Social Engineering

 

 

https://sm.asisonline.org/Pages/Avoiding-Breaches.aspxAvoiding BreachesGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-12-01T05:00:00Zhttps://adminsm.asisonline.org/pages/megan-gates.aspx, Megan Gates<p>​Three days after detecting a breach of its network that impacted almost 50 million accounts, Facebook notified users of the incident and explained how it acted to prevent the breach from spreading.</p><p>“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else,” wrote Facebook Vice President of Product Management Guy Rosen in a post on the social media company’s website. ​</p><div>“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Rosen explained. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.”</div><div><br></div><div>In response to the breach that took place on September 25, Facebook fixed the “View As” vulnerability, informed law enforcement, conducted a force logout for affected accounts, and displayed a notification for affected users when they logged back on. Rosen also said Facebook would conduct a full security review of the “View As” function.</div><div><br></div><div>“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Rosen said in his post. “We also don’t know who’s behind these attacks or where they’re based.”</div><div><br></div><div>After its initial investigation, Facebook determined that only 30 million accounts were impacted by the breach; almost half of those accounts had their names and contact information stolen from their Facebook profiles.</div><div><br></div><div>Facebook is not alone in experiencing a cyber breach in 2018. In the first 203 days of the year, there were 668 publicly disclosed U.S. data breaches—meaning that at that rate, more than 1,200 breaches will have occurred in 2018.</div><div><br></div><div>There are roughly 18,000 companies in the United States. By the end of the year, nearly 17,000 of them will have avoided a data breach, according to a recent white paper from the SANS Institute, <em>Breach Avoidance: It Can Be Done, It Needs to Be Done.</em></div><div><br></div><div>“The bottom line is that breaches are not inevitable,” the white paper said. “There are proven techniques in use today by large and small companies with limited staff and budgets that can fend off or avoid most attacks and dramatically reduce the damage of attacks that do succeed.”</div><div><br></div><div>John Pescatore—director of emerging security trends at SANS and former lead security analyst at Gartner—says he was inspired to write the paper after NotPetya ransomware hit FedEx and Maersk, and caused $1 billion in damage between them. </div><div>Other competitors in their respective industries, Pescatore says, did not see similar damages because they were prepared for the possibility of a ransomware attack.</div><div><br></div><div>Focusing on these examples of organizations taking the right steps to be prepared is helpful for industry as a whole, he adds.</div><div>“There’s no shortage of coverage in the press when the planes crash or when the breaches happen, but we never get to hear: what are those people doing right to escape these things?” Pescatore says. “In particular, with breach avoidance, how did the people who succeeded in minimizing their damage or totally avoiding damage from these breaches that made the press, what were the common things they were doing?”</div><div><br></div><div>To find out, Pescatore spoke with CISOs and security directors around the globe that have avoided data breaches to learn about how they’re doing it. His research found that “organizations that emphasize proactive security efforts to reduce vulnerabilities in critical business assets are less likely to suffer major business damage than organizations that don’t have the skills and tools to prioritize and focus security efforts.”</div><div><br></div><div>The first step that organizations are taking to avoid data breaches is taking action in the first place—proactive actions to be specific.</div><div>As Pescatore wrote, people and software will always have vulnerabilities. But security professionals and their teams can take action through several best practices to reduce the risk of those vulnerabilities.</div><div><br></div><div>“By developing situational awareness (timely and accurate knowledge of what we need to protect, what vulnerabilities exist, and what real threats are active against those targets), and combining it with tools and techniques for prioritizing prevention and mitigation actions, security teams can quickly take actions to avoid the most damaging incidents and to exponentially reduce the business damage of unavoidable incidents,” the white paper explained.</div><div><br></div><div>However, this doesn’t mean that organizations should just purchase a bunch of security products to complete these actions because there is limited correlation between the amount spent on security and the level of damage caused by a security incident.</div><div><br></div><div>“Simply adding layers of security products increases complexity, requires security staff skills that are hard to find, and often results in more disruption to business operations than to attackers,” Pescatore wrote.</div><div><br></div><div>In an interview, he tells <em>Security Management</em> that the real differentiator for organizations that have avoided a security breach is that the people they did have were working on the most important things first—“which tended to mean they were ahead of the curve when the attacks actually happened.”</div><div><br></div><div>Helping organizations determine what actions to take to prevent and avoid breaches is using a cybersecurity framework designed to prioritize protecting the business, as opposed to focusing on compliance.