Thinking out of the Box with WARP: (Whitelisting, App Blocking, Red Teams, and Pentesting)
Many businesses across highly regulated industries, like investment advisers and broker dealers, are thinking in terms of “How do we check the Cybersecurity box?” Federal- and Agency-Level regulatory initiatives, as discussed in our last post of 2015, have pushed IT security and cybersecurity to the top of the compliance agenda, however there is a difference in simply addressing the Compliance issue and achieving a higher level of Security at your firm.
Artemis defines information practices which will receive greater attention in the Future to help secure your business in the Present…
IT Security and Cybersecurity are complex subjects. There is the “big picture” debate on Privacy versus National Security, which has broken down into demographics of the left coast versus the right coast. Anticipation of EU Data Protection Regulation 2.0 has many domestic businesses with overseas operations considering options for safeguarding European clients in a cost-effective manner. The cybersecurity legal picture continues to evolve via the settlement of critical cases like Wyndham Hotels and Resorts, which offers potential prescriptive measures for reducing liability related to breach.
While it may be fun to ruminate on Chaos Theory, Ideological Movements, and Cybersecurity Practices, the real digging is still conducted on the ground floor of most businesses: at the Information Security Committee. It is worth noting that ALM Legal Intelligence reported recently that half of law firms in their survey do not have data protection committees and, while rapidly changing, this could also apply to investment advisers, broker dealers, and financial services firms in general. Are you asking your external legal partners, as part of your Vendor Management Program, if they have a data protection committee?
Beyond the concept of “Perform a Risk Assessment” (many of which are conducted cursorily) there are practices that IT and Compliance should be considering if security is to be treated seriously. As Financial Services Firms are considered primary targets for terrorism and have been designated as Critical Infrastructure Providers, we believe it behooves all industry participant to go beyond the cursory review. The following information practices will become more important in the security paradigm as the battle between good and bad continues in the cybersecurity landscape.
Many firms still face the challenge of cultural and personal issues preventing more restrictive security measures. Employees, sometimes most prominently the Executive Level, demand absolute personal freedom with respect to (1) Administrative Control of their systems,(2) use of personal email and cross platform applications, and (3) the choices of personal devices and related practices. This has to change as the three areas mentioned consistently produce new vulnerabilities, many of which have been exploited to breach businesses. This is low hanging fruit for hackers attempting to gain access to your firm.
Whitelisting involves the utilization of software for the purpose of maintaining an inventory of approved applications and their necessary components. Approved applications can be installed and execute on hosts or systems within the network. The concept is that you are permitting known, good applications to be run on your systems and, conversely, prohibiting unknown and potentially malicious applications.
There are other benefits to whitelisting, such as tying activities related to maintaining software inventories, one of the SANS 20 Critical Controls and mentioned, of course, within the NIST CSF and corresponding Cybersecurity Sweep Document Request. Some whitelisting applications have a monitoring component which will allow you maintain certain files and create alerting mechanisms for access or change. Finally, whitelisting may assist you in a post-breach forensic approach to identifying whether or not malware has spread to other systems.
Some whitelisting capabilities may be native to networking operating system features, and third party applications are also available for exploration. Several mobile device management packages also permit whitelisting of applications for business phone use; a subject which can be tricky in the BYOD space, but, if you are serious about security, something well worth considering given the growing list of app-based vulnerabilities.
If you don’t know where to start with the concept of whitelisting, NIST has offered a timely (October 2015) publication and guide which is referenced below and can be placed on the table at the Information Security Committee Meeting.
Closely related to whitelisting and sometimes referred to as blacklisting, application blocking or creating rules filtering applications with several or persistent vulnerabilities is possible at the firewall or sometimes internal to OS features. For example, Microsoft AppLocker has capabilities to enforce network, group, or individual system-based rules for protection against unwanted software. Group-based determinations can permit the systems administrator to exercise more draconian controls for systems and users which have been determined as higher-risk, tying the concept to segregation and role-based access control (RBAC) in Active Directory. Applications and domain names may be blocked at the firewall, depending on capabilities, and third-party applications do exist.
Blacklisting applications and services which permit cross-platform access, such personal email services and cloud-based storage, has the additional benefit of addressing data loss prevention (DLP) concerns recently raised in broad terms within the 2015 Cybersecurity Exam Initiative. In other words, blacklisting of certain applications can be part of your comprehensive DLP strategy or policy and procedure.
