13 May

WannaCry Ransomware & Mitigation Steps

A major cyberattack took place this past week. The attack impacted organizations in over 100 countries, including the British National Health Service, FedEx, the Spanish telecom company Telefónica, and multiple universities in Asia.

The culprit is the WannaCry ransomware worm. Early reports attributed the initial infection to malicious email attachments, though this was never confirmed. However it first enters, once the malware is running it needs no further user interaction: it scans for other hosts reachable over SMB (TCP port 445) and infects them directly, which is what makes it a worm rather than ordinary ransomware.

The malware leverages EternalBlue, a leaked exploit developed by the NSA. EternalBlue targets a remote code execution vulnerability in the Windows SMBv1 server (CVE-2017-0144): a specially crafted packet sent to port 445 lets an unauthenticated attacker run code on the target, so every reachable, unpatched Windows host is a candidate victim.

Microsoft patched the vulnerability in March 2017 (security bulletin MS17-010), roughly two months before the outbreak; however, organizations behind on patch management will remain exposed to this malware and to anything else that leverages EternalBlue.

Potential Mitigation Steps:

  • Patch Management: Implement an emergency patch program and ensure that all Windows systems are receiving security patches from Microsoft and other vendors on a frequent basis. The patch that fixes the EternalBlue vulnerability is MS17-010; verify it is actually installed on each host rather than assuming the deployment tool succeeded.
  • Host-Based Firewalls: Apply firewall rules at the host level (i.e. Windows Firewall) that block unnecessary system-to-system communication, making it harder for worms to propagate. For WannaCry specifically, block inbound TCP 445 on workstations, which almost never need to serve file shares. Disable SMBv1 as well: the exploit targets only that dialect, and SMBv2/3 clients keep working without it.
  • Network Segmentation: Properly segment networks and apply routing and firewall rules that create security zones within your network, limiting malware to the segment in which it was introduced. Blocking SMB (TCP 445) between user segments, and from the internet entirely, removes the worm's path.
  • Use Supported Operating Systems: Ensure all operating systems currently run by the organization are receiving ongoing security patches from the vendor (e.g. Windows XP and Server 2003 are no longer supported and normally receive no security updates; Microsoft made a one-off exception and released MS17-010 patches for them on May 13, 2017, which should be applied immediately while those systems are retired).
  • Properly Manage Backups: Verify that backups are not stored only on network-attached shares that a worm can reach (and encrypt along with everything else). Keep at least one copy offline or otherwise not writable from production hosts, and test a restore: an untested backup is a hope, not a control.
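The host-level checks above, pulled together as an added PowerShell example (this is not code from the original post or from Microsoft). It reports whether an MS17-010 package is present, whether SMBv1 is on, and whether the host is listening on 445, then disables SMBv1 and blocks inbound 445. Assumptions, labelled in the comments: it runs elevated on Windows 8/Server 2012 or later, and the KB numbers are an illustrative subset of the MS17-010 packages that must be confirmed against the bulletin for each OS build.

```powershell
# Added example, not part of the original post: triage one Windows host for WannaCry
# exposure and close the SMB door. Run in an elevated session on Windows 8/Server 2012 or
# later (needs the Smb* and NetSecurity cmdlets). ASSUMPTION: the KB list below is an
# illustrative subset of the MS17-010 packages; confirm the right package for each OS build
# against the bulletin before treating "not found" as "unpatched".

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215'   # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216'   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'   # Server 2012
    'KB4013429'                # Windows 10 1607 / Server 2016 cumulative
)

function Test-Ms17010Patched {
    # True if any listed MS17-010 package is present. False is a strong signal, not proof:
    # on Windows 10 a later cumulative update supersedes the KB listed here.
    $installed = (Get-HotFix).HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    $found.Count -gt 0
}

function Get-Smb1State {
    # EternalBlue targets the SMBv1 dialect only; SMBv2/3 are unaffected.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn off the SMBv1 server. Clients speaking SMBv2/3 are unaffected; anything that still
    # needs SMBv1 (very old NAS boxes, scanners) shows up as a broken share, which is the point.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On Windows 8.1/10 the whole feature can also be removed (reboot required):
    # Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Block-InboundSmb {
    # Workstations almost never need to *serve* SMB. Blocking inbound TCP 445 stops the worm
    # reaching this host; outbound access to file servers keeps working. Block rules beat
    # allow rules in Windows Firewall, so scope the block with -RemoteAddress rather than
    # adding an allow rule for trusted subnets.
    param([string[]] $BlockFrom = @('Any'))
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (WannaCry)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress $BlockFrom -Action Block -Profile Any | Out-Null
}

function Get-WannaCryExposure {
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        Ms17010Found  = Test-Ms17010Patched
        Smb1Enabled   = Get-Smb1State
        Port445Listen = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

# Report, then remediate whatever is exposed
$exposure = Get-WannaCryExposure
$exposure | Format-List
if ($exposure.Smb1Enabled)       { Disable-Smb1 }
if ($exposure.Port445Listen)     { Block-InboundSmb }
if (-not $exposure.Ms17010Found) { Write-Warning "No MS17-010 package found on $($exposure.Host); patch before reconnecting." }
```

Run it through your endpoint management tool rather than by hand so every host produces the same four fields. For a network-side view, the nmap script smb-vuln-ms17-010 probes a host for the vulnerability without exploiting it, which is a useful cross-check against what the patch tool claims.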


22 Feb

How a Better IT Risk Assessment May Change Your Thoughts on the Traditional Gap Analysis

Does your company perform a risk assessment? If you said yes, what did you mean by “risk assessment”?

I ask because often when people say “risk assessment” they are thinking “gap analysis”. As an IT auditor sometimes our instinct is to select our favorite security framework (probably ISO 27001 or NIST 800-53) and begin identifying gaps in the control environment.

Even when we have “great” audit findings, often we don’t have the context to make meaningful recommendations in a business context. That’s because we need to re-think the definition of risk assessment. (For further reading, Norman Marks provides a great Internal Audit perspective and the Department of Health and Human Services discusses risk analysis in detail as related to HIPAA.)

When is the last time you suggested a $1,000,000 solution for a $100 problem? 

A better risk assessment process begins with context and starts several steps before the gap analysis begins. A well designed risk assessment should drive what level of control is appropriate based on quantified risk and the Company’s risk tolerance. This also gives auditors the tools to make better recommendations.

Here are three things you may want to consider as part of your risk assessment tool belt:

First, consider the context. Are there known external threats or internal vulnerabilities specific to your organization? Are there important corporate initiatives that drive business success? Do these factors impact some systems or business units differently than others? How do these facts impact the Company’s risk tolerance and the level of controls required to reduce risk to an acceptable level?

Second, consider the business side of the equation (often called people, processes, and technology). Are there business functions that impact the Company’s ability to earn revenue or that drive profits? How are these business processes supported by technology? What is the appropriate level of control for these systems and processes? Which systems merit a more thorough assessment than others?

Third, inventory your digital assets. What are your “crown jewels” and where do they live (in which applications)? For example, where does your Company store mission-critical data, and where is private employee and customer data? This information will help an assessor make a more accurate judgement when recommending the depth of controls necessary to secure a system.

As IT auditors and risk management professionals we should re-think what we call a “risk assessment” and how appropriate consideration of risk will drive future audits and gap analysis.

If you want more information on risk management and risk assessment you may consider reading ISO 27005 or NIST 800-30.

For more information from the risk3sixty team on how to assess, quantify, and visualize IT related risk contact us.

14 Feb

Developing an IT Audit & Security Plan for Microsoft Office 365

Our team was recently tasked with developing an audit plan for Microsoft Office 365. While there are plenty of tools available to assist organizations with performing ongoing audits of user privileges and object permissions in Microsoft Office 365, we were hard pressed to find any solid thought leadership on auditing Office 365 beyond user and object permissions.

It almost appears that because Office 365 is a cloud solution, many organizations assume much of the risk surrounding the platform is transferred to Microsoft. After digging into the product with a few of our clients and assessing how the product integrates into their business operations, our risk assessment identified a few areas of concern where the Internal IT Audit department can add great value to the organization.

Identifying Control Objectives for an Office 365 Internal IT Audit Plan

Control Objective 1:

In regards to Office 365 and the business needs it addresses in the organization, what is the first thing we should care about? For starters,

  • We care that the platform was set up correctly in the first place!
  • We care that we are not going to/did not lose any data during the migration process.
  • We care that data was not corrupted, lost or stolen during the migration (integrity and confidentiality).
  • We care that proper oversight was given to the entire process.
  • We care that people are properly trained and aware of any changes to security or operating procedures in relation to the new system.

This resulted in our first Control Objective sounding something like the following:

CO1: The Office 365 Migration was appropriately planned, managed, and controlled to ensure data integrity, data confidentiality, and availability of services.

Control Objective 2:

Now that we have thought through risks surrounding the implementation of Office 365, what do we care about next? We think Logical Access is a logical next Control Objective.

In regards to Logical Access surrounding management of the system,

  • We care about the process of granting and approving users access and provisioning new users in O365.
  • We care about the process of making sure terminated-user procedures remove user access in O365 in a timely fashion (a change made in on-premises AD only reaches Azure AD on the next sync cycle, which is every 30 minutes by default for Azure AD Connect, and never if the object is outside the sync scope, so verify on the cloud side rather than assuming).
  • We care about the automation processes and infrastructure in place to assure that the on-premises AD and Azure AD instances are properly syncing.
  • We care about the level of admin rights an Admin has in O365 (due to the varied nature of admin functions in O365, admin rights need to be properly delegated based on need).

Our second control objective reads like this:

CO2: Logical Access: Controls provide assurance that access to Office 365 resources is appropriate.

Control Objective 3:

Next, our risk assessment revealed that a lot of things can go wrong when running on-premises AD and Exchange Server in conjunction with Office 365. Misconfiguration of the sync tools can cause availability and licensing issues, and poorly managed user objects in the on-premises AD find their way into the Azure AD instance, among other problems.

Some of the things we care about include:

  • We care about proper user object attributes (UPN, proxy addresses and the like) and adherence to Microsoft guidance so that objects replicate correctly to Azure AD.
  • We care about the proper configuration of Active Directory Federation Services (AD FS), which handles sign-in for federated domains.
  • We care about the proper configuration of Azure AD Connect (or the older DirSync tool).
  • We care about proper management of user objects in the on-premises AD to ensure proper replication to Azure AD.
  • We care about proper vaulting/remote journaling/retention of user data both during and after employment.

Our third Control Objective reads like this:

CO3: Controls provide assurance that Office 365 is properly configured to ensure appropriate and efficient management of Office 365 licenses, availability of data and continuation of service.
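The evidence an auditor would pull for CO2 (who holds admin roles, which leavers still have a live cloud identity) and CO3 (whether directory sync is actually running), as an added PowerShell example that is not code from the original post or from Microsoft. It assumes the 2017-era MSOnline module (Connect-MsolService) and the ActiveDirectory RSAT module are installed; $MaxSyncAgeMinutes and the leavers OU in $TermSearchBase are placeholders to set for your environment, and the 30-minute figure is Azure AD Connect's default interval, not necessarily your tenant's.

```powershell
# Added example, not part of the original post. Assumptions: MSOnline and ActiveDirectory
# modules are installed; $TermSearchBase and $MaxSyncAgeMinutes are placeholders.
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService            # prompts for a credential with directory read rights

$MaxSyncAgeMinutes = 60        # two missed default 30-minute cycles: investigate
$TermSearchBase    = 'OU=Disabled Users,DC=corp,DC=example'   # placeholder leavers OU

function Get-O365AdminRoleMembers {
    # CO2: every member of every directory role, so privilege can be reviewed against need.
    # 'Company Administrator' is the Global Administrator role in MSOnline naming.
    foreach ($role in Get-MsolRole) {
        Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
            Select-Object @{ n = 'Role'; e = { $role.Name } }, DisplayName, EmailAddress, RoleMemberType
    }
}

function Get-LeaversStillActiveInO365 {
    # CO2: accounts disabled on premises whose cloud identity can still sign in. Disabling in
    # AD only blocks the cloud sign-in after the next sync cycle, and only if the object is in
    # scope for sync, so the check is made against the cloud side directly.
    $onPremDisabled = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $TermSearchBase -Properties UserPrincipalName
    $cloudByUpn = @{}
    foreach ($u in (Get-MsolUser -All | Where-Object { -not $_.BlockCredential })) {
        $cloudByUpn[$u.UserPrincipalName] = $u
    }
    foreach ($u in $onPremDisabled) {
        if ($cloudByUpn.ContainsKey($u.UserPrincipalName)) {
            $c = $cloudByUpn[$u.UserPrincipalName]
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                LastDirSyncTime   = $c.LastDirSyncTime   # null means the object never synced
                Licensed          = $c.IsLicensed        # licence still being paid for
            }
        }
    }
}

function Test-DirSyncHealth {
    # CO3: tenant-level last sync time. A stale value means provisioning and deprovisioning
    # changes are not reaching Azure AD at all, whatever the on-premises side looks like.
    $info = Get-MsolCompanyInformation
    $age  = (Get-Date).ToUniversalTime() - $info.LastDirSyncTime
    [pscustomobject]@{
        DirSyncEnabled   = $info.DirectorySynchronizationEnabled
        LastDirSyncUtc   = $info.LastDirSyncTime
        MinutesSinceSync = [int] $age.TotalMinutes
        Healthy          = $info.DirectorySynchronizationEnabled -and ($age.TotalMinutes -le $MaxSyncAgeMinutes)
    }
}

Get-O365AdminRoleMembers     | Sort-Object Role | Format-Table -AutoSize
Get-LeaversStillActiveInO365 | Format-Table -AutoSize
Test-DirSyncHealth
```

Export the three outputs with the run date and keep them as the audit evidence; rerunning the leavers check a day after a known termination is the cleanest test that the deprovisioning control works end to end.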

Control Objective 4:

Finally, we decided that we care a lot about assessing the implementation of any Office 365 security and confidentiality tools and making sure these are implemented in accordance with company policy, but also try to gain assurance the tools are operating effectively.

Some things we care about in this Control Objective include:

  • Assessment of company policy to identify company requirements for securing data and verify controls are in place to address the policy requirements.
  • Assessment of the configuration settings for Office 365 data security and encryption tools such as S/MIME, Office 365 Message Encryption, Active Directory Rights Management Services (AD RMS) or Azure RMS, and the built-in anti-malware and Data Loss Prevention tools.

Our fourth Control Objective reads like this:

CO4: Data Encryption and Security controls provide assurance that data within Office 365 Exchange is controlled in accordance with the organization’s data classification policy.

Conclusion:

We have had a ton of positive reception while developing this program! As we continue to see more environments and learn more about Office 365 and the concerns on executive’s minds, we will continue to build out our program.

If your organization needs help assessing your Office 365 environment or you have some wisdom to share that might help us improve our program, please send us a message on our Contact Page or in the comments below.

06 Feb

Prominent Fortune 500 Technology Executive and Entrepreneur, Robin Bienfait, Joins risk3sixty LLC Advisory Board

Our team is very excited to announce that Robin Bienfait has joined the risk3sixty advisory board.

Background
Two years ago we had the pleasure of meeting Robin at Georgia Tech where she was giving a presentation on technology, innovation, and leadership. Since then we have exchanged many ideas about the future of entrepreneurship, technology, information security, and technology risk management. After dozens of great conversations it became clear to us that Robin’s experience as a technology/innovation executive and passion for helping entrepreneurs succeed would be invaluable to our team.

Going forward Robin will be working with our team to provide strategic direction as we further grow our information security, compliance, and technology risk management tools and services. She will also continue to challenge our executive team to run a great business where people want to come to work.

About Robin
Presently the Chief Executive Officer and Founder of Emnovate, Robin previously excelled in executive and c-suite-level positions for Samsung Electronics, BlackBerry and AT&T. Her roles have included Chief Enterprise Innovation Officer at Samsung Electronics, Chief Information Officer / Chief Technology Officer / Chief Information Security Officer for BlackBerry, and Chief Compliance Officer at AT&T.

Robin holds 15 patents and has served on the advisory boards of Cisco and Hewlett Packard. She is an active innovator and engineer with a master’s degree in technology management from Georgia Tech. Robin is also a partner with Valor Ventures, Georgia’s first women-owned venture capital firm.

Read Robin’s full profile.

About risk3sixty
We are an Atlanta-based Technology Risk Management (TRM) firm focused on IT audit, risk, and compliance consulting and software solutions. Risk3sixty’s management-level consulting team leverages deep industry experience and unique technology solutions to enhance risk visibility, reduce the burdens of compliance, and create actionable programs which enable executives and their management teams to make better decisions.

Read more about Our Company.

30 Jan

Symantec, Illegitimate Certificates & Why We Should Care

In 2015, Symantec was caught issuing certificates it had no authority to issue, which could be used to break HTTPS and put internet users at risk. Some of the improperly issued certificates were for Google-owned domains and, if used maliciously, would have allowed impersonation of HTTPS-protected Google websites.

Understandably, Google was very upset and responded by requiring Symantec to publicly log every certificate it issues (in Certificate Transparency logs) for scrutiny by the security community; otherwise Google threatened to retool its popular web browser, Google Chrome, to flag all Symantec-issued certificates as potentially unsafe. This would undoubtedly lead many websites to drop Symantec for another Certificate Authority.

Nearly a year and a half after Symantec’s transgressions, it appears the popular Certificate Authority is at it once again, caught issuing 108 certificates in violation of the strict industry guidelines for issuing certificates.

Google Chrome's Certificate Error Alert

Understanding Why Any of This Matters

The internet was not designed with security in mind. Before the development of secure transmission protocols, all data passed back and forth between users and websites unencrypted, readable by any third party able to intercept it (similar in nature to a wiretap on a telephone line).

To ensure both the confidentiality and integrity of data passing between an end user and a website, encryption is necessary, but encrypting the data is not enough. There must also be a way to authenticate that the website you wish to create a secure connection with is who it says it is; otherwise you may have an encrypted connection to an impostor. The need to authenticate the identity of websites to end users is the main reason Certificate Authorities are so important.

A Quick Overview of How the Authentication Process Works

A certificate binds a public key to an identity. At a minimum, the certificate offers Domain Validation, but some organizations may opt for further authentication of their identity on the web and obtain Organization Validation or, further still, Extended Validation. (Read more about the differences between certificate types here.)

Domain Validation is quick and typically an automated process, but for an organization to obtain Organization Validation or Extended Validation, the Certificate Authority is expected to perform additional investigation into the organization requesting the certificate, verifying identity with both the requester and independent third parties. Once verified, the Certificate Authority signs the certificate with a private key that only the Certificate Authority should hold, so no one without that key can produce a certificate browsers will accept as coming from that CA. The weak point is therefore the CA’s own issuance process: a validly signed certificate for a name the CA never verified is indistinguishable, to a browser, from a legitimate one.

Organization VS Extended Validation Certificate Comparison

Intrinsic Trust of Certificate Authorities and the ‘Web of Trust’

Our computers and smartphones ship preconfigured to trust any certificate that chains to one of a long list of root Certificate Authorities. Industry practice requires an organization acting as a public Certificate Authority to pass a WebTrust for CAs audit and to follow the CA/Browser Forum Baseline Requirements, which include verifying that the requester controls the domain (and, for OV and EV, the organization’s identity) before a certificate is issued. This hierarchy, from trusted root through intermediate CA to the website’s certificate, is referred to as the chain of trust. (The term “Web of Trust” properly refers to PGP’s decentralized model, in which users vouch for one another’s keys without any central authority.)

Intrinsically Trusted Certificates in Windows 10

Symantec Broke the Chain of Trust

When Symantec issued certificates for Google-owned websites that Google never authorized, Symantec broke the chain of trust. A malicious entity holding one of these certificates, together with a way to intercept traffic, could stand up a forged site that looks identical to a legitimate Google site, and our computers would accept it as genuine, because the certificate chains to a trusted root. Only something outside the chain check, such as key pinning in the browser or someone monitoring Certificate Transparency logs for unexpected certificates, catches this.
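What “preconfigured to trust” looks like on a Windows machine, as an added PowerShell example that is not code from the original post. It lists the roots in the machine store (flagging the Symantec-family brands the post discusses), compares the store against an approved baseline so that a root somebody added can be spotted, and builds the chain for a certificate to show which root it terminates on and whether Windows considers it valid. The brand name pattern, the baseline file name and the choice of certificate to chain are assumptions for illustration.

```powershell
# Added example, not part of the original post: audit the roots this Windows machine trusts
# implicitly and build the chain for a certificate to see which root it lands on.
# ASSUMPTIONS: Windows PowerShell 5.1 or later; $SymantecFamily, roots-baseline.txt and the
# certificate chosen at the end are placeholders to replace with your own.

# Brands Symantec operated as a CA (name pattern is an assumption, adjust to taste)
$SymantecFamily = 'Symantec|VeriSign|GeoTrust|Thawte'

function Get-TrustedRoots {
    # Every certificate in this store is trusted without further checks by Windows and by
    # browsers that use the OS store (Edge, IE, Chrome on Windows).
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object Subject, Issuer, Thumbprint, NotAfter,
            @{ n = 'SymantecFamily'; e = { $_.Subject -match $SymantecFamily } }
}

function Get-UnexpectedRoots {
    # Compare the live store with an approved baseline of thumbprints. Anything not on the
    # baseline was added by an admin, a product install, or an attacker, and deserves a look.
    param([string[]] $BaselineThumbprints)
    Get-TrustedRoots | Where-Object { $BaselineThumbprints -notcontains $_.Thumbprint }
}

function Test-CertChain {
    # Build the chain for a certificate and report where it terminates and any errors.
    # A chain that ends on a root in Cert:\LocalMachine\Root is all a client requires;
    # nothing here asks whether the CA should have issued the certificate in the first place.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline demo; use 'Online' in production
    $ok   = $chain.Build($Certificate)
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Valid   = $ok
        Root    = $last.Subject
        Errors  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# 1. Which Symantec-family roots does this machine trust, and until when?
Get-TrustedRoots | Where-Object SymantecFamily | Format-Table Subject, NotAfter -AutoSize

# 2. Roots that are not on the approved list. Create the baseline once on a known-good build:
#    (Get-TrustedRoots).Thumbprint | Set-Content roots-baseline.txt
$baseline = Get-Content .\roots-baseline.txt -ErrorAction SilentlyContinue
if ($baseline) { Get-UnexpectedRoots -BaselineThumbprints $baseline | Format-Table Subject, Thumbprint }

# 3. Chain the first certificate in the machine's personal store (placeholder choice)
Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1 | ForEach-Object { Test-CertChain $_ }
```

The point of step 3 is the Valid column: it is True for any certificate that chains to any root in the store, which is exactly why a mis-issued certificate from a trusted CA is indistinguishable from a legitimate one at the client, and why the roots in step 1 and the unexpected entries in step 2 are worth reviewing.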

It will be interesting to see how the industry responds to the latest careless behavior by Symantec. It might be possible that Google and the other browser publishers respond by warning users anytime they visit a site with a certificate published by Symantec, which would definitely hurt the organization’s business.

Please leave any questions, comments or corrections you might have!

04 Jan

We Started a Business – Our IT Audit Blog is Still Going Strong

This update is long overdue, but we started a business!

After two years of blog posts we decided to take the leap and make risk3sixty a full-fledged consulting company, focusing specifically on world-class IT Audit, Cyber Risk, and Compliance PMO services.

After talking to many of our clients and colleagues we realized the world wants a boutique consulting firm like risk3sixty. As one of our clients put it: a firm that “possesses a unique balance of technical, business, interpersonal and leadership skills who are customer focused, value conscious, strategically minded, and capable of delivering results that make a positive difference.” (Check out our Value Proposition)

Right now we are focused on hiring the best manager-to-partner level candidates we can find and on growing the Atlanta market, but we have (and love) clients all over the US and abroad. In general our strategy is to hire the best manager-level-and-above consultants in our network and give them the tools and resources to over-serve our clients. We think this is a pretty big departure from the traditional CPA and consulting firm model, one that will make both our clients and team-mates happier.

What about the Blog?

Although we are consulting for ourselves full-time these days our blog is still alive and well. In fact, our goal is to increase the number of quality blog posts including posts from our team members with expertise in a wide range of IT Audit, Security, and Risk related topics.

We promise not to spam you with a sales pitch or clickbait. Our content will remain relevant and hopefully provide even better reading material to people in our industry. Going forward you should still see at least one post per week and as always, we welcome your comments, suggestions, and feedback.

04 Nov

The Future of IoT Security

Required Reading:
1) IoT Growing Faster Than the Ability to Defend it
2) DDoS on DYN Impacts Twitter, Spotify, Reddit

Until recently the security concerns associated with IoT devices have been mostly speculative. It’s easy to ignore how a webcam or an inexpensive gadget might be a cyber-security concern. Most people don’t think in terms of security.

For me this is part of what makes the IoT space interesting. Consider what’s happening: 1) The number of internet connected devices is exploding, 2) Most of these devices have little or no security, and 3) There’s no obvious reason to fix these security problems. What we’re left with is a problem that is only going to get bigger and evolve over time.

As IoT-type devices find their way into hospitals, homes, and the personal lives of users there is no question security concerns will become more potent; however, at that point will it be too late? Is there a proactive approach to IoT security we should consider, or will it get worse before it gets better?

05 Sep

Items of Interest week of September 5, 2016

Here are some quick reads for the week of September 5, 2016. If you have interesting links of your own share them in the comments.

Thoughts on CISOs and IT Governance

“CISO” is still a relatively new executive role and it seems like most companies are still trying to figure out who or what constitutes an effective Chief Information Security Officer. As it stands, it seems like the title CISO falls somewhere between Director of IT and Chief Compliance Officer for most organizations. But instead of being empowered this ambiguity blurs the line of authority and ownership and makes it difficult to run an effective security organization.

I think the roles and responsibilities of a CISO will vary, for the time being, based on an organization’s need and maturity, but regardless of how an organization decides to brand the title CISO the role has to be clearly defined and clear lines of authority established.

I’ve seen a number of organizations hire a CISO with the misconception that one person can make all security and compliance problems disappear, but that’s just not the case. If we’re going to get serious about security the entire leadership has to buy-in (and that includes with budgets). Security has to be a sustainable business process – not a fire to be put out (which is the current climate at many organizations).

Look no further than the number of jobs most CISOs have held in the past 5 years. Average tenure for a CISO hovers somewhere around 17 months across almost all organizations. That fact alone points to something interesting and problematic in the world of information security.

02 Sep

IT Risk Assessment: Effective Identification and Selection of IT Audit Projects (Whitepaper)


Over the past few months I’ve had several leaders of Internal Audit departments ask: “How can we build cyber-security into our annual audit plan?”

After a few conversations I decided to put together a whitepaper to help the less-than-technical Chief Audit Executive (CAE) put together a well thought out IT Risk Assessment that helps identify and prioritize potential audit projects that tackle the subject of IT risk.

You can check out more of our whitepapers on our resources page. If you are looking for tips on effective IT Audit don’t forget to check out our Guide to IT Auditing.