I think government has traditionally been way behind on procurement issues, and recently, enactment of legislation for modernization has taken place. They’re trying to replace a lot of legacy systems.
Our guest today was recently named by LinkedIn as one of the top five people to follow on cybersecurity issues among their 500 million members. He was also just selected by LinkedIn to be an advisor on cybersecurity and emerging technology issues, and we’re lucky enough to have him here in the studio: Chuck Brooks of Chuck Brooks Consulting. Chuck, thanks for joining us. Continue reading “Local LinkedIn pick as cybersecurity guru talks trends”
If you’re unsure an email is legitimate, take the 30 seconds to call your colleague, friend, or family member and ask, “Did you really send me this?” That call could save you millions of dollars and your job, and avoid an avalanche of bad PR.
In our previous article, we started to lay out some important social engineering terms, such as phishing, spear-phishing and pretexting. We even introduced to you what we call “Potentially Unwanted Leaks” (PUL) as tidbits of information that, when out in the wild, become valuable nuggets to be used against you in a social engineering attack.
This last installment in our ICS/SCADA series shows how social engineering was used to cause a blackout, the first known case of a cyberattack being directly responsible for a power outage.
On December 23, 2015, at 3:35 pm local time, in Ivano-Frankivsk Oblast (a southwestern region of Ukraine that borders Romania and is in close proximity to the borders of Hungary, Slovakia, and Poland), seven 110 kV and twenty-three 35 kV substations were disconnected for three hours.
The power outage, which took out 30 substations, could have impacted up to three different energy distribution companies, causing 225,000 customers to lose power. Shortly thereafter, Ukraine’s SBU state security service responded by blaming Russia, not an unreasonable assertion given that plenty of lead time was required to conduct this operation.
How was this allowed to happen? Continue reading “Attacks to Critical Infrastructure Are Real, & They Can be Incredibly Easy”
There has never been a better time to understand the linkage between cyber risks, business strategy and performance, and to ensure that all levels of the organization are making the best decisions possible, both for today’s world and for tomorrow’s cyber earthquakes.
This past September, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued an updated enterprise risk management (ERM) framework, titled “Enterprise Risk Management — Integrating with Strategy and Performance,” to help business leaders understand the risks their organizations face and evaluate their impact on business performance.
While the COSO ERM guidance is designed to simplify risk management at an enterprise level, organizations can derive even more value from the framework by coupling it with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which is geared more toward day-to-day, ground-level risk management. Continue reading at SecurityIntelligence.com
On a more serious note, the COSO ERM also underscores the relationship between risk and value. It elevates the discussion of strategy and risk, looking at the possibility that strategy and business objectives are not in strong alignment with the organizational mission, vision and values. It allows for deep insight into the implications of the various strategies that management is contemplating and the risks that stem from executing a chosen strategy.
If oversight of cyber risks was trivial, it wouldn’t be an issue anymore. But it is still an issue because cyber risks are a business concern, and making smart business decisions is a nontrivial issue.
In September 2017, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued an updated enterprise risk management (ERM) framework, titled “Enterprise Risk Management — Integrating with Strategy and Performance,” to help business leaders understand and prioritize the risks their organizations face and measure how these risks impact business performance. Continue reading at SecurityIntelligence.com
Think Equifax. Think Uber. Now think about how to notify those tens and hundreds of millions within 72 hours. That is the sort of headache you are going to have to deal with.
There is a lot of talk about the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679). And rightly so, because it will impact a great many organizations, many of which reside in the U.S. Set to come fully into effect on May 25, 2018, the GDPR has understandably caused a lot of headaches because it is a wide-sweeping and costly regulation, especially if you are in violation.
Clearly, the first question to ask is if the GDPR applies to you. If it doesn’t, you are in the clear (but that is not an excuse to relax your data protection measures). If it does, well, you have work to do if you haven’t been on top of your GDPR compliance. This is especially true if you are a big organization, are not based in the EU, and have a lot of EU customers and clients. Continue reading “An Eye on GDPR”
Market forces are at play here, and with a global market, it’s tough to control what gets built, to what specifications, and then find an appropriate way to share that information with potential buyers.
