Q&A: George Japak of ICSA Labs Offers Advice around NCSA Month
October 30, 2014
By George Japak, Managing Director, ICSA Labs

This month marks the 11th anniversary of National Cyber Security Awareness Month (NCSAM) where raising awareness about cybersecurity is a top priority for both the public and private sector.  Sponsored by the Department of Homeland Security, in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center, NCSAM is a time for the community to come together and engage in public awareness activities and events that stress the importance of cybersafety and that cybersecurity is a shared responsibility.

In this Q&A blog, George Japak, managing director of ICSA Labs and Verizon’s HIPAA security officer, discusses his thoughts on NCSA month and offers important advice to help enterprises and consumers stay vigilant when it comes to cybersecurity.

Q: In the spirit of National Cyber Security Awareness month, what's the one piece of advice you would give to enterprises and individuals to better protect themselves from cyberthreats?

A: Practice security vigilance and be diligent. A number of the data breaches making headlines are attributed to relatively unsophisticated attacks, mainly because enterprises are not implementing good security practices and/or maintaining them on a continual basis.

As Verizon’s HIPAA Security Officer, I monitor the nature of many of the healthcare breaches that are reported. I carefully review the audit findings from the Office for Civil Rights, and, in most cases, the breaches are preventable. This pattern is clearly evident year after year in the Verizon Data Breach Investigations Report series.

Q: As a practitioner of security, what keeps you up at night?

A: There’s so much to do and yet so little time. Everyone is challenged these days with balancing priorities against other urgent but equally important issues. There is considerable pressure on budgets and resources, so allocating those properly is a balancing act for many IT security professionals.

Understanding risk is an important part of a company’s security program, but combining that with the information an organization possesses along with an analysis of those risks becomes quite challenging. Every entity knows they have security risks to deal with – some can be addressed within a reasonable period of time, while others take lots of time, money and resources.

As a security professional, I, like others in the field, always hear the clock ticking and hope nothing goes wrong until corrective measures can be taken to harden your system(s) and reduce those risks.

I also see a significant lack of uniformity when it comes to supply chain risk management and the discipline around the software development lifecycle (SDLC).  Many of the security vulnerabilities and problems we see today are due to the lack of sound SDLC practices.

At ICSA Labs, we work hard to make enterprises and vendors understand the value proposition of testing and certifications programs and how it is an important part of the procurement process to help reduce risks. We interface with many enterprises and there is a lot of “good faith” placed on security products and services.

We see a number of organizations also get fixated on making sure the product or service doesn’t break anything, as opposed to making sure it is functionally sound and does what it’s intended to do.

Q: Do you think the "good guys" will ever get ahead of the "bad guys" when it comes to cybersecurity?

A: That is a difficult question to answer. We’re seeing that the bad guys are more organized than ever and motivated by financial gain rather than notoriety.

You now have state-orchestrated attacks that can target the very infrastructure of a country and gain access to trade secrets and intellectual property (IP). 

I don’t believe we even know the half of it.

First, a breach has to be recognized and second, the targeted entity has to have a reason for stating that they were subject to such an attack. This is difficult for many entities as there is fear of reputational and brand damage that can be more harmful and impactful than the financial loss.

Q: As the managing director of a security compliance and testing lab, how do you communicate the importance of compliance? Essentially, why is compliance and your certification so critical in mitigating cybersecurity threats?

A: At ICSA Labs, we see the products when they are released to the market. We published a study a few years back that documented our experiences across all the products we tested, and it showed that 96 percent of the products failed in the first round of testing. 

We publicly post the criteria and standards that we test against, so it isn’t a mystery or a secret as to what we examine. For some vendors, what we see is failure in the SDLC process and the quality assurance (QA) function. 

ICSA Labs is an ISO 9001:2008 and 17025:2005 organization, so there is a lot of rigor and discipline to what we do and how we do it. We are also subject to outside audits by Intertek and ANSI/ACLASS. For example, we just went through what we call “fire drill” exercises on Heartbleed and the BASH vulnerability/Shellshock. Some vendors didn’t have a problem, but most of the others had to prepare fixes. Failure to do so can cost the vendor their certification.

Most enterprises that acquire security technology either don’t have the time, resources or skills to conduct the testing and certification we perform, or the ongoing diligence. Enterprises need to make ICSA Labs certified products part of their due diligence and procurement process, and verify that the selected vendor maintains the certification. That gives them one less thing to worry about and at zero cost to the enterprise.

Q: Outside of financial services, what's the next big battlefield in cyber security? In other words, where do you think criminals will focus their attention? Healthcare, because of healthcare information exchanges? Energy grids? Mobile?

A: There are lots of battlefields – healthcare, energy, mobile and more. From a financial gain and potentially disruptive approach, it will be healthcare without a doubt. It is also one of the most susceptible industries as historic IT spend is higher in other vertical markets such as financial services. While that gap is starting to close, courtesy of regulations like HIPAA and the associated fines and penalties, the gap is still significant. 

Organizations are still struggling to understand how to implement HIPAA security controls. The reality is that HIPAA just wants you to have done the right thing (implemented the right safeguards) from a security perspective - it is not intended to be prescriptive. 

The energy sector has always been a challenge, but was considered somewhat safe due to the closed nature of the infrastructure. That, however, has been changing due to the use of the public Internet and traditional channels of communication. New technologies such as smart meters don’t have security baked into them yet.

Mobile has been an area of focus for ICSA Labs in the last few years. We are testing mobile devices for security and find that the biggest concerns lie in securing mobile applications. There is minimal diligence for commercially available apps, freely downloaded ones, and even those that are custom built by entities to facilitate customer or employee access to company resources. Data is bleeding from your apps nearly every moment, even when you think you have the apps disabled.

Q: What keeps you excited about the work you are doing?

A: It is the opportunity to make a difference. That is not to say that there aren’t frustrations in security, as there are a lot of them. We feel as though the services we provide at ICSA Labs are significant and add real value to our stakeholders. These include enterprises that benefit from products and solutions that go through our labs’ testing and certification process, or the software developer who participates in the program.

For the software developer, we see a lot of products fail our tests, and it’s encouraging to find those that take the security and functionality of their products seriously and are motivated to correct these problems.

Unfortunately, the bad guys are as organized as they ever were; we see that organized cybercriminals are operating for profit. We’re living in a 21st century battleground where countries are attacking other countries through cyberwarfare. 

The other problem is that trained cybercriminals globally are trying to gain a competitive advantage over the U.S. by trying to obtain the IP of many companies. These challenges are very real and happening every day, even if they aren’t making the daily news.

I feel good knowing that ICSA Labs plays an important role in improving the products that combat some of today’s biggest cyberthreats. And in my mind, that’s very rewarding.