Red Team Exercises:
Often grouped with Penetration Testing as part of an overall strategy for protecting organizations from the unauthorized access of data, we believe Red Team Exercises should be more broadly defined. The physical threat to critical infrastructure providers, like investment firms, is real and there is a close link between breach and social engineering attempts which can extend to physical surveillance, theft, and the attempt to access business premises. There are other physical and data security threats which will be addressed in future posts, but consider the vulnerabilities faced by management and research personnel traveling overseas and the best practices to protect both employee health and safety and critical data.
Red Team Testing involves the comprehensive examination of an organization’s physical, technical, and administrative controls/information practices, and the ability to respond and recover from attacks and incidents. Red Team Exercises often include unannounced attempts to access a business, to identify potential vulnerabilities, and exploit weaknesses.
The discussion and scoping of Red Team Exercises is a place where you can assess the capabilities of the IT security consultants with whom you may be dealing. Do they intend to gain a thorough understanding of your business activities or in order to protect your firm from physical and technical risks? Do they have the background and expertise to assist with such testing?
Red Team Exercises and testing are not new methods, but they definitely kicked into gear as technology breach and terrorism have raised both fears and security awareness at firms at present. You should also understand that Red Team Exercises and Penetration Testing are combined in the 20th SANS critical control.
Red Team Exercises mean different things to different people, and we anticipate a delineation debate in coming years. For example, the CIA has a Red Team unit that was put in place post 9/11 to consider potential attack scenarios to domestic infrastructure. The hypothesis of the Red Team is that it thinks creatively, out of the box about scenarios which may circumvent existing controls. The Red Team Exercise should help uncover new attack vectors at your business but also work with your firm to test areas of greatest concern. Is your firm ready for a Red Team Exercise?
- Scope of the exercise is clearly defined and collaboration in understanding your business is key;
- Make sure the agreed upon terms are addressing concerns that are real to your business;
- Determine to what degree a black box methodology with wide latitude can be used to test infrastructure and personnel;
- Documentation of the defined exercise should be thorough, describing testing methodology, results, and mitigation;
- Reporting, if properly defined, can be useful for addressing testing requirements for Business Continuity and Technology Incident Response and Recovery.
Pentesting is oftentimes a component bundled with Red Team Exercises, but this is not always the case. Pentesting is a requirement for PCI-DSS vendors, and there is no question of a developing regulatory expectation for investment advisers and financial services firms. The 2015 Cybersecurity Examination Initiative mentions penetration testing under the Governance and Risk Assessment appendix section in the following manner under “Firm policies and procedures relating to the following”:
“Information regarding the firm’s policies related to penetration testing, whether conducted by or on behalf of the firm, and any related findings and responsive remediation efforts taken.”
While penetration testing is not discussed in the subcategories of the NIST CSF, keep in mind that an important, first-step component of pentesting, Vulnerability Management and Scanning are referenced under the Protect and Detect Functions. We plan to cover pentesting more extensively in future posts, but here are some of the basics and a starting point for the Compliance discussion with IT:
- Pentesting has become an automated, commoditized process. What are the tools and methods used by your pentesting firm that make then different, thorough, and capable of producing meaningful results?
- Does your pentester have an understanding of your firm’s unique risks and financial services regulatory requirements and expectations?
- Vulnerability scanning, footprinting, and identification are often the first steps for pentesting. Is your firm conducting any scanning?
- What type of reporting of both discovered vulnerabilities and successful and failed exploits can you expect? Does your pentester assist in mitigation or provide follow-up testing?
- Pentesting, like risk assessment, can be viewed as another “check the box” compliance process or you can go for something more meaningful.
- We suggest tying pentesting to a larger understanding of identified IT Security risks and finding a firm that will collaborate with you to provide more than an automated process and cut and paste reporting.
As IT security model standards mature, we expect you will see more discussion and greater definition of WARP information practices (Whitelisting, App Blocking, Red Team Exercises, and Pentesting). These are just a few controls in what will be a shifting paradigm toward proactive/preventative measures. There are certainly other information practices such as network segregation and segmenting to protect higher risk processes which will become more prevalent as well. Finally, any Red Team Exercise and Penetration Testing program must continue to take into account the human factor and training of employees based upon roles and functions.
SC Article on ALM Legal Survey
SANS 20 Critical Controls
NIST Publication: Guide to Application Whitelisting