</div><div><br></div><div>“Simply achieving compliance can avoid some level of fines, but it does not assure actual protection of business and customer information, nor has it even been shown to provide any legal cover or liability reduction if incidents do occur,” according to the white paper.</div><div><br></div><div>Instead, SANS recommends that organizations use cybersecurity frameworks to support business protection and risk reduction, such as the National Institute of Standards and Technology Cyber Security Framework, Center for Internet Security Critical Security Controls, PCI Data Security Standards Prioritization Guidelines, or the Health Information Trust Alliance Common Security Framework.</div><div><br></div><div>“The use of a cybersecurity framework that prioritizes actions and controls by business risk is key to focusing on what security processes and controls are the most important to avoid incidents that would disrupt business operations or expose customer information,” Pescatore wrote.</div><div><br></div><div>In addition to a framework, organizations that are successfully avoiding breaches are also instituting complete, accurate, and prioritized continuous monitoring of their systems. This also requires working with the business side of the organization to ensure that nothing is falling between the cracks. </div><div><br></div><div>“Security professionals need similarly fresh knowledge of business operations mapped to IT assets to ensure that current and accurate risk assessments cover all critical systems,” the white paper explained. </div><div><br></div><div>Once continuous monitoring is implemented, it’s likely to produce a high number of vulnerability alerts for security personnel to address. However, organizations that are avoiding breaches are prioritizing what alerts they address first based on the risk to the business that alert poses. </div><div><br></div><div>By doing this, security professionals can get more support across the organization for addressing vulnerabilities and taking action because the impact to the business is made clear. </div><div><br></div><div>“When vulnerabilities are mapped first against active threats that exploit those vulnerabilities and then by criticality to business operations, security teams have been able to justify the need to take immediate patching, reconfiguration, or shielding actions,” the white paper explained.</div><div><br></div><div>Additionally, organizations that are avoiding breaches are using playbooks to address incidents—much like physical security professionals use playbooks to walk through response to a fire in the facility or an active shooter.</div><div><br></div><div>These playbooks should recommend “mitigation and shielding steps based on asset criticality and threat classification” so that any security analyst can follow the instructions to reduce risk to the organization, the white paper said.</div><div><br></div><div>Playbooks should also be updated regularly to address changes in IT systems and software that the organization is using.</div><div><br></div><div>After organizations avoiding breaches have implemented these steps, they’re also keeping track of their security posture using metrics to communicate to the CIO, the CEO, and the board what the current risk landscape looks like and how the security team is poised to address it.</div><div><br></div><div>“The most effective security programs develop processes and methodologies to provide high-level views of risk that are understood by management even though they are derived from data that is used by both security and IT operations for tactical decision making,” according to the white paper.</div><div><br></div><div>To do this, SANS recommends security professionals track three main metrics: time to detect, time to respond, and time to restore.</div><div>“The three ‘time to’ metrics discussed above have proven critical to measuring and increasing the efficiency and effectiveness of a security operations center,” the white paper said. “Higher level metrics and measurements are needed to manage the overall security program, and for effective presentation to the C-suite and the board of directors.”</div><div><br></div><div>Effective communication with the board has been a priority for CISOs over the past year, Pescatore explains, because boards are looking for CISOs to bring them strategies to deal with risks to the business—not just what the risks are.</div><div><br></div><div>“Part of this is for CISOs to think through the business side of it—what possible risks have the biggest impact to the business and what are the strategies for removing those risks,” Pescatore says.</div><div><br></div><div>Examples of this in action that the white paper detailed include showing a decline in risk due to faster patching or shielding, improved cybersecurity hygiene, and improved focus on avoiding software vulnerabilities. </div><div><br></div><div>“Trend analysis of threats, vulnerabilities, and business impact allow CISOs to demonstrate success, as well as document lessons learned from failures, and support justification for the overall strategic cybersecurity approach and any necessary tactical actions,” the white paper said.</div><div><br></div><div>All of these factors coming together help organizations avoid cybersecurity  breaches, or—when they do occur—respond to them in a timely manner to reduce the overall impact to the business.</div><div><br></div><div>“What we always say in security is everybody who succeeds has found a way to mix people, processes, and technology,” Pescatore says. “People, processes, and technology, and being able to prioritize—it’s easy to say those things but to have that focus and the prioritization built in is the difference maker.”​</div><div><br></div>

Social Engineering

 

 

https://sm.asisonline.org/Pages/Avoiding-Breaches.aspx2018-12-01T05:00:00ZAvoiding Breaches
