Controlling Your Cyber Supply Chain

We don’t have “hall monitors” walking around our offices checking for fires. It’s something all persons of the organization have to watch out for (in large part, because of personal safety). Well, if your company goes bankrupt because all its IP has been stolen, I think that impacts your personal safety. So, start a program of being “security smart” within your organization.

Back in September, I wrote a piece that questioned whether or not you trust your network. As an extension to that piece, this piece focuses on your cyber supply chain.

Let’s begin with this simple premise: you may never fully know who is a part of your cyber supply chain. Why do I say that? It is because it is simply impossible for you to have a watchful eye on all parts of the supply chain. It would be a full-time job for you. In my view, the only entity that could have full control of its cyber supply chain is a government (emphasis on could, because even for a government, full control of the cyber supply chain could be an incredibly difficult and expensive proposition).

If you accept that simple premise, then by extension, you will have no problem accepting this one as well: the probability of you being breached is greater than zero.

If you are with me so far, this is excellent. It means you have not bought a bag of magical beans from vendors or consultants who are already preaching to you that you are on the way to the cyber secure promised land.

A National Cybersecurity Action Plan is a Serious Priority

We cannot allow this slow bleed of our economy to continue. It slows down and even reverses living standards. We simply cannot invest billions into research and development and have it siphoned from us with a few clicks. There is no justifiable reason to let this happen anymore. Smart and competent people have been sounding the alarm bells for some time, but they need more voices to back them.

Expectedly, our cybersecurity issues are growing. We say expectedly for a variety of factors including, but not limited to: the size and scope of breaches, increasing costs that cannot be accurately estimated or predicted, a proliferation of technologies and abilities, and geopolitical tensions. Given current conditions, we do not see a particularly bright future if our current cybersecurity strategy remains more or less constant.

What is our current strategy? In short, it is the accumulation of a lot of expensive toys to hold together decaying infrastructure, along with a healthy dose of putting aside, or worse, ignoring, the basics. In short, we look to more technological solutions, but we avoid the single greatest problem: our decisions. The growing track record of failures demonstrates that this “technology-heavy” approach is not working.

The underlying problem with this strategy is that it is simply untenable unless there is some revolutionary technology that completely changes the landscape. And while we do think artificial intelligence and quantum computing will be game-changing, we do not necessarily believe they will solve all our problems. Poor handling and implementation of these two technologies may, in fact, accelerate our demise. Therefore, we cannot continue to throw what limited resources we have at supposed technological wizardry, fixes, and repairs when the root of our deepest problems is inherently insecure systems, poor maintenance, and social engineering.

Here’s How to Make Patching Security Holes Easier For Everyone

We’re realists. That’s why we propose this interim solution: making patching and protecting all American devices easy, especially for the individual. If nothing else, it hopefully can stimulate a culture change in our cybersecurity behavior.

A lot has been said recently about patching and what role it plays in cybersecurity. A patch is just a small piece of software, made available to the consumer from the software company that “patches” a security flaw in the software. That’s all. But these patches, when installed, can save you a world of hurt.

Many of the worst breaches we have seen could have been avoided if patches were installed in a timely manner. Before we start getting flak that patching for an entire enterprise is not some “flick of the switch” easy procedure, we’re on your side. We agree with you. You need a system in place so you can roll out these patches on all devices within your enterprise. The biggest problem for enterprise-sized organizations is not so much installing the patches but managing the logistics behind patching an entire system. It’s more project management than anything, so you need to find what is right for you and your organization.

Cybersecurity: A fiduciary duty

This plague has only grown, and it has prompted much research and writing on cybersecurity best practices (including by us), settling on, at the very least, one or more best practices designed to lessen (if not entirely mitigate) the effects of ransomware.

The recent WannaCry ransomware exploit brought into full view several factors that terrify many companies and their boards of directors. Why? Because these directors are charged with the fiduciary duty of overseeing the cyber risk preparations and defences of their companies for their shareholders.

In today’s environment, this presents quite a challenge for companies and boards alike. Security has always been a challenge because the defender must be right 100 per cent of the time and an attacker needs only one lucky shot. Effective cyberattacks can involve factors such as:

1. A ‘zero-day’ or previously unknown software exploit (or vulnerability) that even advanced IT departments could not have reasonably planned for

2. An exploit that encrypts files when enabled or executed, and will not give the files back unless a ransom is paid

3. A public relations nightmare trying to explain to third parties, regulators (and in the case of WannaCry, hospital patients) why service levels dropped (i.e. evaporated) due to lack of properly segmented back-up recovery media and/or less than rigorous implementation of standard patches for older operating systems.

ICS/SCADA Devices, The Threat to Critical Infrastructure, and Social Engineering

The threat that concerns us most is effectively preying on humans, and our concern is warranted. That is why we feel that the biggest problem the power grid faces today is phishing, spear-phishing, and pretexting, all of which we will define in this set of articles.

Do you go fishing? You may or may not, but we see far too much phishing going on in the Internet ocean, and it scares us. The risk of over-phishing is not necessarily our concern. Our concern rests in that phishing is so easy, and the big fat phish of this Internet ocean are getting gobbled up. And that’s not good for us because many of us don’t really know what is in the ocean, like critical infrastructure (CI).

