Ask Yourself: Why Do You Amass Data?

Remember: the system worked exactly as it was designed to. Some don’t like the fact that Bob had access to the data. But keep this in mind: it’s quite possible that we haven’t yet heard of an Alice, Joe, and Sally who had access to similar, or even more, data.

Unless you have been living under a rock, you may have noticed that a growing number of people are not too pleased with Facebook and Alphabet Inc., parent of Google and developers of the mobile operating system, Android.

What started the recent frustrations are the revelations from an employee of Cambridge Analytica and how the company harvested information from 50 million Facebook users.  I want to skip over the part about how the data was used, because that’s the fog in this storm and the distraction is entering “funny cat video” territory.

Where we should be focusing our thinking is here: that the data was harvested in the first place, in one central repository. That’s the issue.

The Principles of a Safe Secure & Intelligent (S2I) Communications System

And that’s it. That is the entire basis for developing these principles, the rules of the road, these guiding lights, so that we can protect these systems we so dearly rely on.

What is a principle? The “know all” (aka, Google) tells us a principle is: “a fundamental truth or proposition that serves as the foundation for a system of belief or behavior or for a chain of reasoning.”

What is a communication system? The other “know all” (aka, Wikipedia) tells us a communication system is: “In telecommunication, a communications system is a collection of individual communications networks, transmission systems, relay stations, tributary stations, and data terminal equipment usually capable of interconnection and interoperation to form an integrated whole.”

Calculating the Costs of a Cyber Breach: Becoming the “Antifragile” Cyber Organization

What is worrying us is the intangible like human interaction with and dependence on machines, human decision-making…In this space, we actually feel we are doing the opposite of getting better; instead, we are getting worse. We are becoming even more fragile.

The 2017 Ponemon Institute Cost of a Data Breach Study found that the cost of a data breach is going down, but the size of a data breach is going up. Additional key findings included the following:

  • The average total cost of a data breach decreased from $4.00 to $3.62 million.
  • The average cost for each lost or stolen record containing sensitive and confidential information also decreased from $158 in 2016 to $141. (The strong USD played a role in reducing the costs.)
  • The average size of the data breaches investigated in the research increased 1.8 percent.

Okay, so what does all that mean? Good news? Bad news? Mixed news?


Four Key Lessons From NACD’s ‘2018 Governance Outlook’ About Managing Cyber Risks

“Being ‘secure’ is not a static end state that lends itself to inflexible compliance checklists; it requires a constant evaluation of risk relative to a rapidly evolving cyberthreat landscape.”

In mid-December 2017, the National Association of Corporate Directors (NACD) published its “2018 Governance Outlook: Projections on Emerging Board Matters” report, designed to highlight key areas of focus for board directors in 2018. It also offered recommendations for improving enterprise risk management, including a section dedicated to cyber risks.

Four Key Takeaways From the NACD’s ‘2018 Governance Outlook’

The report — and the underlying NACD Public Company Governance Survey — found that only 49 percent of board directors are confident about management’s ability to effectively handle cyber risks. In the same vein, since there are increasing calls for cyber risks to be integrated within the enterprise risk management (ERM) system, 58 percent said it was important or very important for their boards to improve oversight of risk management in the coming year. Continue reading at SecurityIntelligence.com

Treat Your Data Like Cash

Information is just another form of currency (arguably, the most valuable), which is why if you believe in the old saying “cash is king” then we should really start thinking “data is king” also.

How annoyed are you when you find out you lost some cash?  Whether it is a few bucks in your jeans pocket or that “emergency stash” under the mattress, losing that “cold hard cash” is a feeling that always twists your stomach.  Sometimes you blame yourself.  Sometimes you blame others.  Depending on the amount lost, your emotions could range from the standard “how could I be so stupid?” to a profanity-laced tirade that is not suitable for print here.

Question: do you feel the same way when you experience credit card fraud? My instinct is that while you would feel some sort of violation and negative feelings, it’s just not “the same” as losing cash.

2018 & Beyond – Cybersecurity’s Future

Market forces are at play here, and with a global market, it’s tough to control what gets built, to what specifications, and then find an appropriate way to share that information with potential buyers.

