The Principles of a Safe Secure & Intelligent (S2I) Communications System

And that’s it. That is the entire basis for developing these principles, the rules of the road, these guiding lights, so that we can protect these systems we so dearly rely on.

What is a principle? The “know all” (aka, Google) tells us a principle is: “a fundamental truth or proposition that serves as the foundation for a system of belief or behavior or for a chain of reasoning.”

What is a communication system? The other “know all” (aka, Wikipedia) tells us a communication system is: “In telecommunication, a communications system is a collection of individual communications networks, transmission systems, relay stations, tributary stations, and data terminal equipment usually capable of interconnection and interoperation to form an integrated whole.” Continue reading “The Principles of a Safe Secure & Intelligent (S2I) Communications System”

Local LinkedIn pick as cybersecurity guru talks trends

I think government is traditionally been way behind on procurement issues and recently, enactment of legislation for modernization has taken place. They’re trying to replace a lot of legacy systems.

Our guest today was recently named by LinkedIn as one of the top five people to follow in cybersecurity issues among their 500 million members. He was also just selected as LinkedIn to be an advisor on cybersecurity and emerging technology issues, and we’re lucky enough to have him here in the studio– Chuck Brooks of Chuck Brooks Consulting. Chuck, thanks for joining us. Continue reading “Local LinkedIn pick as cybersecurity guru talks trends”

Treat Your Data Like Cash

Information is just another form of currency (arguably, the most valuable), which is why if you believe in the old saying “cash is king” then we should really start thinking “data is king” also.

How annoyed are you when you find out you lost some cash?  Whether it is a few bucks in your jeans pocket or that “emergency stash” under the mattress, losing that “cold hard cash” is a feeling that always twists your stomach.  Sometimes you blame yourself.  Sometimes you blame others.  Depending on the amount lost, your emotions could range from the standard “how could I be so stupid?” to a profanity-laced tirade that is not suitable for print here.

Question: do you feel the same way when you experience credit card fraud?  My instinct is that while you would feel some sort of violation and negative feelings, it’s just not “the same” as losing cash. Continue reading “Treat Your Data Like Cash”

How Courts & Attorneys View ‘Reasonable Cybersecurity’ in 2018

Does your company truly care about cybersecurity, or is it just going through the motions and asking you to check off the boxes?

Cybersecurity attorney Shawn Tuma tells us that courts and attorneys are getting pretty good at determining the difference—which can impact the cost of litigation in a major way after a cyber incident.

It is 2018 and you must be able to show your work toward “reasonable cybersecurity.” In part 1 of this report, Tuma shared the high-level answer to what “reasonable cybersecurity” is. Now, in part 2, he offers specifics on what you must be doing, at a minimum, to secure your business.

Continue reading to watch the video. Continue reading “How Courts & Attorneys View ‘Reasonable Cybersecurity’ in 2018”

What Is Reasonable Cybersecurity?

But what, exactly, is the standard for reasonable cybersecurity? What does that look like or feel like within an organization?

The term “reasonable cybersecurity” gets batted around all the time.

We’ve heard InfoSec leaders talking about it at SecureWorld cybersecurity conferences across the United States.

And we know that if you have it, it can help limit liability damages after a breach.

We asked well-known cybersecurity attorney Shawn Tuma, of Scheef & Stone, LLP, what you should be aiming for in 2018. Here is his 90-second answer:  Continue reading “What Is Reasonable Cybersecurity?”

Five New Year’s Resolutions to Help CISOs Improve Enterprise Security in 2018

As we turn the page to 2018, organizations and their CISOs should commit to improving the way they consider, manage, communicate and respond to cybersecurity issues. That means introducing cognitive technology into the security environment, educating top leadership about cyber risks, promoting a culture of security awareness throughout all levels of the organization, conducting data breach simulations and tabletop exercises to hone incident response capabilities, and measuring the progress and maturity of security activities.

If you survived 2017 — a year full of data breaches, ransomware, distributed denial-of-service (DDoS) attacks and a multitude of other high-profile security incidents — you deserve a pat on the back. Some of us weathered the storm thanks to our careful preparations, the security controls we deployed, the incident response strategies we practiced and the recovery mechanisms we put in place. The rest of us can thank our lucky stars that things didn’t turn out for the worse.

