customer quality. Winning enterprises maintain a role-model organizational management system that ensures continuous improvement.

Instead of initially creating a cybersecurity award, however, the Baldrige Performance Excellence Program worked with the White House Office of Management and Budget, where Scott is based, and the NIST Information Technology Laboratory's Applied Cybersecurity Division to create the self-assessment tool.

NIST issued the builder as a draft and is seeking comments from stakeholders before it publishes a final version of the self-assessment tool. Fangmeyer say he hopes stakeholders will employ elements of the tool, not just read the 35-page draft, before submitting their comments on it. NIST will accept public comments on the draft until Dec. 15 via e-mail to This email address is being protected from spambots. You need JavaScript enabled to view it..

NIST produced a video to promote its cybersecurity framework.

Responding to an executive order issued by President Obama, NIST released in February 2014 the cybersecurity framework to help critical infrastructure operators manage cybersecurity risk. But many other types of organizations have adopted the framework, which provides a risk-based approach for cybersecurity through five core functions: identify, protect, detect, respond and recovery.

Citing research from IT adviser Gartner, NIST says 30 percent of U.S. organizations used the framework in 2015, and it expects that percentage to grow to 50 percent by 2020.

Anti-Malware , Application Security , Technology

Vulnerability Has Been Exploited Since at Least January 2014 Mathew J. Schwartz (euroinfosec) • September 14, 2016     Photo: Julien Gong (Flickr/CC)

For anyone who's using an unsupported version of a Microsoft operating system or browser - including Windows XP, Windows Server 2003 and Internet Explorer version 8 or earlier - please look away now.

See Also: Protecting Your Assets Across Applications, Services and Tiers

For everyone else, it's time to update Windows to patch a slew of serious flaws.

On Sept. 13, Microsoft issued 14 security updates as part of its latest round of monthly patches, of which seven fix "critical" security flaws that could be remotely exploited by attackers to take full control of a Windows system.

The critical updates fix flaws in IE versions 9 to 11 and the Edge browser, as well as Microsoft Office, Microsoft Graphics Component, Microsoft Exchange Server and VBScript Scripting Engine. Microsoft is also continuing its practice of shipping fixes for Adobe Flash Player, which has its own set of critical flaws that attackers could exploit to take complete control of a system by serving users malicious Flash content.

Needless to say, many of those same flaws exist in older, "unsupported" versions of Microsoft Windows and IE but will see no fixes. As a result, users of that software are at dramatically increased risk of seeing their systems get exploited via the flaws - some of which can be used to take control of a system without any user interaction - once attackers reverse-engineer Microsoft's code updates.

The Microsoft Graphics Component flaw, for example, could be used by attackers to remotely execute any code on a Windows 10 system, provided they can trick a user into visiting a malicious website or opening a malicious document.

Malvertising Firms Target Windows Users

Another one of the flaws being fixed is a zero-day vulnerability that's been exploited by attackers for more than two years. The flaw, CVE-2016-3351, exists in the IE and Edge browsers, and is being actively exploited by the malvertising groups known as AdGholas and GooNky.

French security researcher Kafeine, who works with security firm Proofpoint, says in a blog post that he helped alert Microsoft to the related flaw in 2015. But it wasn't until Proofpoint and Trend Micro again warned Microsoft about the flaw this year, he says, that the software giant committed to prepping a fix.

Kafeine says that recent research has found that the flaw has been exploited in the wild since at least January 2014 as part of a "massive ... malvertising operation," adding that it shows how "threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time."

The groups appear to have covered their tracks well, staying off security researchers' radar for more than two years despite serving malvertising to up to 5 million users per day. "Avoiding researchers and their virtual machines and sandboxes relied on exploiting an information disclosure zero-day in Microsoft Internet Explorer/Edge, among other techniques," Kafeine says. In addition, attackers employed "the first documented use of steganography in a drive-by malware campaign," as well as sophisticated filtering, to ensure that they only infected desired systems.

Steganography refers to the practice of hiding attack code in plain sight, for example inside an image file.

CVE-2016-3351 was exploited by AdGholas and GooNky Malvertising Groups https://t.co/dqK0vMjFsM cc @brooks_li @Jspchc pic.twitter.com/8IpCDmbCqA

Beware Vulnerable Detours

Microsoft's September security fix for Microsoft Office includes a patch for code-hooking flaws discovered by security firm enSilo.