As the title suggests, our biggest concern as it relates to ICS/SCADA connected devices is us. We are an incredible vulnerability to CI, and seeing as everything we depend on runs on some form of CI, it’s best we protect it.

Let’s start with some basics. Our CI is for the most part old. Devices that are stuck with legacy software and cannot be updated or patched because they are simply too old and out of date are a potential problem, as these systems have vulnerabilities that hackers can take advantage of. Yes, there is a flip side to the argument here: some of these systems are so old that they cannot be hacked, or are extremely difficult to hack, as is the case in the US nuclear system. (But don’t think for a moment that nobody is trying!)

Five Ways an External Risk Adviser Can Help the Board Solve the Cyber Risk Puzzle

Boards are used to dealing with economic, environmental, geopolitical, societal and even some technological risks. Much like a driver doesn’t need to know the details of how an engine works to safely steer a car through traffic, directors don’t need to have deep expertise in cybersecurity controls and protocols to steer the organization through the minefields of today’s threat landscape.

“At the board level, I don’t think the board can ever dig deep enough to understand what’s going on under the covers.” — The National Association of Corporate Directors (NACD), “The Evolving Relationship Between the General Counsel and the Board.”

Board directors are faced with the nearly insurmountable task of providing adequate oversight of cybersecurity risks. While they are used to dealing with various types of risk, many directors feel uneasy with their own level of understanding and decision-making around cyber risks, and require the expertise of an external risk adviser. Continue reading at SecurityIntelligence.com

Why we need a #Cybersecurity “Moon Shot” Now.

Cybersecurity must be conquered. The United States must do so to preserve peace and seek knowledge, and “it will be the greatest adventure in which man, let alone the United States, has ever engaged.” Let’s conquer cybersecurity today. And not just for ourselves. But for the generations to come.

I often wonder about the legacy that we would leave our children today if all were to suddenly end. Would they be proud of our accomplishments? Would we leave a lasting effect on mankind? Or would our children view our time as a wasted decade (or two)? Meaning: we have so much and so many riches, yet we find no bother in having someone (something, some nation-state) steal them willy-nilly without attribution or consequences? I wonder.

When I was growing up, I idolized these guys, the Mercury Seven astronauts. They represented the best of the best. Our heroes. The men who would make going to the Moon and walking on the Moon not only possible, but they would get it done. Period. Failure was not an option. And they did not fail.

The #CyberAvengers Playbook

The Non-Technical, No Nonsense Guide For Directors, Officers, and General Counsels

Cybersecurity, as many organizations practice it today, is broken. Everybody is feeling the pressure as competitors and partners alike dread a breach. Leadership can’t be left in the dark due to technobabble, a lack of resources, or excuses as to why cyber risk cannot be measured.

FireEye is proud to support the new eBook, The #CyberAvengers Playbook: Doing the Little Things (and Some of the Big Things) Well (2017 Edition). This short guide is designed to give you actionable items that could help any organization improve its cybersecurity posture.

Download the eBook and pick up the following tips from the #CyberAvengers:

  • Oversight duties: Learn to view risk from an enterprise perspective in an era where accountability and fallout costs are surely going to grow.
  • Cyber risk: Why it matters and how to wisely spend your limited resources.
  • Communication gaps: Cybersecurity is not an IT-only issue, so do not be afraid to speak your mind. We show you which questions to ask.
  • Response and continuity: Even the best-tested plans can go out the window during a time of crisis. Learn to minimize the fallout.
  • What’s happening in 2017 and what to expect in 2018: From the ransomware scare to the General Data Protection Regulation (GDPR) coming into effect, business is becoming more expensive. We try to help you save wherever you can.

From the Starship Enterprise to Your Enterprise: Eight Cybersecurity Lessons From ‘Star Trek’

Every CEO needs a Spock or a Data. In this era of monthly breaches, the importance of a good cyber risk advisor cannot be overstated. The ultimate decision is yours, Captain, but at least you’ve been forewarned.

Many people in the security industry today grew up watching “Star Trek,” from the original episodes to Next Generation, Deep Space Nine, Voyager, Enterprise and the many other series that followed. In anticipation of the upcoming “Star Trek: Discovery” series, we thought it would be a good time to remind our readers that, beyond the entertainment value, “Star Trek” also provides useful metaphors to help security professionals communicate with executives and fellow staffers.

Eight Cybersecurity Lessons for Your Security Starfleet

When it comes to security, the typical enterprise is really not so different from the USS Enterprise. Without proactive risk management, savvy threat identification and effective incident response, neither a business nor an intergalactic vessel can survive. Below are eight cybersecurity lessons that security professionals can take away from “Star Trek.” Continue reading at SecurityIntelligence.com

3 keys to responding intelligently, publicly to a cyberattack

Much the same way you wouldn’t go to a podiatrist for your dental issues (despite increased cases of foot-in-mouth syndrome, particularly over social media), you shouldn’t be using real estate counsel to handle a cyber breach.

Intelligent responses depend on three elements:

  1. Incident Response Planning
  2. Business Continuity Planning
  3. Crisis Communication Planning

There are numerous articles and memos that deal with the topics of incident response, business continuity, and crisis communication plans. Many have even been distributed through media outlets. So you may be asking: why us, why now, and what more could we possibly offer in this space?