Five Enterprise Security Resolutions for 2018

No matter how you navigated the treacherous threat landscape during the past year, it’s time for all of us in information security to make our New Year’s resolutions. If you’d rather not leave the fate of your organization to luck in 2018, here are five resolutions for chief information security officers (CISOs) to apply in the new year. Continue reading at SecurityIntelligence.com

Long Road Ahead or Unbridgeable Chasm? Lessons From the EY ‘Global Information Security Survey’

In many organizations, the executives need to increase the frequency and quality of interactions with the CISO and adopt a more hands-on approach to improving the way cyber risks are managed and governed. In companies where the cybersecurity function still reports to IT, dotted lines of reporting should be created to ensure direct access to top leadership.

If it appears to you that 2017 was a dismal year for cybersecurity, join the club: According to the latest edition of EY’s “Global Information Security Survey,” most security leaders feel they are more at risk today than they were 12 months ago.

The report surveyed chief information officers (CIOs), chief information security officers (CISOs) and other executives from 1,200 organizations around the world. More than 50 percent of survey responses came from small and midsized organizations with fewer than 2,000 employees. Although the top five sectors by respondents were banking and capital markets, consumer products and retail, government, insurance, and technology, other sectors, such as health, power and utilities, and real estate, were also included.

The report shed light on the state of cybersecurity and resilience, which is especially relevant since the global cost of cybersecurity breaches is estimated to reach $6 trillion by 2021. Cyberattacks are becoming more sophisticated, and new and disruptive technologies such as the Internet of Things (IoT) are rapidly increasing the level of connectedness across organizations, thus increasing the attack surface. Continue reading at SecurityIntelligence.com

Attacks to Critical Infrastructure Are Real, & They Can be Incredibly Easy

If you’re unsure an email is legitimate, take the 30 seconds to call your colleague, friend, or family member and say, “did you really send me this?” That call could save you millions of dollars, your job, and avoid an avalanche of bad PR.

In our previous article, we started to lay out some important social engineering terms, such as phishing, spear-phishing and pretexting. We even introduced to you what we call “Potentially Unwanted Leaks” (PUL) as tidbits of information that, when out in the wild, become valuable nuggets to be used against you in a social engineering attack.

This last installment in our ICS/SCADA series shows how social engineering was used to cause a blackout, the first known case of a cyberattack being directly responsible for a power outage.

On December 23, 2015, at 3:35 pm local time, in Ivano-Frankivsk Oblast (a southwestern region of the Ukraine that borders Romania and is in close proximity to the borders of Hungary, Slovakia, and Poland), seven 110 kV and twenty-three 35kV substations were disconnected for three hours.

The power outage, which took out 30 substations, could have impacted up to three different energy distribution companies, causing 225,000 customers to lose power. Shortly thereafter, Ukraine’s SBU state security service responded by blaming Russia, not an unreasonable assertion given that plenty of lead time was required to conduct this operation.

How was this allowed to happen? Continue reading “Attacks to Critical Infrastructure Are Real, & They Can be Incredibly Easy”

Emerging Technologies and the Cyber Threat Landscape

Nothing is completely un-hackable, but there is a myriad of emerging technologies that can help us navigate the increasingly malicious cyber threat landscape.

Cybersecurity is at a tipping point, the sheer volume of breaches, attacks, and threats has become overwhelming.  Juniper Research, suggests that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019. About 1.9 billion data records got exposed in the 918 data breaches that occurred in the first half of 2017—up 164 percent from the last half of 2016. According to a recent AT&T Cybersecurity Insights report, some 80 percent of the IT and security executives surveyed said their organizations came under attack during the previous 12 months.

This rising threat trend, coupled with the rapid growth of sophistication in malware, ransomware, DDoS, and social engineering attacks has created a conundrum. How do we protect ourselves in an increasingly connected world? Continue reading “Emerging Technologies and the Cyber Threat Landscape”

An Eye on GDPR

Think Equifax. Think Uber. Now think about how to notify those tens and hundreds of millions within 72 hours. That is the sort of headache you are going to have to deal with.

There is a lot of talk about the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679).  And rightly so, because it will impact a great many organizations, many of which reside in the U.S.  Set to come fully into effect May 25, 2018, the GDPR has understandably caused a lot of headaches because it is wide-sweeping and costly regulation, especially if you are in violation.

Clearly, the first question to ask is if the GDPR applies to you. If it doesn’t, you are in the clear (but that is not an excuse to relax your data protection measures).  If it does, well, you have work to do if you haven’t been on top of your GDPR compliance. This is especially true if you are a big organization, are not based in the EU, and have a lot of EU customers and clients. Continue reading “An Eye on GDPR”