Perspectives From 3 Of The Top SMEs In Information Security
As we approach the new year, I, Chuck Brooks, am very pleased to have a discussion with four of the most prominent technical SMEs in the world of cybersecurity; Kenneth Holley, George Platsis, and Christophe Veltsos. Their answers that follow offer practitioner perspectives and advice on some of the key issues and technologies that encompass the future of information security. It is worthwhile keeping their comments as a source reference for the C-Suite and anyone concerned about protecting their identities and data. Continue reading “2018 & Beyond – Cybersecurity’s Future”
And one from the #CyberAvengers all on Forbes
Attacks on the US government and critical infrastructure
A nation-state sponsored group will commence a 5-day long DDoS attack against a critical US government (non-DoD) agency, shutting it down in order to show their strength. (The Cyber Avengers)
Read the entire list on Forbes
We cannot allow this slow economic bleed of our economy to continue. It slows down and even reverses living standards. We simply cannot invest billions into research and development and have it siphoned from us with a few clicks. There is no justifiable reason to let this happen anymore. Smart and competent people have been sounding the alarm bells for some time, but they need more voices to back them.
Expectedly, our cybersecurity issues are growing. We say expectedly for a variety of factors including, but not limited to: size and scope of breaches, increasing costs that cannot be accurately estimated or predicted, a proliferation of technologies and abilities, and geopolitical tensions. Given current conditions, we do not see a particularly bright future if our current cybersecurity strategy remains more or less constant.
What is our current strategy? In short, it is the accumulation of a lot of expensive toys to hold together decaying infrastructure, along with a healthy dose of putting aside, or worse, ignoring, the basics. We look to more technological solutions, but we avoid the single greatest problem: our decisions. The growing track record of failures demonstrates that this “technology-heavy” approach is not working.
The underlying problem with this strategy is that it is simply untenable unless there is some revolutionary technology that completely changes the landscape. And while we do think artificial intelligence and quantum computing will be game-changing, we do not necessarily believe they will solve all our problems. Poor handling and implementation of these two technologies may, in fact, accelerate our demise. Therefore, we cannot continue to throw what limited resources we have at supposed technological wizardry, fixes, and repairs when the root of our deepest problems are inherently insecure systems, poor maintenance, and social engineering. Continue reading “A National Cybersecurity Action Plan is a Serious Priority”
Frank Abagnale, one of the world’s most respected authorities on the subjects of forgery, embezzlement, cybercrime, and secure documents, succinctly states the troubling environment: “The police can’t protect consumers. People need to be more aware and educated about identity theft. You need to be a little bit wiser, a little bit smarter, and there’s nothing wrong with being skeptical. We live in a time when if you make it easy for someone to steal from you, someone will.” There are many malicious actors out in the digital landscape, and it will be increasingly important to stay ever vigilant.
Email interview held on 30 September 2017 between Alan Radley (questioner) and Chuck Brooks (respondent), as follows:
- What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?
The current state is a scary one. Constant breaches have demonstrated that as consumers we are becoming more and more dependent upon digital commerce. Our banking accounts, credit cards, and daily financial activities are interconnected. We are all increasingly vulnerable to hackers, phishers, and malware proliferating across all commercial verticals.
In the past year, the employment of ransomware has become a method of cyber-attack of choice for hackers. This is because many networks (especially hospitals, utilities, universities, and small businesses) are comprised of different systems and devices, and often lack the patching and updating necessary to thwart attacks. The recent WannaCry and Petya attacks were certainly wake-up calls to the disruptive implications of ransomware. We can expect to see more such attacks because of the ease of infection and because the vulnerabilities in networks still remain. Continue reading “Science of Cybersecurity Interview with Chuck Brooks”
This plague has only increased and has prompted much research and writing on cybersecurity best practices (including by us), settling on, at the very least, one or more best practices designed to lessen (if not entirely mitigate) the effects of ransomware.
The recent WannaCry ransomware exploit brought into full view several factors that terrify many companies and their boards of directors. Why? Because these directors are charged with the fiduciary duty of overseeing the cyber risk preparations and defences of their companies for their shareholders.
In today’s environment, this presents quite a challenge for companies and boards alike. Security has always been a challenge because the defender must be right 100 per cent of the time and an attacker needs only one lucky shot. Effective cyberattacks can involve factors such as:
1. A ‘zero-day’ or previously unknown software exploit (or vulnerability) that even advanced IT departments could not reasonably have planned for
2. An exploit that encrypts files when enabled or executed, and will not give the files back unless a ransom is paid
3. A public relations nightmare trying to explain to third parties, regulators (and in the case of WannaCry, hospital patients) why service levels dropped (i.e. evaporated) due to lack of properly segmented back-up recovery media and/or less than rigorous implementation of standard patches for older operating systems. Continue reading “Cybersecurity: A fiduciary duty”