https://sm.asisonline.org/Pages/Release-the-Robots.aspx2018-11-01T04:00:00ZRelease the Robots
https://sm.asisonline.org/Pages/Artful-Manipulation.aspx2018-09-01T04:00:00ZArtful Manipulation
https://sm.asisonline.org/Pages/Attacks-on-the-Record.aspx2018-06-01T04:00:00ZAttacks on the Record
https://sm.asisonline.org/Pages/How-to-Hack-a-Human.aspx2018-01-01T05:00:00ZHow to Hack a Human
https://sm.asisonline.org/Pages/A-New-Social-World.aspx2017-12-01T05:00:00ZA New Social World
https://sm.asisonline.org/Pages/The-Internet-And-The-Future-of-Online-Trust.aspx2017-08-11T04:00:00ZThe Internet And The Future of Online Trust
https://sm.asisonline.org/Pages/DHS-Official-Says-Russia-Tried-to-Hack-21-States-in-2016-Election.aspx2017-06-21T04:00:00ZDHS Official Says Russia Tried to Hack 21 States in 2016 Election
https://sm.asisonline.org/Pages/Most-U.S.-Hospitals-Have-Not-Deployed-DMARC-To-Protect-Their-Email-Systems.aspx2017-06-16T04:00:00ZMost U.S. Hospitals Have Not Deployed DMARC To Protect Their Email Systems
https://sm.asisonline.org/Pages/Book-Review---Social-Media-Risk-and-Governance.aspx2016-11-01T04:00:00ZBook Review: Social Media Risk and Governance
https://sm.asisonline.org/Pages/Top-5-Hacks-From-Mr.-Robot.aspx2016-10-21T04:00:00ZThe Top Five Hacks From Mr. Robot—And How You Can Prevent Them
https://sm.asisonline.org/Pages/Spoofing-the-CEO.aspx2016-10-01T04:00:00ZSpoofing the CEO
https://sm.asisonline.org/Pages/Book-Review---Cybervetting.aspx2016-05-01T04:00:00ZBook Review: Cybervetting
https://sm.asisonline.org/Pages/How-to-Protect-PII.aspx2016-02-16T05:00:00ZHow to Protect PII
https://sm.asisonline.org/Pages/Smart-and-Secure.aspx2016-01-19T05:00:00ZSmart and Secure
https://sm.asisonline.org/Pages/Book-Review---Social-Crime.aspx2016-01-04T05:00:00ZBook Review: Social Crime
https://sm.asisonline.org/Pages/Book-Review---Online-Risk.aspx2015-12-01T05:00:00ZBook Review: Online Risk
https://sm.asisonline.org/Pages/La-Revolución-del-Internet-de-las-Cosas.aspx2015-11-12T05:00:00ZLa Revolución del Internet de las Cosas
https://sm.asisonline.org/Pages/The-IOT-Revolution.aspx2015-10-26T04:00:00ZThe IOT Revolution
https://sm.asisonline.org/Pages/Teach-a-Man-to-Phish.aspx2015-09-09T04:00:00ZTeach a Man to Phish

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/How-to-Hack-a-Human.aspxHow to Hack a Human<p>​It all started innocuously with a Facebook friend request from an attractive woman named Mia Ash. Once her request was accepted, she struck up a conversation about various topics and showed interest in her new friend's work as a cybersecurity expert at one of the world's largest accounting firms.</p><p>Then, one day Mia shared her dream—to start her own company. She had one problem, though; she did not have a website and did not know how to create one. Surely her new friend could use his expertise to help her achieve her dreams by helping her make one? </p><p>Mia said she could send him some text to include on the new site. He agreed, and when he received a file from Mia he opened it—on his work computer. That simple act launched a malware attack against his company resulting in a significant compromise of sensitive data.</p><p>Mia was not a real person, but a care- fully crafted online persona created by a prolific group of Iranian hackers—known as Oilrig—to help this elaborate spear phishing operation succeed. </p><p>Due to his role in cybersecurity, the target was unlikely to have fallen for a standard phishing attack, or even a normal spear phishing operation. He was too well trained for that. But nobody had prepared him for a virtual honey trap, and he fell for the scheme without hesitation.</p><p>This case is a vivid reminder that when cybersecurity measures become difficult to penetrate by technical means, people become the weakest link in a cybersecurity system. It also illustrates how other intelligence tools can be employed to help facilitate cyber espionage.</p><p>While many hackers are merely looking to exploit whatever they can for monetary gain, those engaging in cyber espionage are different. They are often either working directly for a state or large nonstate actor, or as a mercenary contracted by such an actor tasked with obtaining specific information.</p><p>This targeted information typically pertains to traditional espionage objectives, such as weapons systems specifications or the personal information of government employees—like that uncovered in the U.S. Office of Personnel Management hack. </p><p>The information can also be used to further nondefense-related economic objectives, such as China's research and design 863 program, which was created to boost innovation in high-tech sectors in China. </p><p>Given this distinction and context, it is important to understand that hacking operations are just one of the intelligence tools sophisticated cyber espionage actors possess. Hacking can frequently work in conjunction with other intelligence tools to make them more efficient.</p><p>Hacking into the social media accounts or cell phone of a person targeted for a human intelligence recruitment operation can provide a goldmine of information that can greatly assist those determining the best way to approach the target. </p><p>For instance, hacking into a defense contractor's email account could provide important information about the date, time, and place for the testing of a revolutionary new technology. This information could help an intelligence agency focus its satellite imagery, electronic surveillance, and other collection systems on the test site.</p><p>Conversely, intelligence tools can also be used to enable hacking operations. Simply put, if a sophisticated cyber espionage actor wants access to the information contained on a computer system badly enough, and cannot get in using traditional hacking methods, he or she will use other tools to get access to the targeted system. A recent case in Massachusetts illustrates this principle.