Showing posts with label Incident Management. Show all posts

Monday, May 26, 2014

Pace and Volume of Regulatory Change are the Biggest Factors in Leading to Risk Evaluation Failures

Results of Bank Director’s 2014 Risk Practices Survey

The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

It’s classically challenging for many banks to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on financial performance.

Survey Findings

  • 97 percent of respondents reported that the bank has a chief risk officer, or equivalent, in place.
  • 63 percent said that a separate risk committee of the board oversaw risks.
  • 64 percent of banks that have a separate risk committee reported that the bank’s strategic plan and risk mitigation strategies are reviewed; the other 36 percent were not doing this.
  • 30 percent of respondents believed that the bank’s risk appetite statement encompasses all potential risks.
  • Of this 30 percent, less than half actually use it to set limits for the board and management.
  • The survey found that the risk appetite statement, risk dashboard and enterprise risk assessment tools are not being fully used.
  • Only 30 percent analyze the impact of their bank’s risk appetite statement on financial performance.
  • 17 percent review the bank’s risk profile monthly at the board and executive level, about 50 percent review it only quarterly, and 23 percent review it once or twice per year.
  • 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
  • 53 percent want more understanding of newer risks like cyber security issues.
  • Senior execs want the board to have more training in overseeing the risk appetite and related issues.
  • 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
  • Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

Wednesday, October 23, 2013

Aligning Security with GRC

How to Leverage GRC for Security?

Governance, Risk & Compliance (GRC) has long been viewed as a framework for tracking compliance requirements and developing business processes aligned with best practices and standards. It plays a strong role in helping security teams understand the business and protect the organization from threats.

But now, more security professionals are turning to data collected by GRC tools for insights into the organization's processes and technologies. The insights gained can help them to develop better controls to protect the organization from cyber-attacks and insider threats.

As part of GRC programs, organizations document processes, specify who owns which assets and define how various business operations align with technology. Security professionals can use this information to gain visibility into the organization's risks, such as determining what servers are running outdated software.

GRC programs collect a wealth of information and insights that can be valuable to security professionals as they manage risk and evaluate the organization's overall security posture. It provides the business context necessary to improve areas such as asset and patch management, incident response and assessing the impact of changes in technical controls on business processes.

Asset Inventory

Many compliance programs, including those for PCI-DSS [Payment Card Industry-Data Security Standard], require organizations to extensively document each asset and identify who uses it for what purpose. The documentation includes information about which business processes rely on which hardware and software. Mapping a piece of technology to a particular business function makes it possible to better identify the risks and the impact on operations if that technology is compromised.

The inventory process may identify equipment that the IT department was previously unaware of. By understanding the business processes that rely on that equipment, security teams can decide what kind of firewall rules to apply, better manage user accounts and learn what software needs to be updated. Understanding who the end-users are and how the asset is being used helps security teams assess how to prioritize the risks and plan how to reduce them.

Security professionals can use GRC programs to understand how technology maps to certain business processes and functions, says Mike Lloyd, CTO of Red Seal Networks, a network security management company. This information can help them figure out what the key threats are and identify ways to mitigate that risk, he says.

Incident Response, Controls

Security professionals can also use GRC to improve information sharing across the organization and streamline incident response. For example, because GRC makes it clear what kind of business processes depend on which assets, security teams have a clear path of who should be notified when there is a security event. Incident response teams can also look at all related processes and be able to identify other assets they should investigate to assess the magnitude of a breach.

Summary

Security professionals must understand the need to move away from a technical view of risk to a more strategic one when evaluating and deploying controls. They should evaluate how certain technical controls, while improving security, can impact business functions, and make necessary adjustments.

GRC enables security professionals to "draw a line between what security tasks are necessary and what the business is concerned about."

Wednesday, August 7, 2013

DDoS Security Checklist

Help, I am under DDoS! What should I do?

DoS or Denial of Service is an attempt to make a machine or network resource unavailable to its intended users. When such a DoS is carried out by a large number of attack sources, it is called DDoS or Distributed Denial of Service.

Basic types are:

  • Consumption of computational resources
  • Disruption of configuration information
  • Disruption of state information
  • Disruption of physical network
  • Disruption of the communication media between the victim and its intended users.

How can I prevent DDoS?

While it would be incorrect to say that DDoS attacks can be prevented, the impact can be mitigated and even thwarted if your IT infrastructure is sufficiently hardened, distributed and secured. We have listed some of the preventive steps below:

  • Use rate-limiting in firewalls, routers, load balancers and other network perimeter devices.
  • Enable TCP SYN cookie protection.
  • Test your applications and deployment architecture for DoS vulnerabilities and fix them.
  • Conduct regular configuration audits of your perimeter devices.
  • Use updated software/firmware.
  • Use updated anti-virus software and regularly check your systems for malware and bots. (This way you are less likely to contribute to a DDoS on others.)
  • Use multiple ISPs or hosting providers for redundancy.
  • Maintain a backup site for quick switchover.
  • Install or configure network monitoring systems which can alert you as soon as any DDoS hits.
  • Check with your ISPs or hosting providers how they handle DDoS and be aware of financial implications in case you are hit with a massive DDoS.

Dealing with a DDoS underway is incredibly difficult. The first step should be to try to understand the type and source of the attack. Understanding the attack type greatly helps in effectively dealing with the attack. Some of the things that you may consider are:

  • Blackholing and sinkholing
  • Enable rate-limiting in firewalls, routers, load balancers and other network perimeter devices.
  • Obtain a new IP address or range from your ISP or hosting provider if the attacker is targeting an IP address or range. If you have multiple ISPs then try switching your primary ISP.
  • Switch to a provider such as Akamai, Cloudflare or Incapsula, which have known expertise in handling DDoS.
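The first response step above, understanding the type and source of the attack, applied to web server access logs as an added example that is not part of the original post: it separates a single hammering source from a distributed flood of many low-rate sources, which the checklist treats differently. The log lines, addresses (documentation ranges) and thresholds are constructed for illustration.

```python
"""Rate-based DDoS triage over web server access logs (added example).

Buckets requests from combined-format access log lines into fixed time
windows and reports two patterns: a single source whose request rate is
far above normal (a DoS from one origin), and a window whose aggregate
rate is abnormal although no single source stands out, which is the
signature of a distributed flood. Thresholds here are illustrative.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, host, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return ts, m.group("host"), m.group("request")


def bucket_requests(lines, window_seconds=10):
    """Group requests into fixed windows: {window_start_epoch: Counter(host)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort mid-incident
        ts, host, _ = parsed
        window = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[window][host] += 1
    return buckets


def triage(lines, window_seconds=10, per_source_limit=20, aggregate_limit=60):
    """Return a list of findings, one per suspicious window, in time order.

    per_source_limit and aggregate_limit are requests per window; derive
    them from a baseline of normal traffic before relying on them.
    """
    findings = []
    for window, counts in sorted(bucket_requests(lines, window_seconds).items()):
        total = sum(counts.values())
        hot = sorted(h for h, n in counts.items() if n > per_source_limit)
        if hot:
            findings.append({"window": window, "kind": "single-source",
                             "sources": hot, "total": total})
        elif total > aggregate_limit:
            # No single offender, but many low-rate sources add up.
            findings.append({"window": window, "kind": "distributed",
                             "sources": len(counts), "total": total})
    return findings


def sample_lines():
    """Constructed sample log (documentation address ranges, not real traffic):
    a quiet window, a single-source burst, then a distributed flood."""
    def entry(host, hhmmss):
        return (f'{host} - - [07/Aug/2013:{hhmmss} +0000] '
                f'"GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines = []
    for i in range(5):                      # 10:00:00-09, five normal visitors
        lines.append(entry(f"192.0.2.{i + 1}", f"10:00:0{i}"))
    for i in range(25):                     # 10:00:10-19, one source hammering
        lines.append(entry("198.51.100.7", f"10:00:1{i % 10}"))
    for i in range(70):                     # 10:00:20-29, 70 sources, 1 req each
        lines.append(entry(f"203.0.113.{i + 1}", f"10:00:2{i % 10}"))
    lines.append("not an access log line")  # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    for finding in triage(sample_lines()):
        print(finding)
```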

What to do after the incident?

  • Conduct a root cause analysis and ensure that no other malicious activity was done on your servers other than DDoS.
  • If blackholing or sinkholing was applied, restore normal routing once the attack subsides.
  • If the preventive measures listed above are missing, you may consider implementing some of them to be better prepared.

Friday, August 2, 2013

NIST Updates Malware & Patch Management Guidelines

First Revisions to Both Publications in Eight Years

The National Institute of Standards and Technology has published new guidance on malware incident prevention and handling for desktops and laptops as well as enterprise patch management technologies.

NIST Special Publication 800-83 Revision 1, "Guide to Malware Incident Prevention and Handling for Desktops and Laptops," provides recommendations for improving an organization's malware incident prevention measures. The publication also gives extensive recommendations for enhancing an organization's existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts.

SP 800-40 Revision 3, "Guide to Enterprise Patch Management Technologies," provides an overview of enterprise patch management technologies. It also briefly discusses metrics for assessing the technologies' effectiveness. The publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. Patch management is the process of identifying, acquiring, installing and verifying patches for products and systems.

NIST also issued SP 800-165, "2012 Computer Security Division Annual Report," which highlights the activities of NIST's Computer Security Division during fiscal year 2012, which ended Sept. 30.

Tuesday, July 9, 2013

10 Principles To Guide Companies in Creating and Implementing Incident Response Plans

It's common that many companies have response plans but don't truly operationalize them!

With cyber criminals successfully targeting organizations of all sizes across all industry sectors, organizations need to be prepared to respond to the inevitable data breach.

A response should be guided by a response plan that aims to manage a cyber security incident in such a way as to limit damage, increase the confidence of external stakeholders, and reduce recovery time and costs.

Here are 10 principles to guide companies in creating and implementing incident-response plans:
  1. Assign an executive to take on responsibility for the plan and for integrating incident-response efforts across business units and geographies.
  2. Develop a taxonomy of risks, threats, and potential failure modes. Refresh them continually on the basis of changes in the threat environment.
  3. Develop easily accessible quick-response guides for likely scenarios.
  4. Establish processes for making major decisions, such as when to isolate compromised areas of the network.
  5. Maintain relationships with key external stakeholders, such as law enforcement.
  6. Maintain service-level agreements and relationships with external breach-remediation providers and experts.
  7. Ensure that documentation of response plans is available to the entire organization and is routinely refreshed.
  8. Ensure that all staff members understand their roles and responsibilities in the event of a cyber incident.
  9. Identify the individuals who are critical to incident response and ensure redundancy.
  10. Train, practice, and run simulated breaches to develop response "muscle memory." The best-prepared organizations routinely conduct war games to stress-test their plans, increasing managers' awareness and fine-tuning their response capabilities.

An effective incident response plan ultimately relies on executive sponsorship. Given the impact of recent breaches, we expect incident response to move higher on the executive agenda. Putting the development of a robust plan on the fast track is imperative for companies.

When a successful cyber attack occurs and the scale and impact of the breach comes to light, the first question customers, shareholders, and regulators will ask is, "What did this institution do to prepare?"

Sunday, May 5, 2013

How You Can Get Hacked at Starbucks


Be extra careful when using free public Wi-Fi
For those who frequently use the free public Wi-Fi in coffee shops such as Starbucks and Dunkin' Donuts, you're likely already aware of how easy it is for hackers to steal your personal and financial information over the shared network.
But what you may not realize is how cybercriminals could gain access to sensitive data in other ways that might not be on your radar.
According to ThreatMetrix, a provider of cybercrime prevention solutions, some hackers even leave malicious USB drives on tables for curious customers to plug into their devices. This allows them to retrieve personal information and even social network passwords. Although this may seem unlikely, ThreatMetrix says the scenario actually occurs.
Cybercriminals can also use video cameras on a mobile device to capture what you're doing nearby. This means if you are entering your credit card or email login information into a smartphone, you could be recorded doing so. Creepy, right?
More sophisticated techniques include network scanners, which detect open ports on a device connected to the network, and "hotspot honeypots" which intercept a user’s Internet connection and give full access to that network.
Here's a look at what to keep your eyes peeled for when cozying into a coffee shop near you. 

Sunday, April 21, 2013

Industrial Control Systems (ICS) Security Awareness Poster

Control Systems Are A Target, Need Some Awareness?

One of the challenges we face in the Industrial Control System (ICS) community is awareness. People maintaining our critical infrastructure do not realize how fragile and targeted the supporting cyber systems are, including PLCs, Relays, RTUs and entire SCADA networks.

This poster was developed by a community team of industry ICS experts to help ICS Engineers and Operators understand just how much they are a target and why. As always, the first step to changing behaviors is engagement, and the first step to engagement is ensuring people know they are a target. 

Feel free to download, print and distribute this poster amongst your organization and peers. This poster is just the first in a series of resources and training to be released by SANS's new ICS group.

Download now a high-resolution version from our Security Awareness Posters section.

Wednesday, April 17, 2013

Can Enterprises Rely on MDM to Achieve Mobile Security?


mRAT spyware bypasses mobile enterprise controls
Mobile remote access Trojan (mRAT) infections are increasing and bypassing mobile enterprise security controls, putting businesses at risk of cyber espionage, research has revealed.
mRATs are capable of intercepting third-party applications such as WhatsApp, despite guarantees of encrypted communications, the study of 2 million smartphone users by Lacoon Mobile Security found.
The research also showed that mRATs are similarly able to bypass security controls in mobile device management (MDM) systems, which a growing number of businesses rely on for mobile security.
mRATs are designed to carry out cyber espionage and typically enable eavesdropping on calls and meetings, extracting information from email and text messages and location tracking of executives.
The spyware requires a backdoor for installation, through the rooting of Google Android or the jailbreaking of Apple iOS devices.
The research found that mRATs can bypass rooting and jailbreaking detection mechanisms installed on handsets, with 52% of infected devices found running iOS and 35% running Android.
The attacks undermine the basic notion of a secure container on which most MDM systems are based, according to Lacoon Mobile Security.
MDM systems create secure containers that separate business and personal data on the mobile, in an attempt to prevent business-critical data from leaking.
However, the research team demonstrated that mRATs do not need to directly attack the encryption mechanism of the secure container, but can grab it at the point where the user pulls up the data to read it.

Mobile best practices and technologies include:
  • Remotely analyse the risk involved with each device, including behavioural analysis of the downloaded applications;
  • Calculate the risk associated with the device's operating system vulnerabilities and usage;
  • Conduct event analysis to uncover new, emerging and targeted attacks by identifying anomalies in outbound communications to C&C servers;
  • Enable network protection layer to block exploits and drive-by attacks and contain the device from accessing enterprise resources when the risk is high.


Monday, February 25, 2013

AusCERT - Cyber Crime and Security Survey Report 2012

Over half of respondents have increased their expenditure on IT security in the previous 12 months

The recently released Cyber Crime and Security Survey Report 2012 conducted by CERT Australia, in partnership with the Centre for Internet Safety at the University of Canberra, is readily available from CERT Australia’s public website – see www.cert.gov.au.

It is highly recommended reading for IT & Information Security professionals within Australia.

Some 450 businesses were approached to participate in the CERT Australia Cyber Crime and Security Survey, from which the report was developed. It is suggested that you share the report with your IT colleagues (and vice versa).

The report highlights cyber security issues and may be suitable for referencing as an external source, providing justification for funding of IT/control system security initiatives.

The inaugural Survey was designed to obtain a better understanding of how cyber incidents are affecting the businesses that form part of Australia’s systems of national interest – the businesses that partner with CERT Australia.


The survey consisted of 24 questions, both closed and open ended, to ascertain:

  • business description
  • types of IT security used
  • types of cyber security incidents experienced, and
  • industry reporting of incidents.


The findings from the survey provide a picture of the current cyber security measures these businesses have in place; the recent cyber incidents they have experienced; and their reporting of them.

Refer here to download the report.

Monday, November 12, 2012

Incident Response: Gathering the Facts

Not Knowing Numbers Behind Event Makes Risk Assessment Hard

To know how best to respond to IT and communications failures, organizations first must collect information on such incidents. 

The European Network and Information Security Agency, as reflected in its report that focused on mobile- and land-based networks, is collecting information about incidents so European member nations can improve their response to such events.

Without the data and an analysis of the information, officials in government and industry can't determine the best way to respond. The report's author states:
"We could go to any country and ask a politician if they know how many incidents there were in the banking sector and what their social impact was. They don't know the answer. And that is difficult to make policy and even to assess the risks of cybersecurity incidents without knowing the numbers behind it."
Among the major findings of the report:

  • Hardware/software failure and third-party failure were the root causes for most outages;
  • Incidents primarily caused by natural phenomena such as storms and floods lasted, on average, for 45 hours;
  • Mobile and fixed communication services depend strongly on power supply; the battery capacity of 3G base stations is limited to a few hours, so lasting power cuts cause communication outages.
Please refer here to download the report.

Friday, November 9, 2012

What to Do About DDoS Attacks

Security Tips for the Banks

The distributed-denial-of-service attacks that have hit 10 U.S. banks in recent weeks highlight the need for new approaches to preventing and responding to online outages.

Attackers have broadened their toolkits, and DDoS is not just a blunt instrument anymore. Banking institutions should:
  • Use appropriate technology, including cloud-based Web servers, which can handle overflow when high volumes of Web traffic strike;
  • Assess ongoing DDoS risks, such as through tests that mimic real-world attacks;
  • Implement online outage mitigation and response strategies before attacks hit;
  • Train staff to recognize the signs of a DDoS attack.
In layman's terms, during a DDoS attack a website is flooded with "junk" traffic - a saturation of requests that overwhelms the site's servers, preventing them from responding to legitimate traffic. In essence, DDoS attacks take websites down because the servers can't handle the traffic.

Most banks have failed to address this vulnerability to high volumes of traffic. Starting in mid-September, DDoS attacks have resulted in online outages at 10 major U.S. banks.

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters has taken credit for the hits, saying the attacks are motivated by outrage related to a YouTube movie trailer deemed offensive to Muslims. But security experts say DDoS attacks are often used as tools of distraction to mask fraud in the background.


To reduce their risk of DDoS takedown, banks need to address three key areas: 
  1. Layered user authentication at login, which consumes bandwidth;
  2. Reliance on Internet service providers not equipped to handle extreme bandwidth demands; and
  3. The internal management of Web servers, which limits banks' ability to hand off traffic overflow when volumes are excessive.
Fraud should always be an institution's top concern, meaning addressing DDoS threats should be a priority. "DDoS protections have quickly become a new industry best practice." But DDoS attacks pose unique challenges for banks and credit unions.

The additional layers of security institutions already implement, such as enhanced user authentication, transaction verification and device identification, demand more bandwidth. So when a bank is hit by a DDoS attack, bandwidth is strained more than it would be at a non-banking e-commerce site.

Thursday, October 11, 2012

Key Qualities of Good Leadership During Bad Times

How to be a good crisis manager?

This is a difficult question for a business continuity practitioner to ask because generally they will be asking it of a senior executive or even a CEO, who is unlikely to believe they are anything less than excellent.

There are some aspects to a crisis which differ from day-to-day management. Unlike managing commercial and operational challenges, in a crisis the route map to follow is often unclear and the consequences of failure much more serious.

A wrong decision can potentially damage the reputation of a company beyond repair. Who now remembers what a strong and influential company Arthur Andersen once appeared to be? It failed not because it had a bad business model, but because in one situation it failed to take control of the crisis that eventually engulfed it. However, just because you cannot predict the exact nature of a crisis doesn't mean you cannot prepare for it.

Because it is usually so serious, top management often plays the leading role in dealing with external stakeholders, including the media. This is good in that it shows the organization is taking it seriously, but bad if that leader is ill-prepared.

A crisis is too urgent for a consensus-debating style of leadership, but conversely the biggest danger can be over-confidence. Often top managers are dealing with circumstances in which they do not know what plans or capabilities are available (or at least not their details), what the latest information is relating to cause and effect, and what is actually happening "on the ground."

The two crucial elements needed to make decisions are situational awareness and up-to-date information. It is too late to work out how you get the information when the crisis has happened, so a way of monitoring potential problems needs to be constantly running. Despite this, when the crisis erupts, managers can still fail if they are not perceived as being "on top of the situation."

Some ways in which they can show this level of leadership are:

  • Always tell the truth based on the facts that are available.
  • If you don't know answers to a question, explain why and when you might know.
  • Always follow up on what you promise.
  • Do not delay making decisions and taking action.
  • If you delay taking action, you almost always make things worse and are seen to be drifting.
  • Concentrate on protecting reputation, not necessarily minimizing short-term financial loss.
  • Ensure proper processes and systems are in place so that situation changes can be constantly monitored and responses modified as appropriate.
  • Communicate with all stakeholders, regularly and often.
  • Make sure technical mechanisms are in place and the correct people are involved.
  • Ensure that internal and external messages are consistent.
  • Do not tell the media one thing and staff something different.

Wednesday, October 10, 2012

China Gets Serious about Grid Security

China announced its plans for a massive increase in smart grid security spending in an effort to contain risks that may arise from its aggressive smart grid expansion.

What happened

Fears that its rapidly expanding electricity infrastructure may be vulnerable to security and cyber attacks prompted China to announce plans for a staggering increase in smart grid security spending. Representing a compound annual growth rate (CAGR) of almost 45%, grid defense spend will grow from US$1.8b in 2011 to US$50b by 2020.

Background

A new report by the business analysts at GlobalData described China’s smart grid security situation as an anomaly due to the scale of expenditure when compared with that of other regions. For example, Europe and North America combined are predicted to spend a comparatively modest US$16b on cyber security during the same forecast period.

But to put things in perspective, the GlobalData research also offers the following insightful observations on China’s grid security policy:
  • China has a strained relationship with a number of nations in relation to cyber security.
  • The United States, in particular, has on several occasions accused Chinese hackers of attempting to breach their power systems.
  • China fears that these accusations may have fostered an environment of mistrust which may lead to retaliatory cyber-attacks on their own power infrastructure.
  • China continues to experience rapid urbanization and expanding its smart grid, which directly results in increased exposure to cyber attacks.
And let us not forget the Stuxnet computer worm discovered in 2010. The Stuxnet example is arguably the most dramatic demonstration of the vulnerability of modern power grids to malicious cyber-attack.

According to GlobalData, “the worm focused on 5 Iran-based organizations and was believed by many to be a deliberate attempt to disrupt the Iranian nuclear power program.”

Serious threats to securing the grid

A Pike Research 4Q 2011 report, entitled Utility Cyber Security: Trends to watch in 2012 and Beyond, identified the following threats to power grids everywhere:  
  • One size doesn’t fit all: cyber security investments will be shaped by regional deployments. As an example, consider smart meter saturation in the US versus EV adoption rates in the Middle East.
  • Industrial control systems, not smart meters, will be the primary cyber security focus. Here, they refer to control systems such as transmission upgrades, substation automation, and distribution automation.
  • Assume nothing: “security by obscurity” will no longer be acceptable. Using the example of the Stuxnet worm, assume attacks are a probability and not merely a possibility.
  • Chaos ahead?: The lack of security standards will hinder action. No industry standards exist.
  • Aging infrastructure: older devices will continue to pose challenges. While modern advanced metering infrastructure (AMI) devices have built-in cyber security, some supervisory control and data acquisition (SCADA) systems are older and have no built-in security features.
  • System implementation will be more important than component security. Cyber security works to protect a whole entity and attackers look for holes.

Saturday, October 6, 2012

It's your responsibility to protect your data on Facebook!

Marketers are Dying for Your Facebook Data

...and Facebook wants to help them get it. In fact, the social network giant -- now under pressure from stockholders to produce revenue -- has developed new functionality designed to help advertisers better find you on Facebook.

So long as you have voluntarily given your phone number or email address to a company, that company can now use it as a means for searching and locating you on Facebook.

Be sure to check and update your settings on Facebook (and other social sites), as new functionality is added frequently, threatening your assumption of privacy online. Speaking of Facebook, be sure you are aware of another change that could result in having your emails sent to Facebook.

In June, Facebook changed everyone's email address visibility settings to hide the email addresses we purposefully shared with friends, leaving just @facebook.com addresses.

For folks who did not change this back, and for folks using the new iPhones, running iOS 6, this could result in having the preferred email addresses being replaced by @facebook.com addresses...and having sensitive information saved to the Facebook systems (a far-from-secure system to keep email messages). 

See more about it here.

Friday, October 5, 2012

Facebook applications are not always safe!

Apps Dressing Up as Innocent Fun

Many people mistakenly believe that any application found on Facebook has been vetted by Facebook, and is therefore safe. False.

As this article on Facecrooks points out, anyone can create an app for publication on Facebook. Facebook users are also guilty of clicking through the permission screen, potentially missing key information on how the application's developers plan to access their Facebook information (for those that actually provide such information).

Take the time to read these screens thoroughly before clicking OK. If an app does not provide information about how it will use your information, then don't download it; it's just not worth the potential problems, no matter how much fun the app sounds.

Wednesday, October 3, 2012

How Much Do You Care About Your Privacy?

Apps Come Back to Haunt You

Can you count your apps on one hand? Two? As smartphones have found their way into more pockets and purses, the tendency to become "app happy" has struck more than one consumer.

Often folks will download an app, input their personal information, allow it to track and store their locations, purchase behaviors -- heck, even account numbers -- and then forget all about it. Meanwhile, the application is running in the background gathering (and potentially sharing with third parties) the private and personal details of their lives.

Have you set an app to auto-broadcast your location to a social network? Here's hoping you remember that before you arrive at the amusement park on a "sick day." Does that pizza place auto-fill your credit card number when you order a pie online? That's one lucky thief who gets a hold of your smartphone. Make it a practice to review your apps often.

A good time to do this is now; delete the ones you are not using. A friend of mine was surprised to find she had accumulated over 200! Then, check again whenever you have an app ask you to download an update.

As those notices come in, don't just ask yourself if you'd like to update (which is an important step, as many apps improve their security and privacy standards with these updates); also ask yourself if that's truly an app you need to have on your smartphone, laptop or any other type of computing device you use.

Thursday, September 20, 2012

The Bible of Risk Assessment

NIST Issues Risk Assessments Guidance

Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides direction for conducting risk assessments and amplifies the guidance found in SP 800-39: Managing Information Security Risk. Though SP 800-30 was written for federal information systems and organizations, its lessons can be applied to other organizations in and out of government.

The new guidance document, issued Sept. 18, provides direction for carrying out each of the steps in the risk assessment process, such as preparing for the assessment, conducting the assessment, communicating the results of the assessment and maintaining the assessment. It also shows how risk assessments and other organizational risk management processes complement each other.

Continuous Monitoring

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor continuously, so that they can determine whether risk has increased to unacceptable levels (such as exceeding organizational risk tolerance), and it offers insights on the courses of action that should then be taken.

Information technology risks include risk to the organization's operations, such as mission and reputation, as well as its critical assets, including data and physical property as well as individuals who are part of or served by the organization.

Can't Protect Everything

The new publication focuses exclusively on risk assessment, the second step in the information security risk management process. The guidance covers the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and business operations, and the likelihood that a threat will exploit vulnerabilities in information systems and their physical environment to cause harm or adverse consequences.
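As an added example (not NIST's tooling and not code from the original post), here is a small Python helper that pairs each threat with the vulnerability it exploits, combines an assessed likelihood and impact into a risk level on SP 800-30's five-point qualitative scale, and flags scenarios that exceed an organizational risk tolerance, the check the Continuous Monitoring paragraph above describes. The combination matrix, the tolerance handling and the sample scenarios are this example's assumptions, not values taken from the publication.

```python
# Added example, not from NIST or the original post. Risk levels follow the
# five-point qualitative scale of SP 800-30 Rev. 1; the combination matrix is
# this example's assumption about the publication's Appendix I tables.
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]  # lowest first

# RISK_MATRIX[likelihood][index of impact in LEVELS] -> risk level (assumed).
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class RiskScenario:
    threat: str         # threat event, e.g. phishing leads to credential theft
    vulnerability: str  # weakness the threat exploits
    likelihood: str     # overall likelihood the event occurs and causes harm
    impact: str         # impact on missions and business operations

    def risk_level(self) -> str:
        """Combine likelihood and impact into one qualitative risk level."""
        if self.likelihood not in RISK_MATRIX or self.impact not in LEVELS:
            raise ValueError(f"unknown scale value in scenario {self.threat!r}")
        return RISK_MATRIX[self.likelihood][LEVELS.index(self.impact)]


def exceeds_tolerance(level: str, tolerance: str) -> bool:
    """True when a risk level is above the organization's stated tolerance."""
    return LEVELS.index(level) > LEVELS.index(tolerance)


def assess(scenarios, tolerance="Moderate"):
    """Rank scenarios highest risk first, flagging those over tolerance."""
    rows = [(s.threat, s.risk_level(), exceeds_tolerance(s.risk_level(), tolerance))
            for s in scenarios]
    return sorted(rows, key=lambda r: LEVELS.index(r[1]), reverse=True)


# Constructed sample scenarios, for illustration only.
SAMPLE = [
    RiskScenario("phishing leads to credential theft", "no MFA on webmail", "High", "High"),
    RiskScenario("lost laptop exposes records", "disk not encrypted", "Moderate", "Very High"),
    RiskScenario("web defacement", "outdated CMS plugin", "Low", "Low"),
]
```

Re-running `assess(SAMPLE)` on a schedule, with the likelihood values refreshed from monitoring data, is the continuous check for risk drifting above tolerance.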

With the issuance of the revised SP 800-30, the original series of five key computer security documents (including SP 800-39) envisioned by the Joint Task Force to create a unified information security framework for the federal government is complete. The Joint Task Force is a partnership of NIST, the Department of Defense, the Office of the Director of National Intelligence and the Committee on National Security Systems.

Monday, September 10, 2012

Breach Preparation: 4 Key Steps

Tips to Develop Breach Plan

You have one shot to get it right. How should organizations prepare properly for a data breach?

Too often, organizations go to the effort of creating a breach response plan but then fail to actually test it. That is like having a fire evacuation plan but never running the drill to make sure people actually get out of the building.

To prepare properly for a breach, organizations should:

Select an Individual to Lead the Charge:

Pick the right individual: someone who has enough knowledge of the company and an appreciation of the importance of the personal identity information that needs to be protected.

Conduct an Audit of All Subcontractors:

So many breaches today occur at third-party service providers. Organizations, then, should ask their key vendors about their own data breach response plans, as well as how big of a priority it is to protect the data they're handling. It's also important to have a formalized agreement of the vendors' breach plans and that they practice it.

Involve the Right Departments:

Privacy, public relations, customer service and information security departments all need to be involved in breach planning. Outside professionals, such as legal and law enforcement, should also be included in the preparation process.

Complete a Yearly Breach Drill:

Organizations that actually practice the plan, and have seen some of the hitches that arise during a drill, do much better when they experience a real breach: they respond more quickly, satisfy the regulators, minimize the cost and protect brand reputation.

Monday, August 13, 2012

11 Ways Enterprises Can Battle Malware

NIST guidelines will help you keep pace with the changing malicious code threat

As malicious code rapidly evolves, the National Institute of Standards and Technology is updating its guidance to reflect changes in the threat malware presents to organizations.

NIST says in the just-published draft of Special Publication 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops:

"Unlike most malware threats several years ago, which tended to be fast-spreading and easy to notice, many of today's malware threats are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time and eventually leading to exfiltration of sensitive data and other negative impacts."

NIST, in announcing the draft revision, points out that protecting desktops and laptops remains critical even as many government agencies and companies focus on mobile security.

The guidance provides information on the major categories of malware that afflict desktop and laptop computers and furnishes practical procedures on how to prevent malware incidents and what to do when a system becomes infected.

To battle malware, the NIST guidance suggests organizations should:

  1. Develop and implement an approach to malware incident prevention.
  2. Plan and implement an approach to malware incident prevention based on the attack vectors that are most likely to be used now and in the near future.
  3. Ensure that their policies address prevention of malware incidents.
  4. Incorporate malware incident prevention and handling into their awareness programs.
  5. Implement awareness programs that include guidance to users on malware incident prevention.
  6. Maintain vulnerability mitigation capabilities to help prevent malware incidents.
  7. Document policy, processes and procedures to mitigate vulnerabilities that malware might exploit.
  8. Apply threat mitigation capabilities to assist in containing malware incidents.
  9. Perform threat mitigation to detect and stop malware before it can affect its targets.
  10. Consider using defensive architecture methods to reduce the impact of malware incidents.
  11. Sustain a robust incident response process capability that addresses malware incident handling.

NIST is seeking comments from stakeholders on the draft. Comments can be sent to 800-83comments@nist.gov by Aug. 31. A final revision is expected to be published by late summer.

Saturday, August 11, 2012

6 Steps to Handle IT Security Incidents

New Guide from the National Institute of Standards and Technology

The National Institute of Standards and Technology has issued a revision of its guidance to help organizations establish programs to manage computer security incidents.

NIST, in Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide, spells out what incident-response capabilities are necessary to rapidly detect incidents, minimize loss and destruction, mitigate weaknesses that were exploited and restore IT services.

Revision 2 updates the original guidance to reflect changes in attacks and incidents. "Understanding threats and identifying modern attacks in their early stages is key to preventing subsequent compromises, and proactively sharing information among organizations regarding the signs of these attacks is an increasingly effective way to identify them," NIST says in the introduction to the guide.

"This revised version encourages incident teams to think of the attack in three ways," says guide co-author Tim Grance. "One is by method - what's happening and what needs to be fixed. Another is to consider an attack's impact by measuring how long the system was down, what type of information was stolen and what resources are required to recover from the incident. Finally, share information and coordination methods to help your team and others handle major incidents."

The Recommendations

The guide advises organizations to:

  1. Reduce the frequency of incidents by effectively securing networks, systems and applications.
  2. Document their guidelines for interactions with other organizations regarding incidents. Because these communications often need to occur quickly, organizations should predetermine communication guidelines so that only the appropriate information is shared with the right parties.
  3. Be generally prepared to handle any incident, but focus on being prepared to handle incidents that use the most common attack vectors. Incidents can occur in countless ways, so it's not feasible to develop step-by-step instructions for handling every incident.
  4. Emphasize the importance of incident detection and analysis throughout the organization. Millions of possible signs of incidents may occur each day so automation is needed to perform an initial analysis of the data and select events of interest for review.
  5. Create written guidelines for prioritizing incidents. Incidents should be prioritized based on relevant factors, such as the functional impact of the incident (e.g., current and likely future negative impact to business functions), the information impact of the incident (e.g., effect on the confidentiality, integrity and availability of the organization's information) and the recoverability from the incident (e.g., the time and types of resources that must be spent on recovering from the incident).
  6. Use the lessons learned process to gain value from incidents. After a major incident has been handled, the organization should hold a lessons-learned meeting to review the effectiveness of the incident handling process and identify necessary improvements to existing security controls and practices. 

NIST says the guidelines can be followed independently of particular hardware platforms, operating systems, protocols or applications organizations use.
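As an added example (not from NIST or the original post), here is a Python sketch of the written prioritization guideline that recommendation 5 above calls for: each incident is rated on functional impact, information impact and recoverability, using the category names from SP 800-61 Rev. 2's impact tables, and the queue is ordered by the resulting score. The numeric weights, the priority bands and the sample incidents are this example's assumptions, standing in for an organization's own guideline.

```python
# Added example, not from NIST or the original post. Category names follow the
# functional impact, information impact and recoverability tables in SP 800-61
# Rev. 2; the numeric weights and the priority cut-offs are this example's
# assumptions, standing in for an organization's own written guideline.
from dataclasses import dataclass

FUNCTIONAL = {"None": 0, "Low": 1, "Medium": 2, "High": 3}
INFORMATION = {"None": 0, "Privacy Breach": 2, "Proprietary Breach": 2, "Integrity Loss": 3}
RECOVERABILITY = {"Regular": 0, "Supplemented": 1, "Extended": 2, "Not Recoverable": 3}

# Assumed cut-offs on the summed score, highest priority first.
PRIORITY_BANDS = [(7, "P1"), (4, "P2"), (2, "P3"), (0, "P4")]


@dataclass(frozen=True)
class Incident:
    ident: str
    functional: str      # current and likely future impact on business functions
    information: str     # effect on confidentiality, integrity and availability
    recoverability: str  # time and resources needed to recover

    def score(self) -> int:
        """Sum the three factor weights; unknown categories are rejected."""
        try:
            return (FUNCTIONAL[self.functional] + INFORMATION[self.information]
                    + RECOVERABILITY[self.recoverability])
        except KeyError as exc:
            raise ValueError(f"{self.ident}: unknown category {exc}") from None

    def priority(self) -> str:
        """Map the score onto a priority band (P1 is the most urgent)."""
        s = self.score()
        return next(label for floor, label in PRIORITY_BANDS if s >= floor)


def triage(incidents):
    """Order the queue: highest score first, ties broken by least recoverable."""
    return sorted(incidents,
                  key=lambda i: (i.score(), RECOVERABILITY[i.recoverability]),
                  reverse=True)


# Constructed sample queue, for illustration only.
QUEUE = [
    Incident("INC-1", "Low", "None", "Regular"),                    # adware on one laptop
    Incident("INC-2", "High", "Privacy Breach", "Extended"),        # customer records exfiltrated
    Incident("INC-3", "Medium", "Integrity Loss", "Supplemented"),  # tampered build server
]
```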