Cybersecurity Starts With Basics

I start from this premise: we have finite resources. I do not think anybody serious would disagree with me on this premise. Therefore, let us be smart about how we use these resources. And part of being smart is asking the right questions and knowing the basics.

One undeniable fact: the 2016 elections brought the word “cybersecurity” into the mainstream. The problem that stemmed from that fact: nobody is actually sure what “cybersecurity” is. And as a result, we spin our wheels or head off in differing directions.

For all the tech talk, commentary, and promise of some incredible “save you from all cyber threats” solution, lost in the conversation are the cybersecurity basics. It is a disservice to all when pundits use words such as hack and leak interchangeably. Those who have a more informed understanding of the issue know that these terms have incredibly different meanings. The same can be said for words such as stolen and copied. They are not the same and are often confused, even misused. And how about this one: the difference between authorized access by an unauthorized user and unauthorized access. The fine nuance between the two can entirely re-characterize the nature of an attack.

Cyber Hygiene and Government–Industry Cooperation for Better Cybersecurity

Certainly, information collaboration is a key component of any successful cybersecurity initiative, and the relationship between industry and government is no exception.

This past month, cybersecurity legislation called the Promoting Good Cyber Hygiene Act of 2017 was introduced that would mandate the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and the Department of Homeland Security (DHS) to establish baseline best practices for good cyber hygiene, authentication, and cooperation.

Specifically, the legislation states that the list of best practices established “shall be published in a clear and concise format and made available prominently on the public websites of the Federal Trade Commission and the Small Business Administration.” It also recommends including “other standard cybersecurity measures to achieve trusted security in the infrastructure.”

Ransomware Heists are Only Part of the Board’s Problems

Your job isn’t done by completing a vulnerability assessment. You actually have to do something about those vulnerabilities you have found.

It’s 10:00 am Monday morning and management is in the hot seat. The stock has lost 15 points since the opening bell and is going in a downward spiral. The company is being maligned on the news and trolled on social media. Shareholders are demanding to know how the company allowed a breach to happen over the long weekend, exposing 100 million pieces of personally identifiable information. An emergency meeting with all available board members is called for 1:00 pm to discuss the state of affairs and the question, “What do we do now?”

Ready to present, management and IT hastily put together a presentation of what happened. As soon as the presentation starts, the unthinkable occurs: ransomware takes control. Its demands are simple: $50 million in Bitcoin within one hour, or at 2:00 pm the hacker group dumps corporate R&D and emails from the last year into the public domain. There is no way for the company to recover once this information goes public.

Four Ways CISOs Can Play a Key Role in Educating Top Leadership About Cyber Risks

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.” — Donald Rumsfeld, former U.S. Secretary of Defense

Board directors are under pressure to demonstrate effective oversight of cyber risks — something which, admittedly, they know little about. Is there anyone better suited to educate top leadership about cybersecurity than the chief information security officer (CISO)? Perhaps in a decade or two, those in CEO, chief financial officer (CFO) and board director roles will receive enough education and on-the-job experience to have a solid grasp of cyber risks.

Independence Day from Hacking

Unfortunately, professionals in industry and government still think they are not a target. And what is worse is that many of them are still convinced that the means they used to protect their networks five years ago still apply today.

Watching the news and the debates during the past week felt pretty deflating. You must have heard about the entire “who knew what, and when” regarding the attempted Russian interference during the election. Much of what was said was fairly well known, but with the new drips and drabs of information coming out into the open over the past few days, political opportunism was bound to happen.

Despite this expected response, finger-pointing provides no true help to anybody in the world (and if we are being candid, not even within the Beltway). Sure, it is all interesting. And all of this chatter even provides a good spectacle. We even agree there are some serious questions that need to be answered, like who knew what and when, and why they did (or did not do) something about it.

Time to streamline Congressional oversight of DHS

As DHS reauthorization is finally being addressed by Congress, the time is also opportune to consider the streamlining of Congressional oversight over the Department of Homeland Security. Efficient oversight will lead to better morale and more importantly, a better homeland security posture and capability.

The House Homeland Security Committee recently marked up a bill to reauthorize the Department of Homeland Security (DHS) for the first time since its inception in 2002. Chairman Mike McCaul, R-Texas, stated that the reauthorization bill makes “DHS more efficient by consolidating and eliminating unnecessary programs and offices.”