</p><p>Medrobotics CEO Samuel Straface was leaving his office at about 7:30 p.m. one evening when he noticed a man sitting in a conference room in the medical technology company's secure area, working on what appeared to be three laptop computers.</p><p>Straface did not recognize the man as an employee or contractor, so he asked him what he was doing. The man replied that he had come to the conference room for a meeting with the company's European sales director. Straface informed him that the sales director had been out of the country for three weeks.</p><p>The man then said he was supposed to be meeting with Medrobotics' head of intellectual property. But Straface told him the department head did not have a meeting scheduled for that time. </p><p>Finally, the man claimed that he was there to meet the CEO. Straface then identified himself and more strongly confronted the intruder, who said he was Dong Liu—a lawyer doing patent work for a Chinese law firm. Liu showed Straface a LinkedIn profile that listed him as a senior partner and patent attorney with the law firm of Boss & Young. </p><p>Straface then called the police, who arrested Liu for trespassing and referred the case to the FBI. The Bureau then filed a criminal complaint in the U.S. District Court for the District of Massachusetts, charging Liu with one count of attempted theft of trade secrets and one count of attempted access to a computer without authorization. After his initial court appearance, Liu was ordered held pending trial.</p><p>Straface caught Liu while he was presumably attempting to hack into the company's Wi-Fi network. The password to the firm's guest network was posted on the wall in the conference room, and it is unclear how well it was isolated from the company's secure network. It was also unknown whether malware planted on the guest network could have affected the rest of the company's information technology infrastructure.</p><p>The fact that the Chinese dispatched Liu from Canada to Massachusetts to conduct a black bag job—an age-old intelligence tactic to covertly gain access to a facility—indicates that it had not been able to obtain the information it desired remotely.</p><p>China had clear interest in Medrobotics' proprietary information. Straface told FBI agents that companies from China had been attempting to develop a relationship with the company for about 10 years, according to the FBI affidavit. Straface said he had met with Chinese individuals on about six occasions, but ultimately had no interest in pursuing business with the Chinese.</p><p>Straface also noted that he had always met these individuals in Boston, and had never invited them to his company's headquarters in Raynham, Massachusetts. This decision shows that Straface was aware of Chinese interest in his company's intellectual property and the intent to purloin it. It also shows that he consciously attempted to limit the risk by keeping the individuals away from his facilities. Yet, despite this, they still managed to come to the headquarters.</p><p>Black bag attacks are not the only traditional espionage tool that can be employed to help facilitate a cyberattack. Human intelligence approaches can also be used. </p><p>In traditional espionage operations, hostile intelligence agencies have always targeted code clerks and others with access to communications systems. </p><p>Computer hackers have also targeted humans. Since the dawn of their craft, social engineering—a form of human intelligence—has been widely employed by hackers, such as the Mia Ash virtual honey trap that was part of an elaborate and extended social engineering operation.</p><p>But not all honey traps are virtual. If a sophisticated actor wants access to a system badly enough, he can easily employ a physical honey trap—a very effective way to target members of an IT department to get information from a company's computer system. This is because many of the lowest paid employees at companies—the entry level IT staff—are given access to the company's most valuable information with few internal controls in place to ensure they don't misuse their privileges.</p><p>Using the human intelligence approaches of MICE (money, ideology, compromise, or ego), it would be easy to recruit a member of most IT departments to serve as a spy inside the corporation. Such an agent could be a one-time mass downloader, like Chelsea Manning or Edward Snowden. </p><p>Or the agent could stay in place to serve as an advanced, persistent, internal threat. Most case officers prefer to have an agent who stays in place and provides information during a prolonged period of time, rather than a one-time event.</p><p>IT department personnel are not the only ones susceptible to such recruitment. There are a variety of ways a witting insider could help inject malware into a corporate system, while maintaining plausible deniability. Virtually any employee could be paid to provide his or her user ID and password, or to intentionally click on a phishing link or open a document that will launch malware into the corporate system. </p><p>An insider could also serve as a spotter agent within the company, pointing out potential targets for recruitment by directing his or her handler to employees with marital or financial issues, or an employee who is angry about being passed over for a promotion or choice assignment.</p><p>An inside source could also be valuable in helping design tailored phishing attacks. For instance, knowing that Bob sends Janet a spreadsheet with production data every day, and using past examples of those emails to know how Bob addresses her, would help a hacker fabricate a convincing phishing email.