The security firm says the flaws appear to have existed in Microsoft's commercial hooking engine Detours for nearly a decade. In recent months, enSilo said it notified numerous security vendors - including AVG, Avast, BitDefender, Citrix, Emsisoft, Webroot, Symantec, Kaspersky Lab and Trend Micro - about the vulnerability and that all of those vendors, at least, had patched their systems.

"'Hooking' techniques enable products to monitor and/ or change the behavior of operating system functions," says Udi Yavo, CTO of enSilo, noting that such capabilities are used to provide everything from virtualization and sandboxing to performance monitoring and anti-malware scans. But those same capabilities could be abused to "allow an attacker to easily bypass the operating system and third-party exploit mitigations" and exploit systems while remaining undetected.

Yavo warns that Detours is integrated into thousands of different products, including Microsoft Office, and that all of these products will have to be recompiled by developers, and users will have to install related updates. To help identify vulnerable applications, enSilo has released a free Captain-Hook, a.k.a. "FindADetour," tool via code-sharing site GitHub that can be used by security teams to test software and see if it includes a vulnerable version of Detours.

Fresh Flash Flaws

Also on Sept. 13, Adobe released a trio of security updates that fix flaws in Adobe Flash, AIR and Adobe Digital Editions, which is an e-book viewer.

Given the number of critical flaws in Flash that have been patched in recent years on a near-monthly - or more frequent - basis, computer users might be forgiven for thinking that there was nothing left to fix in the Flash code base.

But they'd be wrong.

In fact, security experts say that anyone who has not already installed the latest fix for Flash is a sitting duck. The related update, APSB16-29, "fixes a whopping 29 vulnerabilities" in versions of Flash that run on Windows, Mac OS X, Linux and ChromeOS, says Amol Sarwate, director of the Vulnerability Labs at security firm Qualys, in a blog post.

The Flash bugs - including integer overflow, memory corruption and use-after-free flaws - "could potentially allow an attacker to take control of the affected system," Adobe warns, for example, if attackers trick a browser user into viewing malicious Flash content.

"It's interesting to note that all issues found in the Flash advisory were found by third-party researchers," Sarwate says. "As Flash is targeted by many exploit kits, we recommend you patch immediately."

Alternately, uninstall Flash on the grounds that it's an attack magnet, and exploit toolkits regularly push updates to automatically exploit the latest Flash flaws, sometimes before users have updated their software.

Data Breach

Database Compromise Traced to Spear-Phishing Attack Jeremy Kirk (jeremy_kirk) • September 14, 2016     U.S. gymnast Simone Biles at Olympic Games Rio 2016. Photo: Agência Brasil Fotografias (Flickr/CC)

Confidential drug-testing results for four U.S. Olympic athletes have been released by a suspected Russian hacking group, one month after the World Anti-Doping Agency warned that one of its critical enforcement databases had been illegally accessed.

See Also: API vs. Proxy: Understanding How to Get the Best Protection from Your CASB

On Sept. 13, WADA confirmed that Russian hackers known as Fancy Bear accessed the Anti-Doping Administration and Management System, which organizes drug testing schedules and is used by athletes to keep authorities up-to-date on their locations.

"WADA condemns these ongoing cyber attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system," says WADA Director General Olivier Niggli. "WADA has been informed by law enforcement authorities that these attacks are originating out of Russia."

In response to those allegations, a Kremlin spokesman denied that Russia was involved, speaking to Russian state-sponsored broadcaster RT, formerly known as Russia Today.

WADA says the leak greatly compromises "the effort by the global anti-doping community to re-establish trust in Russia," following WADA discovering that Russia has been running a state-sponsored doping program for its athletes.

Fancy Bears' Hack Team

A group calling itself Fancy Bears' Hack Team says the leaks are the start of what it's calling #OpOlympics.

Meanwhile, the attackers - who have referred to themselves as the "Fancy Bears' Hack Team," warned of more releases. "This is just the tip of the iceberg," the group said. "Today's sport is truly contaminated while the world is unaware of a large number of American doping athletes."

The leak adds to what's been an unprecedented run of high-profile leaks with seeming political intent that have come to light in the past three months, starting with the Democratic National Committee. That organization's internal emails, believed to have been compromised by Fancy Bear, were passed to WikiLeaks, causing a scandal within the Democratic Party and leading to the resignation of DNC chair Debbie Wasserman Schultz. Other Democratic Party organizations were also hacked, including Hillary Clinton's campaign team (see DNC Breach More Severe Than First Believed).

