Potentially Unwanted Leaks: Social Engineering, Small Missteps, and Big Mistakes

Therefore, you are faced with a situation where you not only have to protect your information but also ensure that a third party is protecting your information. By no means is this an easy task. And if you cannot do that, you need to ensure that you are equipped with the necessary tools to protect against what we’ve been calling “potentially unwanted leaks” (PUL).

In our previous article, we laid the groundwork for what we believe to be a serious threat to ICS/SCADA devices: social engineering. We continue here with some definitions, some of which you may already know. 

Phishing

Phishing is a relatively broad term for any attempt to trick victims into sharing sensitive information, such as passwords, usernames and credit card details. The intent is almost always malicious. Another characteristic of phishing is that it tends to be random and usually exploratory in nature, as opposed to a targeted act. Instead of targeting a specific individual or group of individuals, phishing tends to target multiple victims from within the same organization. Think of phishing as the “throw spaghetti at the wall and see what sticks” approach. Continue reading “Potentially Unwanted Leaks: Social Engineering, Small Missteps, and Big Mistakes”

A National Cybersecurity Action Plan is a Serious Priority

We cannot allow this slow economic bleed of our economy to continue. It slows down and even reverses living standards. We simply cannot invest billions into research and development and have it siphoned from us with a few clicks. There is no justifiable reason to let this happen anymore. Smart and competent people have been sounding the alarm bells for some time, but they need more voices to back them.

Expectedly, our cybersecurity issues are growing. We say expectedly for a variety of factors including, but not limited to: the size and scope of breaches, increasing costs that cannot be accurately estimated or predicted, a proliferation of technologies and abilities, and geopolitical tensions. Given current conditions, we do not see a particularly bright future if our current cybersecurity strategy remains more or less constant.

What is our current strategy? In short, it is the accumulation of a lot of expensive toys to hold together decaying infrastructure, along with a healthy dose of putting aside or, worse, ignoring the basics. We look to more technological solutions, but we avoid the single greatest problem: our decisions. The growing track record of failures demonstrates that this “technology-heavy” approach is not working.

The underlying problem with this strategy is that it is simply untenable unless some revolutionary technology completely changes the landscape. And while we do think artificial intelligence and quantum computing will be game-changing, we do not necessarily believe they will solve all our problems. Poor handling and implementation of these two technologies may, in fact, accelerate our demise. Therefore, we cannot continue to throw what limited resources we have at supposed technological wizardry, fixes, and repairs when the root of our deepest problems is inherently insecure systems, poor maintenance, and social engineering. Continue reading “A National Cybersecurity Action Plan is a Serious Priority”

Five Ways an External Risk Adviser Can Help the Board Solve the Cyber Risk Puzzle

Boards are used to dealing with economic, environmental, geopolitical, societal and even some technological risks. Much like a driver doesn’t need to know the details of how an engine works to safely steer a car through traffic, directors don’t need to have deep expertise in cybersecurity controls and protocols to steer the organization through the minefields of today’s threat landscape.

“At the board level, I don’t think the board can ever dig deep enough to understand what’s going on under the covers.” — The National Association of Corporate Directors (NACD), “The Evolving Relationship Between the General Counsel and the Board.”

Board directors are faced with the nearly insurmountable task of providing adequate oversight of cybersecurity risks. While they are used to dealing with various types of risk, many directors feel uneasy with their own level of understanding and decision-making around cyber risks, and require the expertise of an external risk adviser. Continue reading at SecurityIntelligence.com

Why we need a #Cybersecurity “Moon Shot” Now.

Cybersecurity must be conquered. The United States must do so to preserve peace and seek knowledge, and “it will be the greatest adventure in which man, let alone the United States, has ever engaged.” Let’s conquer cybersecurity today. And not just for ourselves. But for the generations to come.

I often wonder about the legacy that we would leave our children today if it all were to suddenly end. Would they be proud of our accomplishments? Would we leave a lasting effect on mankind? Or would our children view our time as a wasted decade (or two)? Meaning we have so much and so many riches, yet we find no bother in having someone (something/some nation-state) steal them willy-nilly without attribution or consequences? I wonder.

When I was growing up, I idolized these guys, the Mercury Seven astronauts. They represented the best of the best. Our heroes. The men who would not only make going to the Moon and walking on the Moon possible, but would get it done. Period. Failure was not an option. And they did not fail. Continue reading “Why we need a #Cybersecurity “Moon Shot” Now.”

From the Starship Enterprise to Your Enterprise: Eight Cybersecurity Lessons From ‘Star Trek’

Every CEO needs a Spock or a Data. In this era of monthly breaches, the importance of a good cyber risk advisor cannot be overstated. The ultimate decision is yours, Captain, but at least you’ve been forewarned.