Perspectives From 3 Of The Top SMEs In Information Security

As we approach the new year, I, Chuck Brooks, am very pleased to have a discussion with four of the most prominent technical SMEs in the world of cybersecurity: Kenneth Holley, George Platsis, and Christophe Veltsos. Their answers that follow offer practitioner perspectives and advice on some of the key issues and technologies that encompass the future of information security. It is worthwhile keeping their comments as a source reference for the C-Suite and anyone concerned about protecting their identities and data.

60 Cybersecurity Predictions For 2018

And one from the #CyberAvengers all on Forbes

Attacks on the US government and critical infrastructure

A nation-state sponsored group will commence a 5-day long DDoS attack against a critical US government (non-DoD) agency, shutting it down in order to show their strength—The Cyber Avengers

Read the entire list on Forbes

Controlling Your Cyber Supply Chain

We don’t have “hall monitors” walking around our offices checking for fires. It’s something everyone in the organization keeps a watch out for (in large part, because of personal safety). Well, if your company goes bankrupt because all its IP has been stolen, I think that impacts your personal safety. So, start a program of being “security smart” within your organization.

Back in September, I wrote a piece that questioned whether or not you trust your network. As an extension to that piece, this piece focuses on your cyber supply chain.

Let’s begin with this simple premise: you may never fully know who is a part of your cyber supply chain. Why do I say that? Because it is simply impossible for you to keep a watchful eye on all parts of the supply chain. It would be a full-time job for you. In my view, the only entity that could have full control of its cyber supply chain is a government (emphasis on could, because even for a government, full control of the cyber supply chain could be an incredibly difficult and expensive proposition).

If you accept that simple premise, then by extension, you will have no problem accepting this one as well: the probability of you being breached is greater than zero.

If you are with me so far, this is excellent. It means you have not bought a bag of magical beans from vendors or consultants who are already preaching to you that you are on the way to the cyber secure promised land.

Potentially Unwanted Leaks: Social Engineering, Small Missteps, and Big Mistakes

Therefore, you are faced with a situation where you not only have to protect your information but also ensure a third-party is protecting your information. By no means is this an easy task. And if you cannot do that, you need to ensure that you are equipped with the necessary tools to protect against what we’ve been calling “potentially unwanted leaks” (PUL).

In our previous article, we laid the groundwork for what we believe to be a serious threat to ICS/SCADA devices: social engineering. We continue here with some definitions, some of which you may already know. 

Phishing

Phishing is a relatively broad term for any attempt to trick victims into sharing sensitive information, such as passwords, usernames and credit card details. The intent is almost always malicious. Another characteristic of phishing is that it tends to be random, usually exploratory in nature, as opposed to a targeted act. Instead of targeting a specific individual or group of individuals, phishing tends to target multiple victims from within the same organization. Think of phishing as the “throwing spaghetti on the wall and whatever sticks” approach.

A National Cybersecurity Action Plan is a Serious Priority

We cannot allow this slow economic bleed of our economy to continue. It slows down and even reverses living standards. We simply cannot invest billions into research and development and have it siphoned from us with a few clicks. There is no justifiable reason to let this happen anymore. Smart and competent people have been sounding the alarm bells for some time, but they need more voices to back them.

Expectedly, our cybersecurity issues are growing.  We say expectedly for a variety of factors including, but not limited to: size and scope of breaches, increasing costs that cannot be accurately estimated or predicted, a proliferation of technologies and abilities, and geopolitical tensions. Given current conditions, we do not see a particularly bright future if our current cybersecurity strategy remains more or less constant.

What is our current strategy? In short, it is the accumulation of a lot of expensive toys to hold together decaying infrastructure, along with a healthy dose of putting aside, or worse, ignoring, the basics. In short, we look to more technological solutions, but we avoid the single greatest problem: our decisions. The growing track record of failures demonstrates that this “technology-heavy” approach is not working.

The underlying problem with this strategy is that it is simply untenable unless there is some revolutionary technology that completely changes the landscape. And while we do think artificial intelligence and quantum computing will be game-changing, we do not necessarily believe they will solve all our problems. Poor handling and implementation of these two technologies may, in fact, accelerate our demise. Therefore, we cannot continue to throw what limited resources we have at supposed technological wizardry, fixes, and repairs when the root of our deepest problems is inherently insecure systems, poor maintenance, and social engineering.