Some experts theorize that Russia is aggressively exerting its influence through low-budget but high-impact cyberattacks aimed at leaking sensitive internal information. Organizations have struggled to cope with attacks such as phishing, where users are tricked into revealing login credentials through cleverly crafted emails.

The U.S. government says it's continuing to investigate whether the Russian government is directly involved in the attacks. Several private security companies have linked Fancy Bear and another Russian group, Cozy Bear, to the DNC attacks. Many security firms suspect that Fancy Bear is linked with the GRU, a Russian intelligence agency (see Did Russia - or Russian-Built Malware - Hack the DNC?).

Politically speaking, it's no surprise that WADA would be a prime target. Prior to the Olympics in Rio, WADA recommended banning Russia's entire Olympic squad, although about two-thirds of its team was later cleared for competition. WADA's opinion came after revelations from Russian whistleblowers that the country ran an extensive, secretive doping program between 2011 and 2015, flouting international rules against using performance-enhancing drugs.

The WADA hackers set up an amusing website, www.fancybear.net, with animated bears and a background graphic meshing the headless suited symbol used by the hacktivist group Anonymous with the iconic Olympic rings. But while the site bombastically claims it has uncovered evidence of doping by U.S. athletes, it doesn't deliver.

The documents include confidential medical information for gymnast Simone Biles, the tennis duo Venus and Serena Williams, and Elena Delle Donne, who was on the U.S. women's Olympic basketball team. While the documents show the athletes tested positive for banned drugs, all had received what are known as "therapeutic use exemptions" for the medications, and those documents were included in the leak.

Travis T. Tygart, CEO of the U.S. Anti-Doping Agency, says the four athletes had adhered to global rules for clearing medication.

"It's unthinkable that in the Olympic movement, hackers would illegally obtain confidential medical information in an attempt to smear athletes to make it look as if they have done something wrong," he says.

The hacking group, however, dismissed the therapeutic use exemption documents. "The Rio Olympic medalists regularly used illicit strong drugs justified by certificates of approval for therapeutic use," it says. "In other words, they just got their licenses for doping."

Breached: ADAMS Database

The leak comes from the Anti-Doping Administration & Management System - or ADAMS database - which as of July 2014 contained profiles on more than 264,000 athletes and was actively used by 50,000 athletes worldwide.

Launched in mid-2005, the database was intended to simplify drug-testing coordination by allowing all agencies testing athletes to have access to a secure reporting system. Athletes must keep it up-to-date on their whereabouts so they can be available for testing. ADAMS also holds information on results, testing schedules and processes for hearings and appeals if an athlete tests positive.

On Aug. 13, WADA warned that the ADAMS password for Yuliya Stepanova had been obtained and her account was illegally accessed. Stepanova, a runner, participated in a German documentary broadcast in late 2014 that alleged systemic doping by Russia, which caused WADA to launch its investigation.

Other ADAMS users received suspicious emails that were designed to appear to have come from WADA, the organization said. The emails tried to convinced recipients to click on a link and then enter their account credentials, via a classic ruse known as spear phishing. It warned of two lookalike domain names, wada-awa.[org] and wada-arna.[org], and advised users to be cautious.

Attack Infrastructure Mirrored WADA

Shortly after WADA issued its warning, the computer security firm ThreatConnect published research on the domains. The company found that wada-awa.[org] used a name server provided by domain name registrar I.T. Itch. That same registrar was linked to suspicious domains that were used in the Democratic Party hacks and linked to other Fancy Bear attacks, ThreatConnect says.

WADA says it believes the latest leaks came via spear-phishing attacks that compromised an ADAMS account that was created for use by the International Olympic Committee at the Rio Games. That's because the exposed information only appears to pertain to the Rio Games. "At present, we have no reason to believe that other ADAMS data has been compromised," the agency says.

The ADAMS website is a public portal that requires users to log in using a username and password. But it's not clear if WADA has also implemented two-factor authentication, for example, requiring users to enter a time-sensitive passcode. Many web services, including Dropbox, Facebook and Twitter, have implemented that defense to help block account takeovers. But security experts say too few users employ these additional security features.