</p><p>Insider threats are not limited only to the recruitment of current employees. There have been many examples of the Chinese and Russians recruiting young college students and directing them to apply for jobs at companies or research institutions in which they have an interest.</p><p>In 2014, for instance, the FBI released a 28-minute video about Glenn Duffie Shriver—an American student in Shanghai who was paid by Chinese intelligence officers and convicted of trying to acquire U.S. defense secrets. The video was designed to warn U.S. students studying abroad about efforts to recruit them for espionage efforts.</p><p>Because of the common emphasis on the cyber aspect of cyber espionage—and the almost total disregard for the role of other espionage tools in facilitating cyberattacks—cyber espionage is often considered to be an information security problem that only technical personnel can address. </p><p>But in the true sense of the term, cyber espionage is a much broader threat that can emanate from many different sources. Therefore, the problem must be addressed in a holistic manner. </p><p>Chief information security officers need to work hand-in-glove with chief security officers, human resources, legal counsel, and others if they hope to protect the companies and departments in their charge. </p><p>When confronted by the threat of sophisticated cyber espionage actors who have a wide variety of tools at their disposal, employees must become a crucial part of their employers' defenses as well. </p><p>Many companies provide cybersecurity training that includes warnings about hacking methods, like phishing and social engineering, but very few provide training on how to spot traditional espionage threats and tactics. This frequently leaves most workers ill prepared to guard themselves against such methods. </p><p>Ultimately, thwarting a sophisticated enemy equipped with a wide array of espionage tools will be possible only with a better informed and more coordinated effort on the part of the entire company.  </p><h4>Sidebar: The Mice and Men Connection</h4><p> </p><p>The main espionage approaches that could be used to target an employee to provide information, network credentials, or to introduce malware can be explained using the KGB acronym of MICE.</p><p>M = Money. In many cases, this does equal cold, hard cash. But it can also include other gifts of financial value—travel, jewelry, vehicles, education, or jobs for family members. Historic examples of spies recruited using this hook include CIA officer Aldrich Ames and the Walker spy ring.</p><p>A recent example of a person recruited using this motivation was U.S. State Department employee Candace Claiborne, who the U.S. Department of Justice charged in March 2017 with receiving cash, electronics, and travel for herself from her Chinese Ministry of State Security handler, as well as free university education and housing for her son.</p><p>I = Ideology. This can include a person who has embraced an ideology such as communism, someone who rejects this ideology, or who otherwise opposes the actions and policies of his or her government.</p><p>Historical examples of this recruitment approach include the Cambridge five spy ring in the United Kingdom and the Rosenbergs, who stole nuclear weapons secrets for the Soviet Union while living in the United States.</p><p>One recent example of an ideologically motivated spy is Ana Montes, who was a senior U.S. Defense Intelligence Agency analyst recruited by the Cuban DGI, who appealed to her Puerto Rican heritage and U.S. policies toward Puerto Rico. Another ideologically motivated spy was Chelsea Manning, a U.S. Army private who stole thousands of classified documents and provided them to WikiLeaks.</p><p>C = Compromise. This can include a wide range of activities that can provide leverage over a person, such as affairs and other sexual indiscretions, black market currency transactions, and other illegal activity. It can also include other leverage that a government can use to place pressure on family members, like imprisoning them or threatening their livelihood.</p><p>Historic examples of this approach include U.S. Marine security guard Clayton Lonetree, who was snared by a Soviet sexual blackmail scheme—a honey trap—in Moscow, and FBI Special Agent James Smith who was compromised by a Chinese honey trap.</p><p>More recently, a Japanese foreign ministry communications officer hung himself in May 2004 after falling into a Chinese honey trap in Shanghai.</p><p>E = Ego. This approach often involves people who are disenchanted after being passed over for a promotion or choice assignment, those who believe they are smarter than everyone else and can get away with the crime, as well as those who do it for excitement.</p><p>Often, ego approaches involve one of the other elements, such as ego and money—"I deserve more money"—or ego and compromise—"I deserve a more attractive lover."</p><p>A recent example is the case of Boeing satellite engineer Gregory Justice, who passed stolen electronic files to an undercover FBI agent he believed was a Russian intelligence officer. While Justice took small sums of money for the information, he was primarily motivated by the excitement of being a spy like one of those in the television series The Americans, of which he was a fan.​</p><p>​<br></p><p><em><strong>Scott Stewart</strong> is vice president of tactical analysis at Stratfor.com and lead analyst for Stratfor Threat Lens, a product that helps corporate security professionals identify, measure, and mitigate risks that emerging threats pose to their people, assets, and interests around the globe.</em></p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Book-Review-Insider-Threats.aspxBook Review: Insider Threats<p>​Cornell University Press; cornellpress.cornell.edu; 216 pages; $89.95.