ISSA Journal

July 2017, Volume 15 Issue 7

Cryptographic Architectures: Missing in Action

Cyberwar and International Law

Building a Phishing Program: Why Haven’t You Started Yet?


Table of Contents

DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Articles

23 Cyberwar and International Law

By Luther Martin – ISSA member, Silicon Valley Chapter and Cheryl He

There is a lot of discussion of cyberwar these days, though much is not based on a careful understanding of what might reasonably be called “cyberwar.” The authors look at what existing international law tells us about cyber attacks and at what recent cyber incidents might reasonably be considered to be serious enough to be considered something more than annoying attacks by hackers.

28 Building a Phishing Program: Why Haven’t You Started Yet?

By Tonia Dudley – ISSA member, Phoenix Chapter

This author discusses the basics of a phishing simulation training program and how it is one element of an overall security awareness program to address human behaviors. The article provides some recommendations to consider when building a successful program.

Also in this Issue

3 From the President

5 Sabett’s Brief: Cybersecurity Will be H-U-G-E!

6 Herding Cats: Global Cyber Enforcement

7 Gray Hat: Equities Equities

8 Open Forum: Cybersecurity in World Politics

9 Security in the News

10 Association News

13 Starting the Conversation…: A CISO’s Perspective on Threat Intelligence

34 Crypto Corner: Encryption Standards

35 Perspective: Women in Security SIG: International Cybersecurity Ambassadors: Global Security Awareness

Feature

16 Cryptographic Architectures: Missing in Action

By Jeff Stapleton – ISSA member, St. Louis Chapter

Documenting network topology, information technology, and system architectures is a common development practice. However, cryptographic architectures are often ignored due to lack of knowledge or overlooked to avoid complexities. This article discusses the critical importance of identifying and understanding the cryptographic architectures.

©2017 Information Systems Security Association, Inc. (ISSA)

The ISSA Journal (1949-0550) is published monthly by Information Systems Security Association

11130 Sunrise Valley Drive, Suite 350, Reston, Virginia 20191 703.234.4095 (Direct) • +1 703.437.4377 (National/International)

2 – ISSA Journal | July 2017


From the President

Introducing ISSA International President Keyaan Williams

On June 14, 2017, I assumed the role of ISSA International President as an appointment after an affirmative vote of the International Board of Directors. "Appointment" is a key term in this conversation because the path that led me to serve in this role is different from an approach customarily used to select candidates and elect an association's president. I do not take the responsibility of this appointment lightly.

Because I was appointed rather than elected, it is my duty to share some details about my background and my vision for the ISSA. I have a great relationship with some members and chapters, but I do not know everyone. I hope to know as many members as possible during my service in this role. I am committed to serving the mission and the best interests of the ISSA. I pray that my tenure delivers the same meaningful contribution provided by ISSA International presidents who have held this position before me.

For those who do not know me, I have been a director on the International Board since 2015. I originally submitted my application for election because I wanted to expand my service to the association by helping all members achieve the personal and professional success I realized from active participation with my local chapter. Since joining the board, I have been working as the chairperson of the Strategic Alliances Committee. This committee helps ISSA achieve its “value” goal by identifying and developing partnerships with organizations that offer education, training, or other perks that enhance the value of ISSA for our members.

I consider my new role an extension of my old role. Primarily, I am here to serve the members and stakeholders of the ISSA. I commit to blatant honesty and transparency about what we are doing at the international level to make things better locally for our chapters and our members. The association’s mission to develop and connect cybersecurity leaders globally will guide my efforts. I hope to contribute to this mission by focusing on the strategic goals established by the board: expanding the global influence of the ISSA, maximizing the value of membership, and developing effective organizational processes and procedures.

I consider it an honor to work with the International Board of Directors to provide broad support and direction for the association; however, our chapter leaders are the most important part of the ISSA equation. Dozens of presidents, vice presidents, secretaries, treasurers, and other directors work tirelessly at the local level, delivering an exceptional membership experience. Many chapters produce outstanding results with extremely limited resources because of the people committed to serving the mission and members of the ISSA.

Having been there before, I am sensitive to the challenges they face. Therefore, I am open to suggestions from members and chapter leaders about the support you receive from our International Board, whether good, bad, or ugly.

You have my promise that I will do all I can to maintain the legacy established for the ISSA before I had the privilege to serve as its president.

Keyaan Williams


The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader.

Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry, and/or changes/enhancements to hardware or software components.

The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org.

All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.


DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Now Indexed with EBSCO

Editor: Thom Barrie [email protected]

Advertising: [email protected]

866 349 5818 +1 206 388 4584

Editorial Advisory Board

Richard Abbott

James Adamson

Phillip Griffin, Fellow

Michael Grimaila, Fellow

Yvette Johnson

John Jordan, Senior Member

Mollie Krehnke, Fellow

Joe Malec, Fellow

Donn Parker, Distinguished Fellow

Jean Pawluk, Distinguished Fellow

Kris Tanaka

Joel Weise – Chairman, Distinguished Fellow

Branden Williams, Distinguished Fellow

Services Directory

Website

[email protected]

Chapter [email protected]

Member [email protected]

Executive [email protected]

Advertising and [email protected]

International Board Officers

President: Keyaan Williams, Fellow

Vice President: Justin White

Secretary/Director of Operations: Anne M. Rogers, CISSP, Fellow

Treasurer/Chief Financial Officer: Pamela Fusco, Distinguished Fellow

The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.

With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government.

The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.

Board of Directors

Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow

Mary Ann Davidson, Distinguished Fellow

Rhonda Farrell, Fellow

Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS, Fellow

DJ McArthur, CISSP, HiTrust CCSFP, EnCE, GCIH, CEH, CPT

Shawn Murray, C|CISO, CISSP, CRISC, FITSP-A, C|EI, Senior Member

Alex Wood, Senior Member

Stefano Zanero, PhD, Fellow

Information Systems Security Association

11130 Sunrise Valley Drive, Suite 350, Reston, Virginia 20191

703.234.4095 (Direct) • +1 703.437.4377 (National/International)


Sabett’s Brief

By Randy V. Sabett – ISSA Senior Member, Northern Virginia Chapter

Cybersecurity Will be H-U-G-E!

I normally remain apolitical in most of my professional dealings, but talking about cybersecurity in the context of world politics sort of forces the matter…or does it? While cybersecurity has played an increasingly important role in the political world, the approaches to (and solutions for) the cybersecurity problems remain neutral politically. Cybersecurity does become an important and relevant political issue when it involves activities by nation states and includes actions sanctioned by those nation states that cause both short-term and long-term harm to citizens and businesses of another country.

According to various media outlets, cyber attacks launched by nation states increasingly target government entities, critical infrastructure and industrial control systems, and private businesses. These attacks, frequently investigated by experts who attribute them to specific nation-state actors, utilize a variety of approaches that interrupt business operations, exfiltrate financial information (such as credit card numbers), and exploit confidential information. Because both public and private entities continue to expose sensitive and valuable data (e.g., intellectual property), the result is large-scale loss of both information and revenue.

Based on some of the recent ransomware attacks, nation states would appear to be more active than they have been in the past. Again, the popular media has pointed to nation states as devoting substantial resources to achieve their cyber-attack objectives, including time, money, and hacker talent. In light of this threat, the challenge for most organizations is striking the right balance between an attacker that many (if not most) organizations view as a very low likelihood threat and taking care of the more common threats that exist every day on the corporate network.

One rather obvious question centers on the motivation for such attacks. While there are probably hundreds of different variations, two common themes seem to emerge from reports over the past several years. First, nation states seek to gain an upper hand in negotiation and politics. On a more and more frequent basis, information for gaining such an upper hand can be acquired via cyber attacks on both public and commercial targets. Second, nation states seek to exfiltrate trade secrets and other sensitive information from commercial entities in order to allow the companies in their own countries to be more competitive in the world markets. Although this may not be what people stereotypically think of when it comes to world politics, such economic advantage remains an attractive motivator for cyber attacks.

Attribution continues to be one of the unfortunate difficulties in such matters. Even when investigators have what appears to be incontrovertible evidence that a particular attacker and/or particular nation state was responsible for a given action, the complexities involved in the attacks and the ability for the allegedly responsible nation states to hide behind a variety of excuses mean that most alleged nation-state cyber attacks go unpunished on the world stage.

Despite (or perhaps in part because of) the attribution problem, combined with the two prime motivations above, most entities should include nation-state attacks in their threat and risk analysis process. Too often I’ve been involved in incident response situations involving what were very likely nation-state attacks (based on credible reports offered up by federal law enforcement officers) that were viewed by the victim as “I didn’t think that could happen to me” or “Why would that group come after me?” Planning for such attacks in advance, including having a law enforcement officer on speed dial, can make responding to such incidents easier. I would love to wrap up with a political comment here (there are numerous that would be rather funny and ironic), but I will remain apolitical…though it definitely would have been huge.

“Nation states seek to gain an upper hand in negotiation and politics…[and] seek to exfiltrate trade secrets and other sensitive information from commercial entities.”

About the Author

Randy V. Sabett, J.D., CISSP, is an attorney with Cooley LLP (www.cooley.com/rsabett), a member of the advisory boards of MissionLink and the Georgetown Cybersecurity Law Institute, and is the former Senior VP of ISSA NOVA. He recently completed FBI Citizen Academy training, was a member of the Commission on Cybersecurity for the 44th Presidency, was named the ISSA Professional of the Year for 2013, and can be reached at [email protected].


Herding Cats

Global Cyber Enforcement

By Branden R. Williams – ISSA Distinguished Fellow, North Texas Chapter

Every year the message of cybersecurity gets pushed farther into the mainstream where fewer politicians sound like the late US Senator Ted Stevens and his infamous description of the Internet as a “series of tubes.” While our current administration appears to be re-opening the net neutrality debate—from which this quote originates—bringing technology debates back onto the Hill, politicians still don’t fully understand all the issues surrounding cybersecurity.[1] For example, the reports from earlier last month that UK Prime Minister Theresa May wants to ban encryption[2] illustrate a politician’s reaction to something not quite understood. In many cases, these knee-jerk reactions are symptom-treating solutions that ignore the cause of the problem.

Perhaps a bigger problem with cybersecurity around the globe is the reality that Johnny can break US laws and cause real damage to US property without ever stepping foot in the country. Replace US with any country of choice, and you can see the problem. Consider the recent WannaCry outbreak (and its variants that continue as of the writing of this column). When NSA secrets get out, it could be a single brilliant actor that wreaks havoc on the world, or it could be participants from several countries that release these worms into the wild. This scenario presents a many-to-many relationship when you consider several actors breaking their own sovereign laws who release something that causes many more laws to be broken in the victims’ sovereign states. How exactly do you prosecute that one?

Perhaps the cybersecurity laws coupled with our interconnected world highlight a recurring problem on our humble blue planet. Globalization is great for both the good guys and the bad guys. There are 195 sovereign states,[3] which means 195 governments, often made up of multiple groups inside them, must grapple with criminals they can’t see and often times cannot reach. It’s a problem that continues to surface when borders are involved. Ideally, a standard, baseline set of cyber laws could be enacted in every sovereign state on the globe, with reciprocity and extradition built in, to allow for global cooperation to pursue cyber criminals. It’s one of those ideas that looks good on paper, but is a nightmare to enact—especially when nation states sanction operations against each other that would break and violate those very laws. Given the impracticality of a plan like that, perhaps we can look at it from the other side of the issue.

The Internet is a dangerous place. There are dark parts, there are illegal parts, and the occasional good part powered by capitalism. Being a part of this crazy ecosystem means that you must accept a few realities that can be difficult to understand.

1. Just like the Wild, Wild West, there are both written and unwritten rules of conduct. Enforcement of those rules is inconsistent at best, so depending on which side of the equation you sit, you could benefit or be crushed.

2. Security is your responsibility to manage, and you are responsible for whatever happens to you when you plug in. It’s all about risk management. It’s the same story we’ve heard for decades. Risk comprehension is difficult, and few do it well. If you don’t have good risk management, you can’t be upset when a catastrophic event bites you.

3. Fighting back is not the best way. Instead, making life harder for an attacker will go longer to keep you safe. This is the CISO’s lament. How do I efficiently deploy my resources in ways that allow me to survive without retaliation?

So many CISO friends of mine launched into tirades about the realities of information technology in a world of WannaCry. While pundits blamed CISOs for unpatched systems that allowed WannaCry to be a thing in the first place, the reality of running a security organization means that some machines won’t get patched in time. Savvy CISOs know this and can deploy defenses appropriately. Technology is flawed, networks are porous, and all of it is powered by error-prone humans. Those of us on the front lines must focus on defense tactics while we wait for the law to catch up. It’s a fight worth fighting, but we must act, knowing that cyber law utopia is just that—imagined.

[1] For the record, I am not suggesting that I do, but I also am not enacting laws around it.

[2] Timothy Revell, “Theresa May’s repeated calls to ban encryption still won’t work,” New Scientist, 5 June 2017 – http://brando.ws/2u4HWJf.

[3] Sorry Taiwan. You definitely have the best tea though!

About the Author

Branden R. Williams, DBA, CISSP, CISM, is a seasoned infosec and payments executive, ISSA Distinguished Fellow, and regularly assists top global firms with their information security and technology initiatives. Read his blog, buy his books, or reach him directly at http://www.brandenwilliams.com/.


Gray Hat

Equities Equities

By Mark Anderson – ISSA member, Australia Chapter

Early in WWII, Winston Churchill, the UK Prime Minister, was faced with an invidious decision. The UK had cracked a main German code via Ultra and now knew about an upcoming air raid on the town of Coventry. However, if the inhabitants were warned, the likelihood of the Germans working out that their code had been cracked would be high, thus resulting in severe damage to the war effort. The problem facing Churchill was an asymmetric one of balancing the lives of a town with the preservation of a critical national security source while the country itself faced an existential threat.

Although it has been disputed subsequently whether Churchill did know beforehand of the raid since its German codename “Korn” only was apparently mentioned in Ultra intercepts, the problem in its most generic sense describes an issue that in national security cyber circles is called equities. Equities in cyberspace national security policy arise quite frequently. Possibly the most common concerns zero-day attacks. For example, some of these attacks may have been discovered by agency black hats when developing new penetration methods, and some may actually be in use for exploitation purposes with various operations. Disclosure and subsequent patching of the zero day may cause disruption of the clandestine operation in progress, damage other sources, or destroy the investment in discovering or developing the zero day.

The white hats, on the other hand, clearly want to know about the zero day immediately so they can patch their systems and prevent an attack or at least throw out entrenched penetrators. So, a question of equities arises: to disclose or not to disclose? The equity decider may have to weigh whether the secrecy of the use of the zero day, or its potential use, outweighs the benefit of patching systems against potential or ongoing attack. But the process of weighing benefits versus cost, in today’s context, carries far more levels of asymmetries in national policy than those that faced Churchill. It’s not just the compromise of other departments’ systems that may result by not disclosing the zero day and patching, or even the measurement of individual lives lost; it can and does carry over whether there might be significant loss of intellectual property or other data that sends an industry bust but has little to do with traditional national security interests.

The damage in this context is not restricted to an event affecting a whole town as in WWII as cyberspace reaches across the entire nation into every company and every home. So, which companies are to be sacrificed? Or more importantly, is this aspect even a factor in the consideration process? But equity deciders, which mainly comprise bureaucrats, are likely to be more used to matching complex questions of national security without third-party economic factors and therefore may seek to divorce from broader whole-of-nation and economic considerations.

The infosec equities question raises some very interesting policy and technical questions in today’s context where cyberspace has woven itself into the day-to-day existential makeup of a nation. The recent WikiLeaks regarding claimed CIA methods and the handling of zero-day techniques raises the level of the conversation to more tangible.

One thing I believe but rest as a polemic claim: I am not convinced that the extant equities methodology includes a representative set of factors for impact and timing commensurate with the ubiquity of the continually evolving Internet. I am not convinced that economic cost factors across the non-national security sector are sufficiently considered, and this disparity may become more pronounced as our economies become even more embedded and tied to the health of cyberspace. Safe, secure, and reliable places to do business in cyberspace are now essential across the entire well-being of a nation. It is easy for agency bureaucrats to forget you can’t have any serious national security if you don’t have a strong, robust economy to pay for that security, including the bureaucrats’ pension plans. The United States built the most formidable military in the history of the world for its national security. But it couldn’t have done it without also building the most formidable economy in the history of the world to pay for it. And the fact that it still is the number one economy in the world makes for a strong national security foundation.

Old methods of measuring equity in the national security arena for cyber based on the old crypto paradigms may no longer be appropriate—another complex shade of gray in the infosec space.

About the Author

Gray Hat is an ACM Distinguished Engineer and principal inventor for several patented devices and major systems that have entered operational service with the US Armed Forces, as well as other national governments for high-grade information security purposes. He can be contacted at [email protected].


Open Forum

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. The views expressed in this column are the author’s and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.

Cybersecurity in World Politics

By Stuart Peck

The political or cyber-political landscape has changed dramatically over the past couple of years, driven mainly by the perceived threat that a country (or indeed its political elite) is constantly under attack by one of the usual suspects, whether they be China, North Korea, or Russia. What is more clear is that hacking has become a tool of fear for both perpetrators and victims to drive and influence their political agendas. This is where things unfortunately start to go wrong.

In the 2016 US election, cybersecurity featured more prominently than any other election race with the focus of both leading candidates taking aim at poor levels of personal security. However, post-election analysis (via a leaked NSA document), points strongly to attempted hacking of the computers of US voting officials by Russia. Post-Trump election politics are now all about propaganda, driven through “fake news” and hacking allegedly by Russia.

The theory of hacking elections by foreign states is not just limited to the US. During the Brexit vote in 2016, it was suspected that a foreign government such as China or Russia may have been behind the collapse of a voting registration website. A report by the Public Administration and Constitutional Affairs Committee said “Members of Parliament were concerned about allegations of the spike in over 500,000 people trying to register to vote on the last day of the election being the result of a DDoS attack from botnets.” The tactics, techniques, and procedures used by the suspected threat actors mirror those that are now known to have been used by Russia in the US election campaign.

What happens though when a state is thought to be behind a mass global cyber attack such as WannaCry? Firstly, one could argue that the NSA has some accountability for an attack using the Eternal Blue exploit, but a recent statement from the NSA points to a moderate confidence that North Korea was behind the attack, more specifically the Reconnaissance General Bureau (RGB). The attribution to RGB was based upon code snippets and techniques used in attacks in Bangladesh in 2016 that were attributed to the Lazarus Group, which is thought to be sponsored by (or connected to) RGB.

However, attribution models are flawed because it is easy to misdirect attribution, as the recent Vault7 leak widely published on Wikileaks proves with UMBRAGE, which cites:

“The CIA Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques stolen from malware produced from other states including the Russian Federation. With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the ‘fingerprints’ of the groups that the attack techniques were stolen from.”

This proves that attribution can be manipulated to drive political agenda. It is all too easy to attribute an attack to a nation state based upon known TTPs (tactics, techniques, and procedures). As cybersecurity professionals we have a responsibility as a community to ensure we share intelligence more to help cut through the “fake news” agenda and deception tactics used by nation states. You only have to turn to Twitter to understand that there is more that we can all do as a community, for example, where lines are firmly drawn on the attribution of the WannaCry outbreak. We should collaborate more globally as an industry and not exclude talented professionals wherever they may come from, especially China, Russia, and dare I say it–North Korea. Information security is all about being inclusive. If the cyber criminals can collaborate; why can’t we?

Which brings me to my final point: there have been great strides in the private sector working in collaboration with governments, but more education is needed at the politician level, especially on the importance and benefits of encryption over the risks of mass surveillance through backdoors, as an example.

It is our role to ensure that as an industry we drive home the message of protecting critical assets, data, and systems and ensuring that the message is not lost in propaganda…from Russia!

About the Author

Stuart Peck heads up Cyber Security Strategy for ZeroDayLab. He regularly delivers threat briefings to FTSE-level executives and directors throughout the UK and Europe. Stuart’s key areas of expertise include the dark web, social engineering, malware and ransomware analysis and trends, threat hunting, OSINT, HUMINT, and attacker recon techniques. He may be reached at [email protected].


Security in the News
News That You Can Use…
Compiled by Joel Weise – ISSA Distinguished Fellow, Vancouver, BC, Chapter and Kris Tanaka – ISSA member, Portland Chapter

The Brain As Computer: Bad at Math, Good at Everything Else
http://spectrum.ieee.org/computing/hardware/the-brain-as-computer-bad-at-math-good-at-everything-else

I’m a big fan of mimicking human systems and applying those characteristics and properties to design and architecture, especially in the security space. Modeling computers based upon the human brain seems, well, natural. This is an excellent article—well worth the read. One interesting observation noted is the difference between a computer and the human brain. A computer maintains a separation between memory and logic, while a human brain does not. Imagine the performance impact if computing systems could do the same?

How Tech Sleuths Cracked the Mysterious Code That Turns Your Printer into a Spying Tool
https://www.washingtonpost.com/news/morning-mix/wp/2017/06/09/how-tech-sleuths-cracked-the-mysterious-code-that-turns-your-printer-into-a-spying-tool/?utm_term=.f8461c32d345

This may be old news to some, but it is making headlines again because of the recent arrest of Reality Leigh Winner, who allegedly leaked classified NSA information. Apparently the secret document was disclosed by using a printed paper report. For those considering “sharing” confidential, printed information (not recommended) it may be wise to review what the Electronic Frontier Foundation discusses here. Namely, it is pretty easy to identify the specific printer that produces documents. I imagine there are ways to mask the yellow dot markings described in the article. This sounds like a potential high school science project.

Federal Contractor Busted for Leaking Top Secret NSA Docs on Russian Hacking
http://nypost.com/2017/06/05/top-secret-nsa-doc-details-russian-election-hacking-effort-report/

Here is a good overview of the alleged release of the classified NSA report that detailed how Russian military hackers targeted US voting systems. The most interesting point is that “operatives from the Russian… GRU are said to have targeted employees at a US election software company.” The underlying message to those in the information security space is stay aware because you may be a target.

Russian Cyber Hacks on US Electoral System Far Wider Than Previously Known
https://www.bloomberg.com/news/articles/2017-06-13/russian-breach-of-39-states-threatens-future-u-s-elections

More on the subject from Bloomberg. It seems Russia orchestrated efforts to attack voting systems in various states. Is this shocking news? Probably not. But what is surprising is that this article, as well as most other articles on the subject, neglects to discuss what can be done to address vulnerabilities in the disparate US voting systems.

Hack Job
https://www.foreignaffairs.com/reviews/review-essay/2017-04-17/hack-job

Short and to the point. The key takeaway is that there is much uncertainty, and the key question is: How does a government respond to an invisible attacker, especially without clear rules of engagement? The article also mentions two books that may be worth checking out: Dark Territory by Fred Kaplan and The Hacked World Order by Adam Segal.

Top Secret NSA Report Details Russian Hacking Effort Days before 2016 Election
https://theintercept.com/2017/06/05/top-secret-nsa-report-details-russian-hacking-effort-days-before-2016-election/

And here’s more from The Intercept. I don’t think it is a question of whether or not Russia hacked the US election, but rather to what extent. Clearly the Russians were targeting the US election infrastructure at multiple levels.

Cyber Attack on UK Parliament: Russia Is Suspected Culprit
https://www.theguardian.com/politics/2017/jun/25/cyber-attack-on-uk-parliament-russia-is-suspected-culprit

It appears that the US is not the only target for Russian hackers. Although investigations are ongoing, preliminary results reveal that weak passwords enabled hackers to gain access to email accounts. This should be a good lesson for everyone—go back to the basics and immediately strengthen your password defenses.

Hackers, Beware! Girl Scouts to Offer Cybersecurity Badges
https://www.usatoday.com/story/tech/nation-now/2017/06/22/girl-scouts-offer-cybersecurity-badges/418443001/

Is this one of the solutions that we have been looking for to close the cybersecurity skills gap? Only time will tell. At the very least, we will have yet another avenue to communicate, promote, and educate the next generation regarding future career opportunities, and more importantly, how to be safe online.

US Looks at Extending Laptop Ban to All Flights
https://www.ft.com/content/a5624c3c-3bd7-11e7-821a-6027b8a20f23

This sounds like yet another case of “Security Theater.” What exactly is the threat from a laptop located in the cabin vs. in the luggage compartment? If an explosive device could be incorporated into a laptop, I have to believe that anyone designing such a weapon could also figure out how to remotely detonate it. Additional commentary from Bruce Schneier: http://www.cnn.com/2017/05/16/opinions/extension-laptop-ban-opinion-schneier/index.htm



Association News

ISSA CISO Virtual Mentoring Series
ISSA.org => Learn => Web Events => CISO Mentoring Webinar Series

LEARN FROM THE EXPERTS! If you’re seeking a career in cybersecurity and are on the path to becoming a CISO, check out the following as well as the 20+ webinars from April 2015 through April 2017!

July 13, 2017 - 1:00 pm - 2:00 pm Eastern. ISSA CISO Mentoring Series

The EAB Corner
Donn Parker Retires from the Board

Longtime information security pioneer and EAB board member Donn Parker—ISSA Distinguished Fellow, Silicon Valley Chapter—has retired from the board. We thank him for his long service to the Journal, ISSA, and the infosec community.

Meet the other board members: ISSA.org => Learn => Journal

Donn Parker

ISSA Partners with ASIS 2017

ISSA and ASIS International (ASIS), the leading association for security management professionals, have formed an event partnership that will advance our shared missions—to heighten the knowledge, skills, and professional growth of security professionals across the globe.

For 2017, ISSA will be fully integrated into all facets of ASIS International 63rd Annual Seminar and Exhibits (ASIS 2017), convening September 25-28 in Dallas, Texas. In addition to developing two information security tracks for the education program, ISSA will showcase cybersecurity-focused solutions providers on the ASIS exhibit floor, and will host organizational meetings and social events for their members at the event.

ASIS 2017 ISSA Member Discounts
ISSA Member Full: $225 off – IS17FULL

ISSA Single Day: $145 off – IS17SING

Learn more about the event at securityexpo.asisonline.org and use the codes above to redeem your member discount.

Financial Sector IT Security Conference and Exhibition
November 14-15, 2017 – Istanbul, Turkey

IFINSEC is a global, niche, and dedicated conference focusing on IT security technologies and solutions for the financial sector. IT security, information security, network security, big data security, application security, web security, identity and access management, end user security, database security, mobile security, cloud security, and IT risk management are key topics of the conference.

The IFINSEC Conference presents a perfect platform to introduce and demonstrate IT security solutions including platform, system, software, hardware, services, and consultancy and is one of the most important conferences in the EMEA region for the financial sector. Strong participation in the IFINSEC 2017 Conference is expected from the EMEA region and other parts of the world.

English or Turkish will be the languages of the conference presentations. Simultaneous translation to Turkish or English will be available. There will be an exhibition area where sponsor companies will introduce their solutions to visitors.

For more information about IFINSEC Conference, please visit event website www.ifinsec.com or contact [email protected].

CSCL Pre-Professional Virtual Meet-Ups

So, you think you want to work in cybersecurity? Not sure which way to go? Not sure if you’re doing all you need to do to be successful? Check out Pre-Professional Virtual Meet-Ups to help guide you through the maze of cybersecurity.

LOOKING AHEAD…
September 21, 2017: 11:00 am -- 12:30 pm ET. A Day in the Life of an Ethical Hacker
Everybody wants to be an ethical hacker. Find out what it is really like – the pitfalls and the glory. It’s not as easy as you’d think!

Don’t miss out on the 20+ archived meet-ups:ISSA.org => Learn => Web Events => CSCL Meet-Ups



At the ISSA 9th Security Summit hosted by the ISSA Los Angeles Chapter, conference chair Yev Avidon presented a $500 check to representatives from the CyberPatriot national finalist winners. CyberPatriot is an outstanding program focused on getting students into cybersecurity and STEM fields—they are our future national defenders. I asked their teacher, Hassan Twiet, to provide some background.

So what was so special about these young people?
Six cyber teams from Peninsula High School (PHS) in Southern California competed for the 12 coveted slots in the open high school division of the CyberPatriot national finals. PHS teams have made it five times to the national finals and in 2014 we were awarded third place.

What is the composition of your teams?
The teams are very diverse ethnically and academically. The past three years we had an all-girls team to encourage female students to seek careers in cybersecurity. Most students are from our computer science AP classes. I am really impressed by them: their hard work, effort, teamwork, and communication with one another helped them achieve something that is not only an academic success but important for our country.

Hassan Twiet, Palos Verdes Peninsula High School

I want to thank Hassan Twiet for his efforts with his students, ISSA Los Angeles Chapter for their support, and encourage other chapters to likewise become involved with raising up the next generation of cybersecurity professionals.

In Denver last month at the Rocky Mountain Information Security Summit, I found many ISSA members who had this same enthusiasm for the CyberPatriot program. Some I spoke with were already thinking of new ways to support the program as well.

It is a true blessing to see firsthand our future professionals being nurtured by their teachers and by ISSA members. Any donations of tools, equipment, and free training are encouraged as it is something the students have asked for. Keep moving forward, Cyber Patriots! They are truly a testament to our future!

Andrea Hoy, Past ISSA International President, Distinguished Fellow, Orange County Chapter, Ventura County Chapter, and soon the new British Virgin Islands Chapter

CyberPatriots: The Next Generation of Cybersecurity Professionals

What Is CyberPatriot?
CyberPatriot is the national youth cyber education program created by the Air Force Association (AFA) to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation’s future. The three CyberPatriot programs are the National Youth Cyber Defense Competition, AFA Cybercamps, and the Elementary School Cyber Education Initiative.

The National Youth Cyber Defense Competition puts teams of high school and middle school students in the position of newly hired IT professionals tasked with managing the network of a small company. In the rounds of competition, teams are given a set of virtual images that represent operating systems and are tasked with finding cybersecurity vulnerabilities within the images and hardening the system while maintaining critical services. Teams compete for the top placement within their state and region, and the top teams in the nation earn all-expenses paid trips to Baltimore, MD, for the National Finals Competition, where they can earn national recognition and scholarship money. The first competition was held in 2009.

Some of the sponsors are Northrop Grumman Foundation, AT&T, CISCO, US Department of Homeland Security, Facebook, Norton, Air Force Reserve, and Air Force STEM.

AFA’s CyberPatriot: www.uscyberpatriot.org.

Pictured on May 19th with the ISSA LA board: Richard Greenberg, Yev Avidon, Sasha Schleumer, Andrea Hoy (past international president), Dave Wettenstein, Gary Landau, and Sean Martin; CyberPatriots representing Peninsula’s winning team: Robert Peltekov, Josie Fleming, Conner Rehm, Phoenix Stouts.



ISSA.org => Learn => CISO Executive Forum

The CISO Executive Forum is a peer-to-peer event. The unique strength of this event is that members can feel free to share concerns, successes, and feedback in a peer-only environment. Membership is by invitation only and subject to approval. Membership criteria will act as a guideline for approval.

Las Vegas, NV – July 23-24, 2017

Security Awareness and Training—Enlisting Your Entire Workforce into Your Security Team

San Diego, CA – October 11-12, 2017
Payment Strategies: The Game Has Changed

For information on sponsorship opportunities, contact Monique dela Cruz [email protected].

Elevate Your Career
ISSA.org => Learn => Members => Author Support

As a security professional, you have unique and valuable experiences, insights, and information that could positively impact infosec practitioners around the world. Effective writing is an essential skill for achieving your career goals. Do you have an article in mind? Would you find it helpful to bounce your ideas off of other members who have been published, and get their feedback on your drafts?

The Journal’s Editorial Advisory Board will match you with an experienced author as a resource to help you practice and refine your skills, communicate your knowledge, and raise your visibility and stature. Join Friends of Authors today, and let us know your interests and goals.

Special Interest Group Webinars
ISSA.org => Learn => Special Interest Groups
Want to hear more from ISSA’s Special Interest Groups? Join free.

Women in Security SIG
July 10, 2017: 4:00-5:00 PM Eastern. Technology Leadership Series - Part III

Here Come the Regulators
2-Hour Live Event: Tuesday, July 25, 2017, 9 a.m. US-Pacific / 12 noon US-Eastern / 5 p.m. London

As the face of the world changes once again and governmental sanctions loom on the horizon, what happens with global data protection levels when one country decides to allow or disallow technology to cross its borders? For example, how will Brexit impact the global technology rules?

Looking ahead to next year, how much of an impact will the sweeping new requirements of the EU General Data Protection Regulation (EU GDPR) have on the rest of the world? We bring in regulatory experts to take on this increasingly daunting and international issue.

REGISTER: www.issa.org/?page=WebConferences

For more information on this or other webinars:ISSA.org => Learn => Web Events => International Web Conferences

ISSA and ESG 2016 Member Survey

Findings from the first global survey of cybersecurity professionals show 65 percent struggle to define their career path, while 46 percent are solicited for new jobs at least once per week. Learn the top five tips for taking control of your cybersecurity career lifecycle.

PART I: The State of Cyber Security Professional Careers
PART II: Through the Eyes of Cyber Security Professionals

#ISSAConf

ISSA 2017 INTERNATIONAL CONFERENCE

DIGITAL DANGER ZONE

October 9 -11, 2017 San Diego, California

REGISTER ONLINE: www.iplanevents.com/ISSA2017

Registration before July 15, 2017
ISSA member rate: $399 | Non-member rate: $798

Student rate: $150

Registration July 15, 2017 – October 8, 2017
ISSA member rate: $499 | Non-member rate: $898

Student rate: $150

On Site Rate
ISSA member rate: $549 | Non-member rate: $998

Student rate: $150

For information on volunteer opportunities which qualify for a discounted or complimentary registration, contact Leah Lewis.



Starting the Conversation…
A CISO’s Perspective on Threat Intelligence
By Dave Cullinane – ISSA Fellow, Silicon Valley Chapter

As the CISO of what was at the time the sixth largest bank in the US, and then the largest online marketplace in the world, I had the benefit of being able to compare and contrast attacks and attackers in two of the highest cybersecurity risk environments in the world. It quickly became clear that we were dealing with many of the same adversaries. It also became apparent that attacks against one sector were soon modified and used to attack companies in another sector. That is even more true today. Just a few years ago, it would be a week or more before a new attack was seen by a potential second victim. Today the Verizon 2017 Data Breach Investigations Report clearly shows that new attacks are directed at dozens of companies within the first 24 hours and hundreds within a few days [1]. A few years ago, visibility into the threat environment was essential if cybersecurity was to have any hope of being preventive. Today, visibility into what is coming is critical to simply staying alive. We must get past the obstacles and start exchanging actionable incident data both within and across sectors.

Meanwhile, our adversaries are collaborating very effectively. In fact, 25 percent of cyber attackers claim the number one reason for their success is increased collaboration [2]. We (companies/organizations) are all working in silos—either alone or in sector-specific groups. We have limited to no visibility into what is happening across sectors. Without fast and effective intelligence exchange, it may take days and possibly weeks to find out what happened in another location or in another sector. By then it will be too late. Experience shows that attacks move from sector to sector, as well as up and down the sector chain—successfully victimizing hundreds if not thousands of companies with each attack. And yet we all try to “fight the good fight” on our own. The result? The advantage goes to the adversary. And it’s getting worse every day. That has to change. Now.

One of the questions I was frequently asked as a CISO is “What keeps you awake at night?” It wasn’t any specific attack or group. It was wondering if I had spent my limited resources (people, money, and tools) in the right places. The worst question you can be asked to answer as a CISO is “How could this happen? What did you do with all that money I gave you?” Knowing where your greatest exposures are and will likely be allows you to spend money fixing what is most likely to bite you. Dan Geer’s comment that “The bad guys only have to find one hole they can exploit. You (the CISO) have to find and fix all of them” is even more true today. But trying to find and fix everything is not a sustainable operating model and it certainly isn’t cost effective. You need to focus on the things most likely to do you harm so you can allocate your limited resources effectively. You can’t do that without insight into what the threat picture looks like—what is coming, who and what is being targeted, etc. But you can leverage a collaborative incident exchange to know what to look for and to know what to do once you find it. Collaborating on intelligence (and solutions) can make your team far more effective than they can be working alone [3].

I still hear some CISOs saying “It’s only a matter of time until you are breached. The best you can do is be prepared to respond effectively when something bad occurs.” I totally agree and disagree with that statement. You absolutely must have the ability to respond effectively when an incident occurs. Responding effectively means being able to recognize an attack early enough so you can stop it before significant damage occurs [4]. You need intel about what is happening today to do that. Not what happened last week. I disagree with the statement because it is effectively giving up and ceding the advantage to the adversary. That is a losing proposition. The situation will only get worse as time goes on. We cannot, should not, and must not surrender to the bad guys. We can and must take back the advantage. To prevail we need threat intelligence exchange providing actionable and contextual intelligence.

How?
You can easily be overwhelmed by external intelligence that is not germane to you. Use a system that allows for the easy consumption of data surfaced by your SIEMs and ticketing systems. It is best to correlate your own data first before rolling in additional threat reporting. Correlate this data with external data streams that provide the greatest value to your operators. Ensure your system can handle both structured (Structured Threat Information Expression [STIX]) and unstructured data. Multiple input formats must be supported to allow effective collaboration and exchange. That is the only way to get a clear picture of your own data as well as what is going on around you, based on proprietary threat feeds or data feeds exchanged by other companies.

You should control what is submitted so you can be comfortable that it is truly shared without attribution and you are not relying on a third party to redact materials for you. Ensure your system allows you to easily redact and exchange data with others without attribution. A system that allows you to understand what sector is reporting an incident is important as it gives you an indication of the risk that the attack could be directed at you. The system should allow the ability to exchange data with multiple parties with different levels of detail. For example, you might want to share more data with some trusted parties in a private exchange and share a more sanitized version with a wider community. Ideally, the system should allow you to preview how your event data correlates with others before you share. This means that correlation must be fast and effective. The system should allow access to the substance behind correlated IOCs (indicators of compromise). Select a system that allows you to fold in your supply chain. Many attacks against larger enterprises percolate up from small and medium-size businesses [5]. Finally, you need to be able to collaborate in real time with other parties through tools such as instant chat. An active exchange of events will prompt questions and a desire for more specific conversations between operators.

Dave Cullinane, ISSA International President 2002-2006
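The exchange workflow described in this section, as an added example that is not the author’s or any vendor’s code: internal SIEM/ticket events are correlated against a structured STIX-style feed and an unstructured operator note, previewed, and then packaged at two detail levels with hostnames pseudonymised by a keyed hash so nothing attributable leaves. The events, both feeds, the custom x_sector property and the key are constructed for the example; the STIX handling covers only single equality patterns.

```python
"""Added example: minimal cyber incident exchange step. Ingest a STIX-style
feed and a free-text note, correlate with internal events, then build
sharing packages with attribution removed. All data is constructed."""
import hashlib
import hmac
import json
import re

# Constructed internal events as a SIEM or ticketing system might surface them.
# Hostnames, the org domain and ticket ids are attribution and must not leave.
INTERNAL_EVENTS = [
    {"ticket": "INC-1042", "host": "payroll-db01.corp.example",
     "sector": "finance", "indicator": "bad-update.example.net", "type": "domain"},
    {"ticket": "INC-1043", "host": "web-edge-03.corp.example",
     "sector": "finance", "indicator": "a" * 64, "type": "sha256"},
    {"ticket": "INC-1044", "host": "vpn-gw.corp.example",
     "sector": "finance", "indicator": "203.0.113.7", "type": "ipv4"},
]

# Constructed structured feed: STIX 2 indicator objects. x_sector is a custom
# property carrying the reporting sector (an assumption of this example).
STIX_FEED = json.dumps({"objects": [
    {"type": "indicator", "x_sector": "retail",
     "pattern": "[domain-name:value = 'bad-update.example.net']"},
    {"type": "indicator", "x_sector": "healthcare",
     "pattern": "[ipv4-addr:value = '198.51.100.9']"},
]})

# Constructed unstructured feed: a free-text note from another operator.
TEXT_FEED = ("Seen at a healthcare org last night: dropper sha256 " + "a" * 64 +
             " contacting 203.0.113.7 over 443.")

IOC_PATTERNS = {  # order matters: hashes and IPs before the looser domain match
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}
STIX_TYPE_MAP = {"domain-name:value": "domain", "ipv4-addr:value": "ipv4",
                 "file:hashes.'SHA-256'": "sha256"}
STIX_EQ = re.compile(r"\[\s*([\w:.'-]+)\s*=\s*'([^']+)'\s*\]")


def parse_stix(blob):
    """Return (indicator, type, sector) tuples from simple STIX equality patterns."""
    out = []
    for obj in json.loads(blob).get("objects", []):
        m = STIX_EQ.match(obj.get("pattern", ""))
        if obj.get("type") == "indicator" and m and m.group(1) in STIX_TYPE_MAP:
            out.append((m.group(2), STIX_TYPE_MAP[m.group(1)],
                        obj.get("x_sector", "unknown")))
    return out


def parse_text(note, sector):
    """Pull indicators out of free text; the reporting sector comes from the caller."""
    out, seen = [], set()
    for ioc_type in ("sha256", "ipv4", "domain"):
        for val in IOC_PATTERNS[ioc_type].findall(note):
            if val not in seen:
                seen.add(val)
                out.append((val.lower(), ioc_type, sector))
    return out


def correlate(events, external):
    """Match internal events against external entries; report which sectors saw each."""
    index = {}
    for val, ioc_type, sector in external:
        index.setdefault((val, ioc_type), set()).add(sector)
    hits = []
    for ev in events:
        sectors = index.get((ev["indicator"], ev["type"]))
        if sectors:
            hits.append({"ticket": ev["ticket"], "indicator": ev["indicator"],
                         "seen_in_sectors": sorted(sectors)})
    return hits


def pseudonym(value, key):
    """Keyed hash: stable across our own submissions, reversible only by the key holder."""
    return "asset-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def package(events, key, tier):
    """'trusted' keeps sector and a pseudonymised asset; 'community' keeps indicator and type only."""
    out = []
    for ev in events:
        rec = {"indicator": ev["indicator"], "type": ev["type"]}
        if tier == "trusted":
            rec["sector"] = ev["sector"]
            rec["asset"] = pseudonym(ev["host"], key)
        out.append(rec)
    # Final guard before anything leaves: no raw hostname or ticket id in the payload.
    payload = json.dumps(out)
    leaked = [ev[k] for ev in events for k in ("host", "ticket") if ev[k] in payload]
    if leaked:
        raise ValueError("attribution would leak: %s" % leaked)
    return out


if __name__ == "__main__":
    feed = parse_stix(STIX_FEED) + parse_text(TEXT_FEED, "healthcare")
    for hit in correlate(INTERNAL_EVENTS, feed):  # preview correlation before sharing
        print(hit)
    print(json.dumps(package(INTERNAL_EVENTS, b"constructed-org-key", "trusted"), indent=1))
```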

How much should I pay?
There is a great deal of concern these days about security becoming a black hole relative to expenditures [6]. Will the next product/service I purchase return value commensurate with what it is costing me, or will it simply add to the complexity of the protection environment I already have in place? The concern is valid. Our budgets will always be limited. That is a simple fact of life. As you will see in figure 1, cyber attacks are increasing, security spend is increasing, and the cost to your company of a successful attack is increasing. At the same time the cost for the adversary to attack us is dropping dramatically.

The cost of threat intelligence can be significant. The cost of the cyber incident exchange I’ve described above is not [7]. And it can dramatically raise the cost of executing a successful attack for the adversary. We truly can change the balance of power and give it back to the good guys. We must—or the cycle you see depicted in figure 1 will only get worse.

Warren Buffett said earlier this year that cybersecurity is the greatest challenge to mankind today [8]. An attitude of going it alone is doomed to fail. The ability to quickly and anonymously exchange incident data and collaborate effectively is critical to adequately protect your company/organization today and meet your responsibility to exercise due care in the protection of the entity’s assets. We need to be able to quickly and effectively exchange actionable intelligence.

Figure 1 – The shifting cyber battlefield [source TruSTAR]




My perspectives on threat intelligence?
It is critical to protecting your company/organization today. It will be even more so tomorrow. We can and must break down barriers to incident intelligence exchange and collaboration. Provable anonymity is critical to removing legal concerns. We need to break down the stove pipes and other obstacles and make it happen.

Intelligence can be incredibly expensive. It need not be. Exchanging incident intelligence with others within and across sectors will enable you to know what is coming and what to do about it in time to prevent bad things from happening. Security is a risk management function. Our job is to reduce security risk to the company. If I invest $200K and stop five attacks from being successful at $4M each, I have effectively prevented $20M in damage through my expenditure. The risk reduction ROI is $100 for every dollar invested. (Your CFO will likely be happy with $10 in risk reduction for every dollar spent.) Are they soft numbers? Sure they are. But the CFO approves business and marketing initiatives all day long that are no more specific. And with the information from the incident exchange you can specifically show him or her the attacks you stopped from impacting the company.

It is time to start working together to give the advantage back to the good guys and impact the ability of the adversary to monetize its attacks. It will lead to a far better tomorrow.

References
1. “2017 Data Breach Investigations Report 10th Edition,” Verizon, April 27, 2017 – https://www.ictsecuritymagazine.com/wp-content/uploads/2017-Data-Breach-Investigations-Report.pdf.

2. “Flipping the Economics of Attacks,” Ponemon & Palo Alto Networks, January, 2016 – https://www.paloaltonetworks.com/content/dam/creative-assets/campaigns/corporate/ponemon-report/web-assets/PAN_Ponemon_Report.pdf.

3. Chris Johnson, et al., “NIST Special Publication 800-150 Guide to Cyber Threat Information Sharing,” NIST, October 2016 – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf.

4. Dan Chenok and John Lainhart, “The Key to Cost-Effective Cybersecurity,” FCW, March 27, 2014 – https://fcw.com/articles/2014/03/27/the-key-to-cost-effective-cybersecurity.aspx.

5. Constance Gustke, “Warning: A Wave of New Viruses Is Targeting Small Businesses,” CNBC, June 28, 2016 – http://www.cnbc.com/2016/06/27/warning-a-wave-of-new-viruses-is-targeting-small-businesses.html.

6. Jonathan Vanian, “Here’s How Much Businesses Worldwide Will Spend on Cybersecurity by 2020,” Fortune, October 12, 2016 – http://fortune.com/2016/10/12/cybersecurity-global-spending/.

7. “Cloud CISC: Cyber Incident Exchange and Collaboration,” TruSTAR Technology, February 2016.

8. Jake Olcott, “Warren Buffett’s Cybersecurity Wake-Up Call — Are We Listening?” The Hill, May 11, 2017 – http://thehill.com/blogs/pundits-blog/technology/333026-warren-buffetts-cybersecurity-wake-up-call-are-we-listening.

About the Author
Dave Cullinane served for 5+ years as the CISO and VP of Global Fraud, Risk, and Security for eBay. Prior to joining eBay, Dave was the CISO for the sixth largest bank in the United States and the largest thrift in the world. He has more than 40 years of professional security experience and may be reached at [email protected].


The ISSA Journal on the Go! Have you explored the versions for phones and tablets?
Go to the Journal home page and choose “ePub” or “Mobi.”

Mobile Device ePubs
• ePubs are scalable to any size device: iPad/tablet provide an excellent user experience
• You’ll need an ePub reader such as iBooks for iOS devices
NOTE: choose ePub for Android & iOS; Mobi for Kindles

Take them with you and read anywhere, anytime…



Cryptographic Architectures: Missing in Action


By Jeff Stapleton – ISSA member, St. Louis Chapter

Documenting network topology, information technology, and system architectures is a common development practice. However, cryptographic architectures are often ignored due to lack of knowledge or overlooked to avoid complexities. This article discusses the critical importance of identifying and understanding the cryptographic architectures.

Every development project has various disciplines interwoven to achieve its goals. Project managers strive to keep schedules on target and within budget. Business analysts help define requirements and work with software developers to test solutions. Network engineers design and implement the hardware and relevant operating systems. Administrators install and maintain the associated software and configuration files. Information security professionals assist the project teams with ensuring compliance to the organization’s and appropriate industry standards, reviewing security controls, and assessing the associated risks with fraud managers and business analysts. But cryptography and key management, a critical aspect, is often overlooked.

Regardless of the development methodologies used within the project, there are typical artifacts generated by the various teams. Network topology, information technology, and system architecture documents are common project artifacts. For example, figure 1 illustrates a possible application architecture. While some network architects might call this “a cartoon” versus a more technical network diagram, nonetheless it provides an overview for team discussion purposes. The idea for this type of diagram is to avoid what some might call “getting lost in the weeds” and yet give a synopsis of the application flows, data storage, and user communities. For this scenario, users access an online application via a webserver, which is connected to a database server managed by a file server with system-wide administrative access via an admin server.

Application architectures
Figure 1 shows a logical information flow from left to right. Customers interface to an online webserver using a computer or mobile browser, or a mobile app. From a business perspective the web service is presumed to be agnostic with regards to the user experience; however, the information and protocols between the various client endpoints are often optimized and customized. Web and mobile browsers need formatting information (e.g., colors, fonts, images) in addition to the actual displayed data, while mobile apps are preformatted and only need the display data. An information security professional needs to keep those types of technology facts in mind when discussing these information flows. Mobile apps can be embedded with specific security credentials (e.g., cryptographic keys, digital certificates) and store other credentials (e.g., passwords) within a secure element. Conversely, browsers can only rely on generic digital certificates and must download specific credentials or have users enter passwords. The webserver and user endpoints represent the application front-end process.

Figure 1 also depicts back-end processing consisting of the database server and the file server. The webserver interfaces to the database server. Client requests are received from the endpoints to the webserver, submitted to the database server by the webserver, information is returned from the database server to the webserver, and responses sent to the clients by the webserver. Further, data updates and configuration parameters are sent to the database server from the file server. All of the front-end and back-end servers are managed by various administrators. Servers often authenticate themselves to each other and sometimes communicate using security protocols such as Secure Socket Layer¹ (SSL), Transport Layer Security² (TLS), or Internet Protocol Security³ (IPsec).

Figure 1 further shows administrative (admin) processing consisting of the admin server and admin workstation. The admin server communicates to the web, database, and file servers. The various application, database, and system administrators use the admin workstation. Administrators

[1] RFC 6101, The Secure Sockets Layer (SSL) Protocol Version 3.0, August 2011 – https://www.rfc-editor.org/info/rfc6101.

[2] RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2, August 2008 – https://www.rfc-editor.org/info/rfc5246.

[3] RFC 4301, Security Architecture for the Internet Protocol, December 2005 – https://www.rfc-editor.org/info/rfc4301.

often authenticate to servers using Secure Shell (SSH) [4] with passwords or digital signatures. Notably, the diagram shows only a single client endpoint of each type, a single server of each type, and a single admin workstation. However, an information security professional needs to keep in mind that the actual implementation would include multiple servers, likely deployed in multiple data centers, as well as multiple endpoint types and multiple admin workstations.

While the application architecture shown in figure 1 might be a simplistic overview, it does give an information security professional a basis for assessing risks. For example, the front-end security controls might include mutual authentication between the clients and the webserver. The browsers (or the mobile app) must be able to accept the webserver certificate by sharing a common public key infrastructure (PKI) [5]. Likewise, the webserver must be able to accept the client certificates by sharing a common PKI. However, the two PKIs might not be the same, in which case each PKI has a different trust anchor, also called a root certificate authority (CA). Likely, the webserver would use a publicly trusted PKI to enable as many browsers as possible to accept its certificate. Conversely, the webserver might use a private PKI for the mobile app, since the mobile app is specific to the webserver. Similarly, the mobile app might use the same private PKI so that the webserver accepts its client certificate. Browsers, however, might use a public PKI or a private PKI depending on the application's business requirements.

As another example, the back-end controls might address network security between the webserver and the other servers, access controls for the database and file servers, and database encryption. Basically, the security controls for confidentiality, authentication, and integrity [6] need to be considered. Secure connections such as TLS or IPsec between the various servers would likely use a private PKI but could employ a public PKI. However, servers running on an internal network behind firewalls and a demilitarized zone (DMZ) would have problems accessing a certificate revocation list (CRL) [7] or an Online Certificate Status Protocol (OCSP) [8] responder on the Internet, and a certificate whose status cannot be checked is one whose revocation cannot be enforced. Database encryption is a relatively new technology for which no industry standards yet exist; the available solutions are vendor proprietary. Further, the admin security controls should cover separation of duties, administrator multi-factor authentication, authorization, and network security including SSH asymmetric keys. To address these issues, the information security professional needs the more detailed network architecture shown in figure 2.

Figure 1 – Application architecture

[4] RFC 4252, The Secure Shell (SSH) Authentication Protocol, January 2006 – https://www.rfc-editor.org/info/rfc4252.

[5] J. J. Stapleton and W. Clay Epstein, Security without Obscurity: A Guide to PKI Operations, CRC Press, Taylor & Francis Group, ISBN 9781498707473, CAT# K24892, February 2016.

[6] J. J. Stapleton, Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity, CRC Press, Taylor & Francis Group, ISBN 9781466592148, CAT# K20548, May 2014.

[7] RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, May 2008 – https://www.rfc-editor.org/info/rfc5280.

[8] RFC 6960, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP, June 2013 – https://www.rfc-editor.org/info/rfc6960.

Network architectures

Figure 2 shows two Internet service providers (ISP1 and ISP2) connecting to a network deployed in two data centers (data center A and data center B) with multiple layers. Both data centers have an external router, which allows each ISP to cross-connect to the other. The first and second firewalls form a DMZ, which protects the internal network from external connections. Another router within the DMZ routes network traffic to the web service but is also connected to a switch that replicates the network traffic to a monitoring server. Note that the monitoring servers were not included in the application architecture. It is a common situation that one team or another is unaware of the overall design, so that some information is lacking in the documentation. This knowledge gap is demonstrated by the presence of the switch acting as a data tap for the monitoring servers.

Figure 2 also depicts the internal network consisting of the database and file servers, duplicated in both data centers. The internal networks have another cross-connection allowing the database servers and the file servers to synchronize information. Note that data center A also shows an admin server behind an internal firewall. This type of network architecture is often called a secure zone; it is essentially a means to isolate a critical system such as the admin server. However, also note that the admin workstation connects to the internal network and so must reach the admin server through the internal firewall. This is another example of a knowledge gap that is undocumented in the application architecture.

While the network architecture shown in figure 2 provides a more realistic viewpoint, it also offers an information security professional more information for further assessing risks. For example, the network traffic on the webservers is transitory, but the monitoring servers represent a previously unknown permanent data store that retains copies of the network traffic. The current design shows the monitor server deployed in the DMZ and not on the internal network. Essentially, the complete history of the webserver traffic is one firewall away from the Internet. Further, in order for the monitor server to access the encrypted webserver traffic, the webserver TLS keys are duplicated on the monitor server so that the key negotiation can be replicated and the session keys determined. Given this, the security professional might consider running the monitor server inside the DMZ an unacceptable risk.

Conversely, the security professional would consider the admin server running in its own secure zone behind an internal firewall an acceptable, lower risk. However, based on the network diagram the security professional has no information about admin access, separation of duties, approval procedures, or other management processes. Further, the network diagram does not provide any information about cryptography or key management, so a cryptographic architecture is needed. The cryptographic architecture might take the form of cryptography and key management information added to the existing application or network diagrams, or of a new diagram developed specifically for the cryptographic architecture.

Figure 2 – Network architecture

Cryptographic architectures

Figure 3 is a duplicate of the application architecture from figure 1 with cryptographic information added to the diagram. The web browsers, mobile app, webserver, and database server are shown with a digital certificate and a private key. The certificates are used with the TLS protocol to establish session keys between the communicating parties. Thus the web browser, the mobile browser, or the mobile app can establish a TLS connection to the webserver. Similarly, the webserver can establish a TLS connection to the database server, and the admin server can establish a TLS connection to the various admin workstations. Further, each admin workstation has an SSH private key used for digital-signature authentication, and the webservers, database servers, and file servers hold the corresponding SSH public key to verify the signature. Also shown is a database encryption key. Thus, reusing the application architecture helps document some of the keys, but it does not provide network architecture or cryptographic protocol information.

Figure 4 is a duplicate of the network architecture from figure 2 with cryptographic information added to the diagram. The various TLS certificates and private keys are shown for the webservers, the monitoring servers, the database servers, the admin server, and the admin workstations. The SSH public keys are shown on the webservers, the monitoring servers, the database servers, and the file servers, with the corresponding SSH private keys on the admin workstations. The IPsec private/public key pairs are also shown on the external routers for the cross-connections between the two ISPs. However, what is not shown is the database encryption keys, since they are not part of the network topology, and the TLS client

certificates, since the browsers and mobile devices are not included in the network diagram. Thus, reusing the network architecture helps document some of the keys, but it does not provide application architecture or cryptographic protocol information.

Figure 3 – Application with crypto architecture

Figure 4 – Network with crypto architecture

Figure 5 is the cryptographic architecture: a separate diagram that borrows the relevant data from the application and network architectures and provides the cryptographic information, including the various cryptographic protocols (IPsec, HTTPS, TLS, SSH), the PKI, and the database encryption. Database encryption solutions often hold a database encryption key in memory but attempt to avoid storing the cleartext key, using a variety of obfuscation and key management methods including cryptographic hardware security modules (HSM) [9]. However, many implementations rely on a password-based key derivation function (PBKDF) [10] or misuse encrypted data as a cryptographic key. Thus, the security professional needs to assess the database encryption key management [11] methodology: where the key is generated, how it is protected when the database is offline, which key encrypts it, and who can retrieve it.

Figure 5 shows Hypertext Transfer Protocol Secure (HTTPS) between public devices and the webserver. Thus the webserver has an asymmetric key pair consisting of a private key and a public key certificate. Because any public device can connect to the webserver, mutual authentication is not a realistic option, as the device might not have a Transport Layer Security (TLS) certificate that the server can trust. Further, the webserver needs to present a TLS certificate that the public device can trust. Therefore, the webserver might get its TLS certificate from a publicly trusted certification authority (CA), whose CA certificates the public device will already have installed. Alternatively, the webserver might use a TLS certificate issued by a private CA, whose CA certificates would then need to be installed on each of the public devices. Thus, the information security professional needs to assess the design of the public key infrastructure (PKI) [12] for the webserver.

Figure 5 also shows an Internet Protocol Security (IPsec) connection between the external routers. As discussed for figure 2, this allows a cross-connection between the two data centers. IPsec allows the routers to authenticate each other and then protects the traffic between them inside an encrypted tunnel. IPsec requires that both routers have asymmetric keys consisting of a private key and a public key, but depending on the key management scheme used, a digital certificate might not be employed: IKE peers can authenticate with certificates, with public keys exchanged out of band, or with pre-shared secrets. The information security professional needs to understand the key management method supported by the routers.

Figure 5 shows the webserver keys duplicated on the monitoring server. As discussed for figure 2, the switch in the DMZ duplicates the network traffic. Because the monitor server shares the same TLS keys, it can recompute the same TLS session keys and decrypt the traffic. This works only for cipher suites that use RSA key transport, where the session keys are derived from a premaster secret the client encrypted under the webserver's public key; with ephemeral Diffie-Hellman suites (and with TLS 1.3, which removed RSA key transport altogether) a copy of the private key recovers nothing from captured traffic. The monitoring design therefore constrains which cipher suites the webserver may negotiate, and that constraint belongs in the cryptographic architecture. The monitoring servers can then data mine the network traffic for customer interactions, response times, and clicks.
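The dependence on the cipher suite can be shown with a small simulation. The following is an added example, not code from the article: a toy TLS-style handshake with both sides' messages in two modes, plus a passive monitor that holds a copy of the server's long-term private key, as the monitoring server in figure 5 does. The RSA and Diffie-Hellman parameters are toy sizes chosen for readability (two Mersenne primes and an HMAC stand-in for the TLS PRF) and are assumptions of this example, not anything the article specifies.

```python
"""Why copying the webserver's TLS private key to a passive monitor only sometimes works.

Constructed simulation (added example, not from the article). In "rsa" mode the client sends
the premaster secret encrypted under the server's long-term RSA key, so whoever holds a copy
of that key recovers the session key from captured traffic. In "dhe" mode the long-term key
only signs the server's ephemeral Diffie-Hellman value; the premaster secret is g^(ab) and
neither exponent ever crosses the wire, so the copied key yields nothing.
All parameters are toy sizes for readability, not security.
"""
import hashlib
import hmac
import secrets

# Toy long-term RSA key for the webserver (two Mersenne primes; far too small for real use).
RSA_P = (1 << 127) - 1
RSA_Q = (1 << 89) - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # the key that gets copied to the monitor

# Toy finite-field Diffie-Hellman group (prime modulus, generator 3) for the "dhe" mode.
DH_P = (1 << 127) - 1
DH_G = 3
PMS_LEN = 24  # premaster secret length in bytes; 192 bits < RSA_N, so textbook RSA fits


def derive_master(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS PRF: master secret = HMAC(premaster, client_random || server_random)."""
    return hmac.new(premaster, client_random + server_random, hashlib.sha256).digest()


def toy_sign(message: bytes) -> int:
    """Textbook RSA signature over a hash (no padding; toy only)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N
    return pow(digest, RSA_D, RSA_N)


def toy_verify(message: bytes, signature: int) -> bool:
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N
    return pow(signature, RSA_E, RSA_N) == digest


def handshake(mode: str):
    """Run one handshake. Returns (wire transcript, client master secret, server master secret)."""
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    transcript = {"mode": mode, "client_random": client_random, "server_random": server_random}
    if mode == "rsa":
        pms = secrets.token_bytes(PMS_LEN)
        # ClientKeyExchange: premaster encrypted under the server's long-term public key.
        transcript["client_key_exchange"] = pow(int.from_bytes(pms, "big"), RSA_E, RSA_N)
        server_pms = pow(transcript["client_key_exchange"], RSA_D, RSA_N).to_bytes(PMS_LEN, "big")
        return (transcript,
                derive_master(pms, client_random, server_random),
                derive_master(server_pms, client_random, server_random))
    if mode == "dhe":
        a = secrets.randbelow(DH_P - 2) + 1  # client ephemeral exponent, never sent
        b = secrets.randbelow(DH_P - 2) + 1  # server ephemeral exponent, never sent
        server_public = pow(DH_G, b, DH_P)
        client_public = pow(DH_G, a, DH_P)
        # ServerKeyExchange: the long-term key only authenticates the ephemeral value.
        transcript["server_dh_public"] = server_public
        transcript["server_signature"] = toy_sign(server_public.to_bytes(16, "big") + server_random)
        transcript["client_dh_public"] = client_public
        client_pms = pow(server_public, a, DH_P).to_bytes(16, "big")
        server_pms = pow(client_public, b, DH_P).to_bytes(16, "big")
        return (transcript,
                derive_master(client_pms, client_random, server_random),
                derive_master(server_pms, client_random, server_random))
    raise ValueError(f"unknown mode {mode!r}")


def monitor_recover_master(transcript: dict, copied_private_key: int):
    """What a passive monitor holding a copy of the server's private key gets from the capture.

    Returns the master secret when it can be recomputed from the wire data, otherwise None."""
    cr, sr = transcript["client_random"], transcript["server_random"]
    if transcript["mode"] == "rsa":
        # Exactly the server's computation: decrypt the premaster, rerun the derivation.
        pms = pow(transcript["client_key_exchange"], copied_private_key, RSA_N).to_bytes(PMS_LEN, "big")
        return derive_master(pms, cr, sr)
    # DHE: the copied key lets the monitor check (or even forge) the server's signature ...
    signed = transcript["server_dh_public"].to_bytes(16, "big") + sr
    if not toy_verify(signed, transcript["server_signature"]):
        raise ValueError("captured ServerKeyExchange does not verify")
    # ... but g^a and g^b on the wire do not give g^(ab) without a or b, and neither
    # exponent is stored anywhere, least of all in the long-term key.
    return None


if __name__ == "__main__":
    for mode in ("rsa", "dhe"):
        wire, client_ms, server_ms = handshake(mode)
        assert client_ms == server_ms
        print(f"{mode}: monitor recovers session key = {monitor_recover_master(wire, RSA_D) == client_ms}")
```

The point for the architecture document is not the toy arithmetic but the dependency it exposes: a monitor that works by holding the webserver's private key is silently coupled to the webserver's cipher-suite policy, and that coupling has to be written down next to the key copy.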

As further discussed for figure 2, the monitoring server retains copies of the network traffic. Thus, in addition to holding copies of the webserver keys, the monitoring server also has its own data encryption key. The information security professional needs to determine the data encryption and the key storage methods.

Figure 5 shows TLS between the webserver and the database server. Since this is an internal connection, mutual authentication is possible. The webserver might reuse its TLS certificate issued by the public CA, and the database server can use a TLS certificate issued by the organization's private CA. However, the database server might not be able to validate the status of the webserver's certificate, because it might not be able to reach the public CA's certificate revocation list (CRL) or its Online Certificate Status Protocol (OCSP) responder. Alternatively, the webserver might have another TLS key pair whose certificate is issued by the private CA. The information security professional needs to assess the design of the public key infrastructure (PKI) for the webserver and the database server. Further, the information security professional needs to note that no TLS connection is shown between the database server and the file server.

Figure 5 shows TLS between the admin server and the admin workstation. Again, since this is another internal connection, mutual authentication is possible. Further, since both machines reside within the internal network, both can use TLS certificates issued by the private CA, whose CRL or OCSP responder is accessible to them. Again, the information security professional needs to assess the design of the PKI for the admin server and the admin workstations.

Figure 5 shows Secure Shell (SSH) connections between the admin server and the web, database, and file servers. The admin server has an SSH key pair whose public key is stored on the web, database, and file servers for authentication. Administrators log onto the admin workstations, which establish a TLS connection to the admin server, and the admin server then connects via SSH to the appropriate server for management and maintenance purposes. The information security professional needs to assess the design of the SSH key management scheme; with a single admin-server key pair, every SSH session on the managed servers authenticates as the same identity, so individual accountability has to come from the workstation-to-admin-server leg and its logs.

Another aspect the information security professional needs to consider is where the various TLS tunnels terminate. The IPsec tunnel endpoints terminate at the routers, so no decrypted information is exposed outside the routers. However, the TLS tunnel endpoints might not terminate at the actual servers. For example, the HTTPS connection might terminate at the external DMZ firewall shown in figure 2 and not at the actual webserver. If this were the case, then the network traffic would be unencrypted (cleartext) between the external firewall and the webserver within the DMZ. Likewise, the TLS tunnel between the webserver and the database server might terminate at the internal DMZ firewall, in which case the network traffic would be cleartext across the internal network. Similarly, the TLS tunnel between the admin workstation and the admin server might terminate at the secure zone firewall. For each of these scenarios the information security professional needs to understand the cryptographic architecture.

Figure 5 – Cryptographic architecture

[9] Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, May 2001 – http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf.

[10] RFC 2898, PKCS #5: Password-Based Cryptography Specification Version 2.0, September 2000 – https://www.rfc-editor.org/info/rfc2898.

[11] X9.73 Cryptographic Message Syntax – ASN.1 and XML, 2017 – http://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.73-2010+(R2017).

[12] ISO 21188, Public Key Infrastructure for Financial Services – Practices and Policy Framework, 2006 – https://www.iso.org/obp/ui/#iso:std:iso:21188:ed-1:v1:en.

Conclusion

In summary, any development project produces artifacts such as an application architecture and a network architecture, but all too often the cryptographic architecture is overlooked. In the example architectures we considered several cryptographic protocols, including HTTPS, TLS, IPsec, and SSH, together with their symmetric keys, asymmetric keys, and digital certificates. Modern architectures have evolved with cryptography almost everywhere. Consequently, information security professionals need to treat the cryptographic architecture as a critical, required artifact.

About the Author

Jeff Stapleton, an ISSA and (ISC)2 member, has been involved in the development of ANSI and ISO standards for over 20 years, has chaired the X9F4 standards workgroup for over 15 years, and is the author of the Security without Obscurity book series. He can be contacted via [email protected] or LinkedIn.
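The questions the article puts to the reviewer (where does each tunnel really end, which private keys exist in more than one place, who must validate a certificate whose CRL or OCSP responder they cannot reach, which long-term secrets sit in the DMZ) can be answered mechanically once the cryptographic architecture exists as data rather than only as a drawing. The following is an added example, not material from the article: the host names, zones, links and key locations are constructed assumptions modelled loosely on figures 2 and 5, and the checks are the author's own reading of the article's review points.

```python
"""A cryptographic architecture as data, with the checks the article asks the reviewer to make.

Constructed example (added here; not the article's own material). Hosts, zones, links and key
locations below are assumptions modelled loosely on figures 2 and 5 of the article.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    zone: str               # internet | edge | dmz | internal | secure
    internet_egress: bool   # can this host reach a public CA's CRL/OCSP endpoint?


@dataclass(frozen=True)
class Link:
    src: str                                  # initiating side
    dst: str                                  # responding side
    protocol: Optional[str]                   # https | tls | ssh | ipsec | None (cleartext)
    server_cert_issuer: Optional[str] = None  # CA behind dst's certificate, validated by src
    client_cert_issuer: Optional[str] = None  # CA behind src's certificate, validated by dst
    terminates_at: Optional[str] = None       # device where the tunnel really ends, if not dst


class CryptoArchitecture:
    def __init__(self, hosts, links, key_locations):
        self.hosts = {h.name: h for h in hosts}
        self.links = links
        self.key_locations = key_locations  # key id -> set of hosts holding a copy

    def cleartext_segments(self):
        """Hops carrying application data in the clear: unprotected links plus the tail of any
        tunnel that terminates before its destination (e.g. HTTPS ending at the DMZ firewall)."""
        segments = []
        for link in self.links:
            if link.protocol is None:
                segments.append((link.src, link.dst))
            elif link.terminates_at and link.terminates_at != link.dst:
                segments.append((link.terminates_at, link.dst))
        return segments

    def duplicated_private_keys(self):
        """Private keys present on more than one host, such as a server key copied to a monitor."""
        return sorted(key for key, hosts in self.key_locations.items()
                      if key.endswith("-private") and len(hosts) > 1)

    def unreachable_revocation(self):
        """(validator, subject) pairs where the validator must check a public-CA certificate
        but has no path to that CA's CRL or OCSP responder."""
        findings = []
        for link in self.links:
            if link.server_cert_issuer == "public-ca" and not self.hosts[link.src].internet_egress:
                findings.append((link.src, link.dst))
            if link.client_cert_issuer == "public-ca" and not self.hosts[link.dst].internet_egress:
                findings.append((link.dst, link.src))
        return findings

    def secrets_in_zone(self, zone):
        """Long-term secrets (private keys and data-encryption keys) held on hosts in a zone."""
        return sorted((key, host) for key, hosts in self.key_locations.items() for host in hosts
                      if self.hosts[host].zone == zone
                      and (key.endswith("-private") or key.endswith("-dek")))


def example_architecture() -> CryptoArchitecture:
    """Constructed data: one data centre's worth of figure 5, with the problems the article raises."""
    hosts = [
        Host("browser", "internet", True), Host("router-a", "edge", True), Host("router-b", "edge", True),
        Host("external-firewall", "dmz", True), Host("webserver", "dmz", True), Host("monitor", "dmz", False),
        Host("database", "internal", False), Host("fileserver", "internal", False),
        Host("admin-workstation", "internal", False),
        Host("secure-zone-firewall", "secure", False), Host("admin-server", "secure", False),
    ]
    links = [
        # HTTPS from the public, but the tunnel ends on the external firewall, not the webserver
        Link("browser", "webserver", "https", server_cert_issuer="public-ca", terminates_at="external-firewall"),
        # mutual TLS; the webserver reuses its public-CA certificate as its client certificate
        Link("webserver", "database", "tls", server_cert_issuer="private-ca", client_cert_issuer="public-ca"),
        Link("database", "fileserver", None),  # no protection drawn on the diagram
        Link("admin-workstation", "admin-server", "tls", server_cert_issuer="private-ca",
             client_cert_issuer="private-ca", terminates_at="secure-zone-firewall"),
        Link("admin-server", "webserver", "ssh"), Link("admin-server", "database", "ssh"),
        Link("admin-server", "fileserver", "ssh"), Link("router-a", "router-b", "ipsec"),
    ]
    key_locations = {
        "webserver-tls-private": {"webserver", "monitor"},  # copied so the monitor can decrypt
        "database-tls-private": {"database"},
        "admin-server-ssh-private": {"admin-server"},
        "admin-server-ssh-public": {"webserver", "database", "fileserver"},
        "router-a-ipsec-private": {"router-a"}, "router-b-ipsec-private": {"router-b"},
        "database-dek": {"database"}, "monitor-dek": {"monitor"},
    }
    return CryptoArchitecture(hosts, links, key_locations)


def review(arch: CryptoArchitecture) -> dict:
    """The findings a reviewer would put in front of the project team."""
    return {
        "cleartext_segments": arch.cleartext_segments(),
        "duplicated_private_keys": arch.duplicated_private_keys(),
        "unreachable_revocation": arch.unreachable_revocation(),
        "secrets_in_dmz": arch.secrets_in_zone("dmz"),
    }


if __name__ == "__main__":
    for finding, items in review(example_architecture()).items():
        print(f"{finding}: {items}")
```

Each finding maps to a sentence in the article: the cleartext hops are the termination cases, the duplicated key is the monitor, the unreachable revocation check is the internal server that cannot reach the public CA, and the DMZ secrets are the traffic history and server key sitting one firewall from the Internet. Keeping the model next to the diagram means the next team that adds a switch or moves a firewall reruns the checks instead of rediscovering the gaps.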


Cyberwar and International Law

By Luther Martin – ISSA member, Silicon Valley Chapter, and Cheryl He

There is a lot of discussion of cyberwar these days, though much of it is not based on a careful understanding of what might reasonably be called "cyberwar." The authors look at what existing international law tells us about cyber attacks and at which recent cyber incidents might reasonably be considered serious enough to count as something more than annoying attacks by hackers.

Abstract

There is a lot of discussion of cyberwar these days. Much of this discussion has one thing in common: it is not based on a careful understanding of what might reasonably be called "cyberwar." Here, we look at what existing international law tells us about cyber attacks and at which recent cyber incidents might reasonably be considered serious enough to count as something more than annoying attacks by hackers. This point of view both explains the limited nature of the damage caused by most cyber attacks that have occurred to date and lets us speculate on what the future will bring.

Armed conflict is surprisingly common. The "Global Peace Index 2016" report [1] by the Institute for Economics & Peace suggests that only 10 of the 163 countries for which it collects data are not participating in some sort of conflict today. Peace is very uncommon. As more participants in today's conflicts develop the capability to attack the computer systems of their opponents, it seems likely that more conflicts will involve some type of cyber attack.

Many cyber attacks to date have targeted civilian infrastructure rather than government systems and have stayed below a threshold that we explain below, while the relatively low costs to their perpetrators have resulted in such attacks becoming increasingly common. Because any business may find itself the target of a cyber attack, they are a threat that CISOs should think about, and perhaps even plan for.

[1] "Global Peace Index 2016," Institute for Economics & Peace – http://visionofhumanity.org/app/uploads/2017/02/GPI-2016-Report_2.pdf.

The law of war

There may have been rules to warfare for as long as men have been fighting wars. Some of the world's oldest literature describes rules that warring parties should follow. In the Mahabharata (c. 1000 BC), Book 12, the "Book of Peace" [2], lists rules for warfare, some of which should still sound reasonable to us today. It limits what weapons are allowed in war: "There should be no arrows smeared in poison, nor any barbed arrows—these are the weapons of evil people." It has rules for treating the wounded: "One wounded should be given medical treatment in your realm; or he may even be sent to his own home." And it has rules for humane treatment of prisoners of war: "If [you have] captured a man who has discarded his sword, whose armor is broken to pieces, who pleads with his hands folded in supplication, saying, 'I am yours,' then [you] should not harm that man."

Today, the law of war comprises two bodies of law: one defines when the use of force is justified (jus ad bellum, Latin for "right to war"); the other governs how belligerents need to conduct themselves during a conflict (jus in bello, Latin for "right in war"). Here, we are not really interested in justifying the starting of cyber conflicts. That is not something that most corporate IT departments think about doing, so understanding the application of jus ad bellum to cyber conflicts is probably not important. But since it turns out to be easy for businesses

[2] Fitzgerald, James L., ed., The Mahabharata, Volume 7, University of Chicago Press, 2003.


to become involved in cyber conflicts, particularly as targets, understanding how jus in bello may apply is more interesting.

The jus in bello aspect of the law of war is currently defined by the four Geneva Conventions and the three additional Protocols [3] that were added after the last Convention was ratified. The Geneva Conventions were first ratified in 1864. They were updated in 1906, 1929, and finally in 1949. Since 1949, three additional Protocols have been ratified: two in 1977 and a third in 2005. Signatories of the Conventions and the additional Protocols agree to engage in warfare only within what the Conventions and the additional Protocols allow. If an opponent violates the rules of warfare, the injured party is allowed to conduct reprisals, but they must be proportionate to the injury received; the legal concept of lex talionis, retaliation in kind and therefore in proportion, governs any such reprisals. Note that limits on what actions are allowed to participants in a conflict do not have to be formal laws or treaties. In the Cold War, espionage was carried out within a set of guidelines that both sides informally agreed to and generally followed.

Treaties and the prisoners' dilemma

A situation called the "prisoners' dilemma" [4] may explain why this is true. A prisoners' dilemma [5] is a situation in which two or more parties would all benefit from cooperating, but each would individually benefit more from non-cooperation at the expense of the others. When this happens, we should expect all parties to choose not to cooperate with the others. An example of this is when two or more parties decide whether to obey a treaty or to cheat on it.

If all parties agree not to develop nuclear weapons, for example, then all parties are safer. But if one party cheats, it gains an advantage over the others who have not developed their own nuclear weapons. In this situation, we should expect all parties to cheat on a treaty that bans nuclear weapons or, perhaps even more likely, not to agree to such a treaty in the first place. Thus all parties need an incentive not to cheat in order for rules, either formal or informal, to be generally followed.

Cyber weapons may offer compelling advantages. They are generally relatively inexpensive to develop compared to the cost of conventional weapons like tanks, aircraft, submarines, or aircraft carriers. The US Government Accountability Office (GAO) estimates that the US government will spend over $54 billion on the F-35 Joint Strike Fighter program between the years 2015 and 2019 [6] and that the program will probably end up costing about $1.5 trillion over its complete life cycle (research, development, procurement, operation, maintenance, etc.) [7].

An investment of the same $54 billion over a five-year period in cyber weapon research is likely to result in weapons that are capable of both crippling the economies of many nations and rendering many modern weapon systems ineffective, something that even the very capable F-35 alone probably cannot do. And an investment of $1.5 trillion over a few decades might even produce cyber weapons that are closer to science fiction than to those that we see today. So the significant capabilities that they may provide at a relatively low cost may make cyber weapons seem compelling to both state and non-state actors.

It may be relatively easy to use such weapons against adversaries while still maintaining a plausible level of deniability due to the largely anonymous nature of the Internet. Cyber attacks can be far more humane than the alternatives. Crippling a country's banking infrastructure may cause a very high level of economic damage, but without the level of death and destruction that accompanies the use of conventional weapons.

Because of these advantages, the prisoners' dilemma may lead to the universal development of cyber weapons, perhaps even to a cyber arms race. Controlling these weapons will be problematic until both governments and non-government entities have a strong incentive to agree to limits on developing or using them. But it is also likely that the use of cyber weapons will be limited by the existing law of war, so indiscriminate and all-out cyberwar is probably unlikely.

[3] ICRC, "Geneva Conventions of 1949 and Additional Protocols, and their Commentaries," International Committee of the Red Cross – https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/vwTreaties1949.xsp.

[4] Avinash Dixit and Barry Nalebuff, "Prisoners' Dilemma," Library of Economics and Liberty – http://www.econlib.org/library/Enc/PrisonersDilemma.html.

[5] Tucker, Albert W., "The mathematics of Tucker: a sampler," The Two-Year College Mathematics Journal 14, no. 3 (1983): 228-232.

[6] GAO, "F-35 Joint Strike Fighter: Assessment Needed to Address Affordability Challenges," US Government Accountability Office – http://www.gao.gov/products/

The law of cyberwar

It may be useful to think of all conflicts as involving two types of operations: conventional and cyber. At one end of the spectrum we have operations that only use traditional forms of force, while at the other end are operations carried out purely through the use of computers. Conflicts can also exist somewhere between the two extremes, involving some conventional operations and some cyber operations. It is clear how the law of war limits acceptable behavior in purely conventional operations, but it turns out that the existing law of war also can be interpreted in a way that applies to cyber operations. The most notable discussion of this is contained in the Tallinn Manual.8

7 Joint Strike Fighter Program, “F-35 Lightning II Program Fact Sheet Selected Acquisition Report (SAR) 2015 Cost Data,” US Department of Defense – http://www.jsf.mil/news/docs/20160324_Fact-Sheet.pdf.

The Tallinn Manual was written between 2009 and 2012 by a group of subject matter experts in a project organized by the NATO Cooperative Cyber Defence Centre of Excellence (CDCoE), based in Tallinn, Estonia.9 The output of this project reflects the views of the contributors as to how well the existing law of war can be applied to cyberwar. The consensus of the experts was that the existing law of war can easily be interpreted in a way that applies to actions in cyberwar. Of particular interest is the way that the Tallinn Manual describes what qualifies as “armed attacks” in the cyber world. This is particularly relevant because the term “act of war” is a political term with no precise meaning, while the term “armed attack” has a clear legal definition. Treaties and similar agreements define what actions will be taken or can be taken in the event of an armed attack; they do not specify what actions can be taken in response to an act of war. In particular, the Tallinn Manual uses the effects of a cyber attack to judge whether or not it qualifies as an armed attack. Cyber attacks that cause effects that are similar to what kinetic weapons (guns, bombs, etc.) cause count as the equivalent of an armed attack. Guns and bombs do not temporarily shut down banks or temporarily take down websites. They cause more physical and permanent damage. Many, perhaps even almost all, cyber attacks fall short of the Tallinn Manual’s definition of armed attacks. This limits the options that national governments have for responding to these attacks, at least if they want to stay within the limits imposed by international law.

8 Schmitt, Michael N., Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013.

9 NATO Cooperative Cyber Defence Centre of Excellence – https://ccdcoe.org/.


Estonia (2007)

In 2007, the government of Estonia decided to relocate the Bronze Soldier, a memorial to the victory of the Soviet Army over Nazi Germany. The government moved the memorial from a central location in the capital city of Tallinn to the nearby Tallinn Military Cemetery. This provoked riots in the streets of Tallinn. Soon, cyber attacks against many Estonian government and commercial targets were underway. Hackers carried out denial of service and distributed denial of service attacks against government and private-sector websites, including those of the Riigikogu (Parliament), as well as the Estonian prime minister and president. Many government ministries, e-banking organizations, and news outlets also suffered attacks. The effects of these attacks are not the same as would have been caused by kinetic weapons. It seems very likely that the cyber attacks that occurred in this incident did not qualify as armed attacks, so the government of Estonia and its allies would have been somewhat limited in their options for retaliating. In particular, any military action would almost certainly not have been justified in this particular case.

Stuxnet (2009)

While there are many descriptions of the Stuxnet worm and its effects, there are very few facts available concerning this incident. What we do know for sure is that some time in 2009 a worm appeared on the Internet that seemed to target ranges of IP addresses in Iran, and that this worm seemed to target certain industrial control systems—the centrifuges that were being used in uranium enrichment operations by the government of Iran. Once it infected the control systems for the centrifuges, Stuxnet seemed to increase the rate at which centrifuges would spin, possibly causing damage to them by making them spin faster than they were meant to operate. This could potentially cause an increase in the failure rate of the centrifuges that could be very difficult to troubleshoot. But essentially all that we know about Stuxnet is based on rumors. Many news stories have described in detail how the governments of the US, Israel, and Germany worked together to create and deploy Stuxnet. And many news stories and other reports have explained how the effects of Stuxnet delayed the Iranian nuclear program by degrading its ability to refine fissionable isotopes of uranium. But there are few, if any, facts to support these entirely plausible conclusions. A good summary of what is really known about Stuxnet and its effects is contained in the NATO CDCoE report “Stuxnet – Legal Considerations,” by Katharina Ziolkowski.10

None of the governments of the US, Israel, or Germany has officially admitted to taking part in the development or deployment of Stuxnet. And the government of Iran has never officially admitted that any of the centrifuges used in their nuclear program were damaged by Stuxnet. There is no hard evidence that Stuxnet had any significant effect at all. The centrifuges used in the Iranian nuclear program were notoriously prone to failure,11 and it is not clear that the number of centrifuges bought by the Iranian government increased after Stuxnet appeared on the Internet, suggesting that it might not have significantly affected the Iranian nuclear program at all. In the absence of any reliable information, it is hard to judge whether or not Stuxnet was damaging enough to qualify as the equivalent of an armed attack, but Ziolkowski’s legal analysis suggests that it was not just a clever bit of technology. Stuxnet was carefully tailored to keep its effects from violating international law, a violation that could have justified retaliation by Iran: “Under the supposition that the malicious software has been created, installed, and controlled by one or more States and indeed did not cause any damage of physical nature, it appears not to reach the threshold of illegality pursuant to public international law and thus to be a ‘legal masterpiece.’” So the best information available suggests that Stuxnet probably did not cause enough damage to qualify as an armed attack. This means that the government of Iran probably would not have been justified in using armed force to retaliate against one or more countries that it might have suspected carried out the Stuxnet attack.

10 Dr. iur. Katharina Ziolkowski, “Stuxnet – Legal Considerations,” NATO CCDCoE (2012) – https://ccdcoe.org/sites/default/files/multimedia/pdf/Ziolkowski_Stuxnet2012-LegalConsiderations.pdf.

11 Greg Thielmann and Peter Crail, “Chief Obstacle to Iran's Nuclear Effort: Its Own Bad Technology,” The Christian Science Monitor, Dec. 8, 2010 – http://www.csmonitor.com/Commentary/Opinion/2010/1208/Chief-obstacle-to-Iran-s-nuclear-effort-its-own-bad-technology.

German steel mill (2014)

In December 2014, the German government’s Bundesamt für Sicherheit in der Informationstechnik (BSI) (Federal Office for Information Security) released its annual findings report “Die Lage der IT-Sicherheit in Deutschland 2014” (“The State of IT Security in Germany 2014”).12 This report describes a successful cyber attack on an unspecified German steel mill, although it provides few details. This attack apparently compromised the control systems for the steel mill and resulted in significant physical damage to at least one of the blast furnaces used in the mill. Of all of the cyber attacks publicly known, this attack seems to come the closest to counting as an armed attack because there was significant physical damage caused by it. While the damage caused may not have been exactly like the damage that would have been caused by guns or bombs, it was probably very similar. It might have been similar enough to the effect of kinetic weapons to have counted as the equivalent of an armed attack. Because there have been very few cyber attacks that cause significant physical damage, it may be the case that this particular cyber attack is the only attack to date that might reasonably be considered to be equivalent to an armed attack; it is also the only one that might reasonably be considered serious enough to justify a military response by the affected country.

Summary

There are compelling reasons why participants in twenty-first century conflicts would engage in cyberwarfare. Cyber weapons are almost certainly much less expensive to develop and use than conventional weapons, and the anonymity provided by the Internet can make it extremely hard to reliably identify exactly who carried out a cyber attack. Launching damaging cyber attacks against government or military targets will almost certainly be regarded as an act of war by politicians, so many participants in the cyber attacks have largely restricted their attacks to non-government and non-military targets. Cyber attacks have generally not caused the type of physical damage that might classify them as equivalent to an armed attack, thus limiting the ways in which governments can respond. If this trend continues in the future, businesses may unwillingly become targets in cyber conflicts. So it certainly looks like businesses are on the front lines of cyberwar, whether they want to be or not. A reasonable precaution is thus to hope for the best (not being the target of a cyber attack) but to be prepared for the worst (that you will end up being the target of a cyber attack).

12 “Die Lage der IT-Sicherheit in Deutschland 2014,” Bundesamt für Sicherheit in der Informationstechnik – https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf?__blob=publicationFile.

About the Authors

Luther Martin is a Hewlett Packard Enterprise Distinguished Technologist. You can reach him at [email protected]. Cheryl He is a Software Engineer at Hewlett Packard Enterprise. You can reach her at [email protected].


Building a Phishing Program: Why Haven’t You Started Yet?

By Tonia Dudley – ISSA member, Phoenix Chapter

Abstract

This article discusses the basics of a phishing simulation training program and how it is one element of an overall security awareness program to address human behaviors. The article provides some recommendations to consider when building a successful program.

Why do I need a phishing training program?

Every year the numbers grow for data breach incidents, and just when you think it certainly can’t get any worse than last year, the headlines begin to churn with the latest. As the New Year barely clicked over to 2017, headlines were already beginning to fill up with the attack on the Democratic National Convention and we were hearing the phrase GRIZZLY STEPPE [1]. According to the Internet Crime Complaint Center, since January 2015 business email compromise (BEC) [2], also known as CEO fraud, has increased globally 1,300 percent. As the tax season picked up earlier in the year, we quickly heard about organizations that were responding to the W-2 spear phish [3]. Attackers use the tax season to target individuals in human resources and payroll departments to send their company W-2 files containing employee sensitive information (figure 1). While ransomware wasn’t new in 2016, it certainly did make the headlines with the attack on public entities and threat to businesses of all sizes. With the continued growth of social media and the need to stay present to grow your business, it is also a threat vector allowing threat actors to easily gain more information about your company—making spear phishing much more sophisticated.

As the topic of cybersecurity continues to get more press, regulators, auditors, and now boards of directors are all starting to ask what you’re doing to protect the organization against a phishing attack that could lead to a data breach. Do your users know how to identify a phishing email? If you ask them, they will most likely tell you “yes”—that’s what we learned in our annual security awareness compliance training. But most importantly, do your users even know how or where to report a suspicious message?

Why do users click that link, open that attachment, or even riskier, type their credentials into that input box on the website? Curiosity—did I really miss paying that invoice? Fear—the CEO needs me to get this wire out right away. Reward—I can’t believe I finally won a drawing! Threat actors know this is how users will react to these motivators. Users are bombarded with email messages all day long and their first instinct is to react. The best way to retrain this behavior is using simulation training: simulating the same method the threat actors use—the inbox and motivators (see Emotional Motivators sidebar). They are ultimately seeking to get your personally identifiable information, intellectual property, or other strategic information that can give them an insight into your company’s strategic direction. According to the Verizon 2016 Data Breach Investigations Report [4], 89 percent of breaches had a financial or espionage motive.

The threat doesn’t just exist in large corporations. According to the Symantec Threat Report 2016 [5], over a five-year span there was a steady increase in attacks against companies with less than 250 employees, with a 43 percent increase in just 2015. For larger organizations, these small businesses might be part of your supply chain, opening an entry point for threat actors.

Where to start

The first step to building your program is to establish the goal of the overall program. Are you just trying to “test” your users to see how they will react? Or are you trying to train them in “how” to react when they do receive a suspicious message? If you use the term “test,” your users will have an immediate negative response—nobody likes to feel like he or she is being tested. If you turn the conversation to “training,” you’ll have better engagement with your users and your leadership teams.

There are plenty of technical controls that can be implemented to protect your perimeter and your users, but these are never going to be 100 percent foolproof. Attackers are constantly changing their techniques to get past your technical controls. They are patient and will take their time to research every aspect of your organization, including your users.

Many organizations focus on the click rate as the key indicator metric for their phishing simulation training program. Every type of message, or even the contents of a phishing message, can trip up even the well-informed and experienced user at one time or another. You are never going to achieve a zero-click rate. Yes, it only takes one user to expose the organization to risk, but if you train your users to report quickly, the risk can be mitigated or contained quickly.

By training users to report quickly, you are reducing the amount of time attackers have to make their way into your organization. When the incident response team has been made aware of a phishing attempt against the organization, there is a series of steps they take to mitigate the risk. This includes blocking any IP addresses contained in the email that could deliver malware and working with the email team to remove any messages from users’ inboxes. The team can also research which users potentially clicked on the link or opened the attachment, to quickly isolate their machines on the network.

Emotional Motivators
Curiosity: Someone left you a voicemail
Fear: You received a parking ticket
Urgency: You have a past-due invoice
Reward: You won a shopping gift card
Social: Someone sent you a holiday card
Opportunity: Most recent sale quote
Entertainment: Look at these funny pictures

Figure 1—W-2 email spear phishing sample

Getting started

Once you’ve decided to implement a phishing simulation training program, kick off the program by running a pilot targeting a small segment of the user population—a department, a business group, or even a random selection. This will allow you to demonstrate to leadership the need for this type of training. If simulation training has never been done in your organization, expect to see a high click rate. Remember this is your baseline.

As you prepare for your first campaign, no matter how large or small, work with your email team to ensure the message doesn’t get blocked by your spam filters or other controls. If you’re providing an education page when the user clicks the link, ensure your firewall teams can whitelist the page. And most importantly, inform your security operations or help desk teams to expect to see an increase in users reporting.

Socialize the importance of the program—what you’re trying to achieve and what information will be reported at the close of the campaign—with your leadership teams. Arm them with talking points and results to be included with their team meetings to reinforce leadership support. It’s also important to ensure your leadership team understands that they will also be included in the campaigns.

If you are an organization located across the globe, be prepared for the fact that various cultures will respond differently to the same emotional triggers. If you have users in the European Union (EU), you will most likely need to get approval from the works council and provide the education in their local languages. Take the time to educate the works council on the importance of understanding the dangers phishing can pose not only to the organization but also to users’ personal email. The EU passed directives that cover employment law, which established the requirement for works councils: a body of representatives of the company’s employees that reviews and consults with the company’s management on any initiatives that would have an impact on employees—including training and how activities will be tracked for an individual employee [6].

One topic that comes up quite often in discussions related to phishing programs is what to do about users sharing knowledge about the phish lure among their teammates. What is the purpose of your program? Metrics, or for your users to know what to do when a real event happens? If your organization experiences a real phishing attack, don’t you want your users to tell their cube mates and peers to watch out and report the dangerous message?

The first scenario for your baseline campaign should be generic and pretty simple, such as a fax notification or scanned document. Your technology and security teams will let you know these types of messages are too easy to spot. But this isn’t the user population that you’re trying to educate in the early stages of your program. These groups can be targeted with a more sophisticated scenario once you’ve established your baseline.

Other considerations as you build your campaigns—do you block spam and other marketing type messages in your corporate email system but allow your users to access their personal email on your network? Don’t be afraid to include executives as they can be some of your most highly valued individual targets.

Maturing the program

As you start to build confidence in your users, you can increase the complexity of the message and campaign. As you build these campaigns, tailor the education to align to the type of message you’re simulating—ransomware attachments, W-2 request, or BEC.

What is the organization experiencing in real phishing campaigns? Allow the program to be flexible enough to simulate a campaign when a real campaign hits. If you receive a campaign asking users to provide credentials, use this scenario to ensure the entire organization is ready to mitigate the next attack.

Remember the threat actors also know your seasonal motivators, such as benefits enrollment, tax season, holiday shopping, and shipping, so don’t forget to use these scenarios as each season approaches. According to Proofpoint’s “The Human Factor Report” [7], in 2016 Thursday was the day of the week on which attackers most often saw recipients interact with malicious attachments (see figure 2). When you are trying to condition your users to the way attackers will target them, try to simulate your campaign as close to the real attacks as possible. This includes starting the campaign on the day of the week they are most likely to receive a real phishing email. In the same report, it was found that users respond by clicking on the malicious URL within the first 24 hours after the message was delivered. This is a factor that you can use when trying to determine how long to run your simulation campaign.

Understand the motivators for your various business roles. This will allow you to target your finance department with messages related to payments, your HR department with resumes, and your legal team with contracts. Do you have users with their email address listed publicly? Do your IT users with privileged access understand the dangers of using their network credentials on a data-entry scenario?


Figure 2—Threat arrival by day of the week [source: Proofpoint’s “The Human Factor” report]


Think back to the question asked at the beginning: what is the goal of your program? If you are building a program that is designed to raise the overall security posture of the organization and encourage your users to become sensors, then take the time to respond to those users and thank them for helping the organization to be secure. By creating a punitive program you are stifling your users from telling you they found something suspicious, not only in their inbox but in other situations that may pose a risk to your organization.

Conclusion

As we continue to see successful phishing threats, training your users to identify a suspicious message is going to be far more valuable than relying on technical controls. The threat actors continuously pivot to get email messages past technical controls and land in the user’s inbox. As you establish your program, determine which metrics are most important to drive success. If your goal is to get users to report, lead with that metric and educate your leadership on why this is the most important metric. Once you set your baseline and determine your metric goals, use the campaign frequency to drive to your goal. Remember that improvements happen because of the memory of the “oh crap” moments, not the education you ask them to read.

But they didn’t read the education…

According to PhishMe, the average time a user spends on the education page is 22 seconds [8]. Most of the simulation providers include great education content to provide the user with information about how to identify a phishing message or the various types of phishing messages. However, it is the mere experience of opening the message and clicking on the link or opening the attachment that gives users the “oh crap, I shouldn’t have done that” moment, which they will remember, training them to stop and assess a message they receive that doesn’t seem right. To reinforce the simulation campaign, send users who were susceptible to the message [took the bait] a follow-up message letting them know it was a training event and provide them with the correct action they should take to report the message, even if they clicked or opened the attachment.

Changing behavior

In the PhishMe “Enterprise Phishing Susceptibility Report” (2015) [9], it was determined that it takes an average of four scenarios to significantly reduce the number of users repeating the same behavior [figure 3]. However, the most significant decline occurs from the first to the second campaign for the same type of scenario, decreasing from a 35 percent to a 13 percent response rate.

Figure 3—Decrease in repeat offenses [Source: “PhishMe Enterprise Phishing Susceptibility Report”]

As your program begins to mature, and your list of repeat users begins to grow, you’ll get pressured to start addressing the repeat behavior. Setting up a punitive program to target users who fall into this bucket can reflect negatively on your program. Do you punish users for failing other types of training? A better way to address the repeat problem would be to take the time to reach out to these individuals to understand their role and what motivates them to continuously click or open the attachment. Sometimes just giving them the direct attention and explaining the risk this could pose to the organization if it had been a real phish can have a much more powerful impact.
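The metrics the article argues for under “Where to start” and in the Conclusion (report rate and time to first report alongside click rate) and the repeat-clicker list discussed above can all be computed from a simulation platform’s event export. The following Python is an added example, not code from the article or from any simulation vendor; the event model (one delivered/clicked/reported row per user action), the campaign and user identifiers, and the sample log are constructed assumptions.

```python
"""Phishing simulation campaign metrics from a constructed event log.

Added example (not from the article or any vendor). It assumes a minimal
event model: one row per user action, with actions "delivered", "clicked"
and "reported", which most simulation platform exports can be mapped onto.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    campaign: str   # hypothetical campaign id
    user: str       # hypothetical user id
    action: str     # "delivered", "clicked" or "reported"
    ts: datetime


def _t(day: int, hour: int, minute: int) -> datetime:
    # July 6 and July 13, 2017 are Thursdays: the article's "launch on the day
    # real phish arrive" advice, applied to the constructed campaigns below.
    return datetime(2017, 7, day, hour, minute)


USERS = ("u1", "u2", "u3", "u4", "u5", "u6")

# Constructed sample log: a baseline "fax notification" scenario (c1) and the
# same scenario re-run one week later (c2), each sent to the same six users.
SAMPLE_EVENTS = [
    *(Event("c1", u, "delivered", _t(6, 9, 0)) for u in USERS),
    Event("c1", "u1", "clicked", _t(6, 9, 5)),
    Event("c1", "u2", "clicked", _t(6, 9, 20)),
    Event("c1", "u2", "reported", _t(6, 9, 25)),   # clicked, then reported anyway
    Event("c1", "u3", "reported", _t(6, 9, 10)),
    Event("c1", "u4", "clicked", _t(6, 11, 0)),
    Event("c1", "u6", "clicked", _t(6, 13, 0)),
    *(Event("c2", u, "delivered", _t(13, 9, 0)) for u in USERS),
    Event("c2", "u1", "clicked", _t(13, 9, 30)),
    Event("c2", "u2", "reported", _t(13, 9, 5)),
    Event("c2", "u3", "reported", _t(13, 9, 8)),
    Event("c2", "u4", "reported", _t(13, 10, 0)),
    Event("c2", "u6", "clicked", _t(13, 9, 45)),
    Event("c2", "u6", "reported", _t(13, 9, 50)),
]


def campaign_metrics(events, campaign):
    """Click rate, report rate and minutes to first report for one campaign.

    Only each user's first click and first report count, so a user who clicks
    the lure twice is not double-counted, and a click that is followed by a
    report is still credited as a report (that is the behaviour being trained).
    """
    delivered = {e.user for e in events
                 if e.campaign == campaign and e.action == "delivered"}
    if not delivered:
        raise ValueError(f"no delivery events for campaign {campaign!r}")
    launch = min(e.ts for e in events
                 if e.campaign == campaign and e.action == "delivered")
    first_click, first_report = {}, {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.campaign != campaign or e.user not in delivered:
            continue
        if e.action == "clicked":
            first_click.setdefault(e.user, e.ts)
        elif e.action == "reported":
            first_report.setdefault(e.user, e.ts)
    clicked_then_reported = sorted(
        u for u in first_click
        if u in first_report and first_report[u] > first_click[u])
    n = len(delivered)
    return {
        "delivered": n,
        "clicked": len(first_click),
        "reported": len(first_report),
        "click_rate": len(first_click) / n,
        "report_rate": len(first_report) / n,
        "clicked_then_reported": clicked_then_reported,
        # How long the IR team waited for its first signal; None if nobody reported.
        "minutes_to_first_report": (
            (min(first_report.values()) - launch) / timedelta(minutes=1)
            if first_report else None),
    }


def repeat_clickers(events, campaigns, min_campaigns=2):
    """Users who clicked in at least min_campaigns of the given campaigns:
    the list the article suggests handling with outreach, not punishment."""
    clicked_in = defaultdict(set)
    for e in events:
        if e.action == "clicked" and e.campaign in campaigns:
            clicked_in[e.user].add(e.campaign)
    return {u: len(cs) for u, cs in sorted(clicked_in.items())
            if len(cs) >= min_campaigns}


if __name__ == "__main__":
    for c in ("c1", "c2"):
        print(c, campaign_metrics(SAMPLE_EVENTS, c))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS, ("c1", "c2")))
```

On the constructed log the second run of the same scenario shows the pattern the article describes: the click rate halves, the report rate doubles, and the first report reaches the IR team sooner, while two users appear on the repeat-clicker list.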


Focus your campaigns to simulate the type of messages that will actually make it past your technical controls—if you block an eCard message, don’t waste a campaign with this type of scenario (your click rate will probably be higher but not realistic). Don’t break down controls already established and working in your environment to force a campaign to work. And finally, embrace your users. If they feel comfortable telling you they clicked a link that probably wasn’t good, you’ll be able to mitigate the risk much quicker, and the likelihood of them alerting about any type of security incident is higher.

About the Author

Tonia Dudley, CISSP, CISM, CISA, is currently the Director of Security Awareness for a financial services organization and previously managed the security awareness program for a Fortune 100 global manufacturing organization. Her diverse background has allowed her to change the perspective of running a security awareness program typically focused on compliance to drive behavioral changes and improve overall security culture. She may be reached at [email protected].

References
1. DHS, “GRIZZLY STEPPE—Russian Malicious Cyber Activity,” US Department of Homeland Security – https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY STEPPE-2016-1229.pdf.
2. FBI, “Business E-Mail Compromise: The 3.1 Billion Dollar Scam,” FBI Public Service Announcement, June 14, 2016 – https://www.ic3.gov/media/2016/160614.aspx.
3. FBI, “Business E-Mail Compromise E-Mail Account Compromise The 5 Billion Dollar Scam,” FBI Public Service Announcement, May 04, 2017 – https://www.ic3.gov/media/2017/170504.aspx.
4. Verizon, “2016 Data Breach Investigations Report,” Verizon Enterprise – http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf.
5. Symantec, “Internet Security Threat Report 2016,” Symantec (April 2016) – https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf.
6. Association of Corporate Counsel, “Legal Resources: Works Councils in the European Union” – http://www.acc.com/legalresources/quickcounsel/wciteu.cfm.
7. Proofpoint, “The Human Factor Report 2017,” Proofpoint – https://www.proofpoint.com/us/resources/white-papers/human-factor-report.
8. Aaron Higbee and Scott Greaux, “Behavioral Conditioning, Not Awareness, Is the Answer to Phishing,” PhishMe, September 20, 2016 – https://phishme.com/behavioral-conditioning-not-awareness-answer-phishing/.
9. PhishMe, “Enterprise Phishing Susceptibility Report,” PhishMe – https://phishme.com/project/enterprise-phishing-susceptibility-report/.

Looking Ahead – Journal Themes

September: Health Care – Due: 7/22/17
Healthcare is one area of particular focus for information security practitioners, as there are very specific security, privacy, and technological issues and mandates one must deal with. These also vary by jurisdiction. There are also many tools security professionals can use in this space that allow for a relatively consistent application of controls. We are looking for your thoughts and ideas on information security in the healthcare space.

October: Addressing Malware – Due: 8/22/17
For almost as long as there have been computing platforms in use, there have been inherent threats associated with them. One of the most prevalent is malicious software. From the Cascade and Brain viruses to the XcodeGhost exploit, malware has been an inevitable part of the computing landscape. As technology matured and became more sophisticated, so did the malware variations and the damage caused to millions of computers around the world. This month’s issue of the ISSA Journal will explore the types of malicious software in the wild and how it has evolved, as well as the techniques used by cybersecurity professionals to mitigate the risks posed by it.

Submit articles to [email protected].


Crypto Corner

Encryption Standards

By Luther Martin – ISSA member, Silicon Valley Chapter

The purpose of encryption is to make data unintelligible to everyone except two people: Alice and Bob. This means that encryption only works because it is not fully standardized (otherwise, everyone could read Alice’s message to Bob). To implement this, we make most of the encryption standardized, and put all of the non-standardization in the keys that Alice uses to encrypt.

Keys have to be non-standardized, but only in standardized ways. Key management also has to be standardized. This means that we have standards where the non-standardized parts must follow standards of non-standardization and must be handled only in standardized non-standardized ways to support the overall standardization of the non-standardization.

Commercial cryptographers think that this makes perfect sense. Academic cryptographers write papers about why this makes perfect sense. Everyone else needs to use at least some of these standards, so it can be important to get them right.

Fortunately, the groups that create standards for encryption are usually organizations that anyone can join. Even the ones that you need to pay to join really do not cost that much to join, at least when compared to the problems that having to work with a poorly written standard can cause.

So a reasonable strategy for anyone who has an interest in seeing that encryption ends up working the right way is to get involved in developing future standards for it. This may require attending monthly or quarterly meetings. More often than not, these are just conference calls, so it is very possible to be an active participant in developing new standards without having to travel at all.

But attending standards meetings in person can be a valuable use of time. Many of the people who attend these meetings are reasonable approximations of experts in their fields, so when you get a room of a dozen or more of these people together, there is a good chance that at least one of them will know the answer to absolutely any question that you might have in their area of expertise. And they are usually more than happy to answer any questions that you might have—even if you work for a competitor. In many cases, the free consulting that you can get from these experts more than justifies the cost of joining a standards group and participating in its activities.

The price that you pay for having access to these subject matter experts is not just the cost of the membership in the relevant standards group. When you attend standards meetings (even if just virtually), you will be expected to contribute to the projects that the group is working on. This may involve painful line-by-line reviews of drafts of documents, and sitting through long, bitter debates that end up with the group finding out that its opinion on the disputed topic is actually unanimous.

If you end up as the editor of a standard, you can expect to endure even worse. Random group members may insist that they cannot approve your standard until you help their country solve one of its pressing political issues. Or you may have to make a trivial change to a standard, like adding a single blank space, because someone thinks that the document will look better that way, and then have the minimally modified document voted on yet again by the group, through a long and complicated process that takes an additional two to three weeks. But if you can tolerate those sorts of character-building experiences, you will find that you will be able to help move important technologies in the right direction.

Even when there is no standards group that writes a standard, it can still be possible to affect its content. For example, the US government’s National Institute of Standards and Technology (NIST) publishes many of the world’s leading standards, including the world’s de facto standard for cryptography, “Security Standards for Cryptographic Modules” (FIPS 140-2). And although NIST does not directly accept input from people outside of NIST for most of their standards, they always publish drafts of standards, solicit public comments, and do an admirable job of addressing the comments before finally publishing their standards.

So if you have ever been displeased by the way encryption standards require standardization (or even non-standardization), consider getting involved in creating better ones. It is easier than you might think and has many benefits that you might not have considered.

About the Author
Luther Martin is a Distinguished Technologist with Hewlett Packard Enterprise. He is the author of RFC 5091, RFC 5408, RFC 5409, was the technical editor of IEEE Std 1363.3-2013, and was the chair of the IEEE Security in Storage Working Group. You can reach him at [email protected].

Perspective: Women in Security SIG

International Cybersecurity Ambassadors: Global Security Awareness

By Rhonda Farrell – ISSA Fellow, Baltimore, National Capital, and Northern Virginia Chapters

In the world of politics, cybersecurity has a starring news role, oftentimes headlining the most heinous activities and effects of hackers, attackers, cyber criminals, and other public enemies across the globe.[1][2] Much like the adage, good news doesn’t sell, we rarely see on the big screen news about the positive cybersecurity actions taken or the associated informational flows that academia, government, commercial firms, non-profit organizations, or cyber practitioners publish to defend, protect, and serve the broader cybersecurity community.

What can we actively do to change that as the ISSA organization and as cyber practitioners worldwide? I posit that a focus on becoming international cyber ambassadors gets us one step closer to ensuring higher levels of global security awareness and effectiveness and correspondingly increasing cybersecurity community collaboration around the globe. Why, might you ask, should we focus on global cybersecurity ambassadorship versus other means to achieve these ends? I point to our organizational true north, our purpose, our why as a way forward—driven by mission, vision, core purpose, values, and goals.[3]

Ambassadors are often asked to spread awareness, impart information, represent interests and policies, translate and map technical issues to business initiatives, and push for more effective ways of doing things.[4] I believe that to be true ambassadors within the cybersecurity space, ISSA members and leaders need to create opportunities to share global policy, regulation, legislation, technical, and associated social change efforts around the cybersecurity industry with our broader global community members. We need to ask our organizations and ourselves some hard questions, such as the following:

• Should global public policy changes influence our actions as to global chapter- and membership-growth initiatives?

• Should international cybersecurity warfare activities by nations preclude organization expansion efforts in those regions?

• Should political instabilities, sanctions, or other blockade actions occurring in certain global regions preclude membership inclusion?

• How do we best utilize the lessons learned from international cybersecurity events to promote more effective cybersecurity practices?

At the most core level, ambassadors’ roles positively touch people’s lives across the globe in many different ways through the seeding of new innovations, ideas, information, knowledge, collaborations, investments, education, etc. This directly aligns to ISSA’s core tenet of developing and connecting cybersecurity leaders globally. We can, by designing and taking ongoing and effective cybersecurity-related ambassador actions, directly and positively effect change in cybersecurity awareness and effectiveness levels, related policies, laws, regulation, and standards; foster educational curriculum expansion, enhance workforce-related roles and requirements, drive technical innovations, and expand the global community to include practitioners from every country.

Once the why and what are in place, the how, when, and where questions then come to the forefront. I posit that the answers to these further questions are within our ISSA community expertise, just waiting to be shared, built upon, and enacted by those within whom this resonates. It starts by organizationally recognizing the need for and declaring as such that we are indeed initiating a new cybersecurity ambassador movement ourselves, one that is inclusive, diverse, global, and sustainable in nature. The Global SIGs are a great way to ignite the world’s cyber communities and craft an innovative way forward. What will you do to support the global cybersecurity ambassador challenge today?

For those wishing to know more about the above topic or to suggest your own for the Global SIG programs, we welcome your feedback and questions at [email protected].

1 Scott, Mark and Wingfield, Nick. “Hacking Attack as Security Experts Scrambling to Contain Fallout,” NY Times (May 13, 2017) – https://www.nytimes.com/2017/05/13/world/asia/cyberattacks-online-security-.html?_r=0.
2 Sear, Tom. “Cyber Attacks 10 Years On – from Disruption to Disinformation.” Excerpt from The Conversation (April 27, 2017) – https://phys.org/news/2017-04-cyber-years-onfrom-disruption-todisinformation.html.
3 About ISSA (June 24, 2017) – http://www.issa.org/?page=AboutISSA.
4 Cybsi Ambassadors (June 25, 2017) – https://cybersecurity.ieee.org/cybsi-ambassadors/.

WIS SIG Mission: Connecting the World, One Cybersecurity Practitioner at a Time

About the Author
Dr. Rhonda Farrell, D.Sc., J.D., CISSP, CSSLP, CCMP, CMQ/OE, CSQE, is an Associate at Booz Allen Hamilton (BAH) and a member of the Board of Directors at ISSA International. She is the Global SIG chair and the co-founder of the Women in Security Special Interest Group (WIS SIG). She works cross-organizationally to actively enhance cybersecurity-oriented programs internationally. She can be reached at [email protected].

ISSA 2017 International Conference: Digital Danger Zone (#ISSAConf)

October 9–11, 2017, San Diego, California

Sponsorship information: Monique dela Cruz, [email protected]

For information on volunteer opportunities which qualify for a discounted or complimentary registration, contact Leah Lewis.

Register online: www.iplanevents.com/ISSA2017

Registration rates:
Before July 15, 2017 – ISSA member rate: $399; Non-member rate: $798; Student rate: $150
July 15, 2017 – October 8, 2017 – ISSA member rate: $499; Non-member rate: $898; Student rate: $150
On site – ISSA member rate: $549; Non-member rate: $998; Student rate: $150