Many people in the security industry today grew up watching “Star Trek,” from the original episodes to Next Generation, Deep Space Nine, Voyager, Enterprise and the many other series that followed. In anticipation of the upcoming “Star Trek: Discovery” series, we thought it would be a good time to remind our readers that, beyond the entertainment value, “Star Trek” also provides useful metaphors to help security professionals communicate with executives and fellow staffers.

Eight Cybersecurity Lessons for Your Security Starfleet

When it comes to security, the typical enterprise is really not so different from the USS Enterprise. Without proactive risk management, savvy threat identification and effective incident response, neither a business nor an intergalactic vessel can survive. Below are eight cybersecurity lessons that security professionals can take away from “Star Trek.” Continue reading at SecurityIntelligence.com

No Time for Techno-Babble: Four Key Traits of Quality CISO Reports

Directors are under pressure to ensure that they are dutifully discharging their duties of care and due diligence.

Board directors have very little patience for technical jargon. Given the tremendous pressure executives are under to avoid headline-grabbing data breaches, CISO reports should align enterprise risks with their potential impacts on business objectives in terms that nontechnical board members can easily understand.

An EY report titled “The Evolving Role of the Board in Cybersecurity Risk Oversight” stated that board directors “seek assurances from management that their cyber risk management programs will reduce the risk of attacks and, when necessary, will detect, respond and recover from any attack that does happen.” Continue reading at SecurityIntelligence.com

Incident Response – 3 Takeaways from the Equifax Breach

It’s not about what you do right, as much as what you do not do wrong.

The SecureWorld News Team talked with Shawn Tuma about many of the lessons that can be learned from the Equifax data breach and winnowed them down to the following 3 takeaways, which are discussed more thoroughly in the article at SecureWorldExpo.com:

  1. We need a uniform national breach notification law in the United States.
  2. When it comes to data breach response, “[i]t’s not about what you do right, as much as what you do not do wrong.”
  3. A mega breach keeps going, and going, and going.

Main Takeaways for CIOs from the Global C-Suite Study

Technological advances are transforming the way we connect, disrupting the status quo and creating huge turbulence. Industries are converging, and new opportunities and threats are emerging, as never before.

— IBM IBV 2016 Global C-suite Study – The CIO Point of View

The pace of change is top of mind for CIOs. We live in an age where technology is nearly obsolete by the time it has been implemented and deployed. Gone are the days of 5-year and 7-year technology deployment plans; instead, CIOs must constantly oversee a near-continuous digital transformation of their enterprise. Add to that the critical nature of today’s technology infrastructure — i.e. can your business run without computers, networks, or the Internet? — and you get a good sense of the level of stress CIOs are facing today. Continue reading at IT Biz Advisor

Rising Tides and Higher Stakes – High Performance Counsel Interview with Chuck Brooks

The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for critical communications in cases of emergency.

What are the new Cybersecurity Stakes – What are vulnerabilities and risks?

We live in a world of algorithms; x’s and o’s. Our digital world is ripe for access and compromise by those who want to do harm from just a laptop and server. A myriad of recent breaches have demonstrated that as consumers we are becoming more and more dependent upon digital commerce. Our banking accounts, credit cards, and financial daily activities are interconnected. We are all increasingly vulnerable to hackers, phishers, and malware proliferating across all commercial verticals.

In the past year, the employment of ransomware has become a method of cyber-attack of choice for hackers. This is because many networks (especially hospitals, utilities, universities, and small businesses) are comprised of different systems and devices, and often lack the required patching and updating necessary to thwart attacks. The recent WannaCry and Petya attacks were certainly wake-up calls to the disruptive implications of ransomware. We can expect to see more such attacks because of the ease of infection and because the vulnerabilities to networks still remain. Continue reading “Rising Tides and Higher Stakes – High Performance Counsel Interview with Chuck Brooks”

Testing Top Leadership’s Muscle Memory With Data Breach Simulations

How would your organization’s leadership fare in its response to a full-on data breach? Regular and ongoing training can improve top leaders’ ability to respond to a cybersecurity breach and avoid doing additional damage to the reputation of the company as they deal with the repercussions.

Organizations simply cannot afford to be lax about their level of preparation for a cybersecurity event: shareholders, government regulators and consumers won’t be keen on businesses that take a weak approach to cybersecurity. A data breach is something that has to be not simply considered and discussed a couple of times a year, but actively prepared for and drilled against. Obviously, incident response teams must practice and fine-tune their responses on a near-continuous basis, but many organizations don’t realize that executives should do the same. Continue reading at SecurityIntelligence.com