</p><p>A collection of essays and case studies that originated in two workshops sponsored by the Global Nuclear Future Project of the American Academy of Arts and Sciences in 2011 and 2014, <em>Insider Threats</em> focuses on protecting the nuclear industry—but its lessons apply across many sectors.</p><p>The case studies are fascinating. A chapter devoted to the Fort Hood terrorist attack shows how changes in mission and procedures allowed information about the perpetrator to slip through the cracks. Instead of capturing warning signals, the systems scattered them. </p><p>Similar lessons were learned from the post–9/11 anthrax attacks in the United States. The author says that the suspect gained access to anthrax through “a complicated mix of evolving regulations, organizational culture, red flags ignored, and happenstance.”  </p><p>A real strength of this book is its root-cause analysis approach. Blame is rarely laid at the feet of incompetent people, but assigned to other factors like the unintended consequences of organizational design and known psychological tendencies. </p><p>The last chapter brings together all the lessons learned and cites 10 worst practices. For example, number seven is: “forget that insiders may know about security measures and how to work around them.” This chapter will be the most valuable to security practitioners because it offers a roadmap towards building an insider threat mitigation plan.</p><p><em>Insider Threats </em>is well-written, even literary. Its chief lesson: organizations are rarely designed to catch the insider, and much work needs to be done to protect them.</p><p><strong><em>Reviewer: Ross Johnson, CPP</em></strong><em>, is the senior manager of security and contingency planning for Capital Power, and infrastructure advisor for Awz Ventures. He previously worked as the security supervisor for an offshore oil drilling company in the Gulf of Mexico and overseas. Johnson is the author of Antiterrorism and Threat Response: Planning and Implementation.</em></p>GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/A-Professional-Path.aspxA Professional Path<p>​Until recently, security has been considered a trade, with practitioners fighting for proper standing in the institutions they protect. But the industry is now at a crossroads.</p><p>Before us lie two paths. One is a continuation of the status quo. We may continue to glide down this road, but it is not a self-determined path. It has been chosen for us because we have not clearly defined security’s role. Given this failure to self-define, security has traditionally been defined by others by the task it performs, such as information security, investigations, physical security, or executive protection. This type of definition diminishes the value of the security function; our role is more than just our allocated tasks.</p><p>The second road is one of self-determination and opportunity. It offers a chance for the industry to advance from a trade to a fully respected profession. On this road, we can take control of the dialogue, shape the conversation surrounding our field, and make our own way forward. As an industry—with ASIS taking the lead—we can keep advancing until security is considered a profession.</p><p>How can we advance on this second road? First we need a clear definition of the role of security in the private sector. We also need a core base of knowledge that supports our understanding of that role, which can be taught—not only to college students, but to transitioning personnel coming into our industry and to our hiring managers. There also needs to be an established expectation that practitioners will share this knowledge of security’s role and the core competencies associated with it. </p><p>ASIS International has already started defining this role through the concept of enterprise security risk management (ESRM). With its embrace of ESRM, ASIS has positioned our industry to travel down the road of opportunity and self-determination, with ESRM as the guiding principle to help chart our course.  </p><p>Not everyone in the industry is ready for this journey, however. For some who may have heard of the concept but still find it vague, questions remain. Primarily: What exactly is ESRM and why is it needed?</p><h4>What is ESRM?</h4><p>At its core, ESRM is the practice of managing a security program through the use of risk principles. It’s a philosophy of management that can be applied to any area of security and any task that is performed by security, such as physical, cyber, information, and investigations. </p><p>The practice of ESRM is guided by long-standing internationally established risk management principles. These principles consist of fundamental concepts: What’s the asset? What’s the risk? How should you mitigate that risk? How should you respond if a risk becomes realized? What is your process for recovering from an event if a breach happens? Collectively, these principles form a thoughtful paradigm that guides the risk management thought process.</p><p>When pursued, these questions elicit valuable information, and they can be asked of every security-related task. For instance, investigations, forensics, and crisis management are all different security functions, but when they are discussed within the ESRM framework they are simply different types of incident response. </p><p>Similarly, every function of physical and information security, such as password and access management, encryption, and CCTV, is simply considered a mitigation effort within the ESRM paradigm. These may seem to be merely semantic differences, but they are important nuances. When we define these functions within the ESRM paradigm, we also start to define the role we play in the overall enterprise.