This is an excellent step in reforming the operational structure of DHS as a federal agency. Congress also needs to reform and streamline its own oversight roles over the agency. This outcome is now a possibility, as McCaul announced last fall that he will work with his colleagues to reduce the number of committees with jurisdiction over DHS.

IoT Pose A Threat To Anything And Everyone Connected

A pragmatic IoT cyber strategy must account for the threat consequences for connected devices and for wireless and wired networks. The strategy requires stepping up situational awareness assessment, policies and training, technology integration, information sharing, mitigation capabilities, and cyber resilience. The end goal is to optimize solutions and services and determine what level of security is required for implementation.

Loosely defined, the Internet of Things (IoT) refers to the general idea of things that are readable, recognizable, locatable, addressable, and/or controllable via the Internet. It encompasses devices, sensors, people, data, and machines. As broad as the definition of IoT are the cybersecurity challenges that pose a threat to anything and everyone connected. A well thought out risk-management security posture for the evolving cybersecurity threats to IoT is an imperative.

Closing the Awareness Gap Requires a Team Effort

In March 2017, Forbes made the case that the IT skills gap is really more of an awareness gap: “College graduates’ skills are not visible to employers because while they’re leaving colleges and universities with transcripts and resumes, employers aren’t able to see the skills they’ve developed through coursework and co-curricular activities.”

Until academic programs provide current and prospective students with documentation on how their multitude of classes translates into mastery of different skills, students are left trying to connect the dots on their own. But to connect the dots, students must step back and reflect on their lessons and experiences to translate them into skills — quite a challenging task in the midst of an academic term or degree program.

Personal Cyber Health and Hygiene: More Expensive Shoes Don’t Make You Run Faster

Wasting your time and money on the latest fad exercise machine or diet will be just that, a waste of time and money, especially if you are not ready to put yourself through the daily grind. Same goes for cyber tools that promise you a path to the mythical place known as CybersecureLand, a place where you can click on any link without any fear because the magical Fairy Cybermother will protect you and whisk any malicious code back to the depths of Maldorware.

It’s January 2nd and you have just finished your latest culinary blowout from the holiday season. You look down towards your toes and you see something obstructing your view that wasn’t there just three weeks ago. And of course, you fear walking towards the scale because you already know it’s going to be bad news.

So what do you do?

Sign up for an expensive gym membership and spend $300 on new training gear of course!

Unfortunately, neither of those will make a difference unless you put your best foot forward and start working your own butt off. Worse, if you do not put that expensive membership and new gear to good use, you are only a few months (weeks?) away from saying, “I wish I didn’t spend all that money for nothing!”

I fear I am about to upset a few people by stating the following: good cyber health and hygiene is a lot like personal health and weight management. It takes time, effort, and dedication to keep in top form and it is also very easy to go off the rails if you do not watch what you’re doing. Furthermore, each time you go off the rails it becomes harder and harder to get back to good form. And the only real difference between your health and cyberspace is that you can at least upgrade your device or operating system, whereas when it comes to our personal health, we are stuck with the same body and brain for our entire lives.

Explaining Cybersecurity through Cars: Get Yours Inspected or Get It Off the Road

The #CyberAvengers want to make cybersecurity unintimidating. Isn’t it a liberating feeling to know when your mechanic is running a fast one on you? It is. And you can do that because you build up your knowledge and are unafraid to say, “why are you trying to get me to replace my entire axle when all I need is a control arm?”

We are pointing out the obvious, but the obvious needs to be pointed out these days: How you view the world impacts your decision-making. And equally as important is how you view yourself. Therefore, if you see the world as a relatively benign place and feel for the most part you are well prepared for whatever challenge you will face, it is quite likely you will do little to change your behavior.

But if you view the world as a more hostile place and think of yourself and us as unprepared, chances are you will either wither away into a corner, frightening yourself into hysterical paranoia, or you will do something rational to prepare yourself for whatever challenge comes your way.

Let us start with this basic premise: The internet is inherently vulnerable. It was designed that way because the debate—about 40-plus years ago—focused on open access and free flow of information versus security. The former won, but we are paying the price today. So, if the information highway (the internet) is all banged up and falling apart, it does not matter how safe your car is because the road is still a mess.