</p><p>ESRM elevates the level at which the role of security management is defined. Instead of defining this role at task level, it defines the role at the higher, overarching level of risk management.  </p><p>By raising the level of security’s role, ESRM brings it closer to the C-suite, where executives are considering much more than individual tasks. And by defining the role through risk principles, it better positions the security function within the business world at large. Business executives in all fields understand risk; they make risk decisions every day. Using ESRM principles to guide our practice solidifies our place within the language of business while also defining the role we play within the business.</p><p>For example, consider a company with a warehouse and a server. In the warehouse, security is protecting widgets and in the server, security is protecting data. Under the common risk principles, we ask: What are the risks to the widgets and data?  How would we protect against those risks? Who owns the widgets, and who owns the data? </p><p>We may decide to put access control and alarms on the warehouse or a password and encryption on the data. In both instances, we’re protecting against intrusion. The goal is the same—protection. For each task, the skill set is different, just like skill sets differ in any other aspect of security: investigations, disaster response, information technology. But the risk paradigm is the same for each.</p><h4>Why We Need It</h4><p>We need ESRM to move beyond the tasks that security managers and their teams are assigned. For instance, if you manage physical security, your team is the physical security team. If you do investigations, you are an investigator. If you manage information security, your team is the information security team. </p><p>But these tasks merely define the scope of responsibility. Our roles are broader than our assigned tasks. Our responsibilities should be viewed not as standalone tasks, but as related components within our roles as security risk managers.   </p><p>Having a clear, consistent, self-defined role provides significant benefits. First, it preempts others from defining our role for us in a way that fails to adequately capture and communicate our value. </p><p>Second, it helps better position ourselves in the C-suite. C-level executives often struggle with what security managers do, and where to align us. This is often reflected in the frustrations expressed in some of our own conversations about needing a proverbial seat at the table. In one sense, this exclusion may seem justified: if we can’t define our role beyond describing our tasks, why would upper management charge us with higher-level leadership and strategy?</p><p>Third, it provides guidance to our industry. Greater use of ESRM will provide an always-maturing common base of knowledge, with consistent terms of use and clear expectations for success.  </p><p>This benefits not only practitioners in our industry, but also all other executives who may need to interact with the security practice or work with the security manager. This can be especially valuable during times of change, such as when a security manager switches companies or industries, or when new executives come into the security manager’s firm.</p><p>In those situations, security managers often feel that they are continually educating others on what they do. But this endless starting over process wouldn’t be necessary if there were a common understanding of what security’s role is, beyond the scope of its responsibilities.​</p><h4>Why Now?</h4><p>This industry at large has talked about ESRM for at least the last 10 years. But as relevant as the topic was a few years ago, the present moment is the right moment for ESRM because security risks now have the potential to become more disruptive to business than in the past.  </p><p>There are several reasons for this. The use of technology in the current economy has allowed businesses to centralize operations and practices. While this consolidation may have increased efficiency, it has also made those centralized operations more susceptible to disruption. When operations were more geographically dispersed, vulnerabilities were more spread out. Now, the concentrated risks may have a more serious negative impact to the business. </p><p>We are also moving beyond traditional information security and the protection of digitalized data. Now, cybersecurity risks pose threats of greater business disruption. For example, the threats within the cyber landscape to the Internet of Things (IoT) have the potential to cause more harm to businesses compared with the negative effects they suffered in the past due to loss of information.</p><p>Many executives understand the significance of these risks, and they are looking for answers beyond the typical siloed approach to security, in which physical security and information security are separately pursued. They realize that the rising cyber risks, in tandem with the increasing centralization of business operations, have caused a gap in security that needs to be closed. </p><p>Boards are also becoming more engaged, which means that senior management must also become engaged, and someone will have to step in and fill that gap. That could be a chief risk officer, a board-level committee, an internal audit unit…or security. Hopefully, it will be the latter, but to step up and meet this challenge, security professionals must be able to consistently define their role beyond simply defining their tasks. ​</p><h4>Making the Transition</h4><p>What we need is a roadmap toward professionalization.  </p><p>ASIS is leading the effort of defining security’s role through ESRM. At ASIS 2017 in Dallas, you will hear more conversation around ESRM as well as more maturity and consistency in that conversation.  As the leading security management professional organization, ASIS is best positioned to guide us through the roadmap from a trade to a profession. </p><p>The ASIS Board of Directors has made ESRM an essential component of its core mission. It has started incorporating ESRM principles into its strategic roadmap, which means that ASIS is starting to operationalize this philosophy—a critical step in building out this roadmap. Other steps will be needed; it is essential that volunteers, both seasoned and new to the field, embrace this shift towards professionalization for it to gain traction.</p><p>This transition will not occur with the flip of a switch. It will take dedication to challenge our own notions of how we perceive what we do, the language we use to communicate to our business partners, and our approach toward executing our functions.  It will take time and comprehensive reflection, and the ability to recognize when we don’t get it right. We may not be totally wrong either, but thoroughness in developing consistency is critical.</p><p>There are some core foundational elements that need to be in place for this ESRM transition to be successful. First, there needs to be a consistent base of knowledge for our industry to work from: a common lexicon and understanding of security’s role that is understood by practitioners and the business representatives we work with. </p><p>We also need both a top-down and bottom-up approach. New security practitioners entering the industry from business or academia, or transitioning from law enforcement or the military, need a comprehensive understanding of risk management principles and how a risk paradigm drives the security management thought process. There should be an expectation that these foundational skill sets are in place when someone enters the security field. Working from a common base of knowledge, these ESRM concepts should be incorporated into the security management curriculum, consistently established in every security certification, and inherent in job descriptions and hiring expectations at every level.  </p><p>We also need to build expectations regarding what security’s role is, and how it goes beyond its assigned tasks, from the top-down—among executives, boards, hiring managers, and business partners. A clear and common understanding of security’s role will make it easier to define success and the skill sets that are needed to be successful. Organizations like ASIS will assist in providing the wherewithal to support these leaders. </p><p>If we truly are security risk managers, then there must be an expectation of foundational and comprehensive risk skill sets when hiring decisions are made. There could be educational opportunities through ASIS, through global partnerships with universities, and through publications coordinated with organizations that reach the C-suite, such as the Conference Board of the National Association of Corporate Directors.</p><p>Clearly academia needs to play a role as well. College students interested in entering this dynamic industry will come in more prepared to assist security leaders and businesses with a solid knowledge base of security risk management fundamentals. And once a rigorous ESRM body of knowledge is established, ASIS has the clout, expertise, and standing to provide a certification for academic institutions that meet concepts in their curriculum, which would will provide for a more consistent understanding of security’s role.</p><p>ASIS has established ESRM as a global strategic priority and has formed an ESRM Commission to drive and implement this strategy. One of the commission’s first steps is developing a toolkit comprising a primer and a maturity model.</p><h4>Benefits to ASIS Members</h4><p>There is a question I ask of every can­didate I interview: “Tell me about a time when you’ve been frustrated in this industry.” </p><p>Every answer comes down to one of two issues. One, we do not know and cannot clearly define our role. Two, our business partners cannot clearly define our role. Both of these frustrations are manageable, and both are our fault as an industry for not establishing clarity.  This leads to strained relationships with our business partners in how we are perceived and how likely our expert guidance is to be accepted.</p><p>Having a clearly defined security role through ESRM helps build a foundation for a more satisfying career in the security industry. It would provide us with proper standing in our enterprises, and better positioning for us to have a seat at the table for the right reasons, ones that executives understand and can support.</p><p>For the practitioner, a consistent security program through ESRM provides a framework to bring together security mitigation tasks under one proper umbrella: physical, investigations, cyber, information, business continuity, brand protection, and more. </p><p>The human resources industry has professionalized over the last decade or so. We see this through their standing within business, their seat at the table, and their upgrades in title and pay. Now, with the rise in threats and potential business disrupters, our industry has an opportunity. Business leaders and boards are looking for answers.  We have the necessary skill sets and a dedicated and supportive professional association in ASIS to take the lead.</p><p>We are at a crossroads.  It is time to choose the path of self-determination, take control of this conversation, and make the transition from trade to profession.</p><p><em>Brian J. Allen, Esq., CPP, is the former Chief Security Officer for Time Warner Cable, a former member of the ASIS Board of Directors, and a current member of the ASIS ESRM Commission. ​</em><br></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465