Five Whys: Lessons From the World of Incident Investigations

“If you do not ask the right question, you will not get the right answer.” — Olivier Serrat, “The Five Whys Technique”

In the 21st century, cybersecurity is paramount to an organization’s survival. Yet many organizations have managed to get by with poor cybersecurity practices, which then only serves to reinforce the illusion that things are under control. Security leaders, C-suite executives and board directors tend to interpret near misses that go uninvestigated as evidence of the organization’s ability to successfully protect against or react to security incidents.

Situational Awareness: Beware of Your Cyber Surroundings

For all the solutions out there, make sure you are packing the right material for you because you only have a finite amount of resources. This is what it means to be situationally aware. And this exercise also helps you prioritize what data you value most.

In previous articles on understanding big data, the need for AI, using encryption and tokenization (including the drawbacks of encryption), and the series on human vulnerabilities, we laid down just some of the building blocks necessary to create a robust cybersecurity strategy. Yet there is a larger problem we often experience: losing the trees for the forest. All the tips we have mentioned thus far are great, but only if you are situationally aware of your own challenges.

If you have legal or regulatory compliance issues, such as the European Union’s General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), you have no choice but to follow them. However, neither of us is a big fan of standards and certifications, for the simple reason that they rarely meet your specific needs, in addition to being a costly undertaking in both time and money. This is why we are fans of frameworks, such as the NIST Cybersecurity Framework (updated in January 2017), for the exact reason that a framework allows you to meet your own needs.

Fixing the Federal IT Mess Before it is Too Late

You would be amazed how lightbulbs go off over people’s heads when we say “think of cybersecurity like this: network security + information security = data security.” Cybersecurity suddenly seems less threatening.

Originally published on May 8th, 2017: Let us take a headcount of recent events: the attack on Ukraine’s electric grid, a LinkedIn data dump as a result of a 2012 breach, the information warfare campaign surrounding the US Elections, a peculiar “Google Docs” app involved in a massive spear-phishing campaign, and most recently, another information warfare campaign aimed at the French Elections. Do not forget our “good ole friends” – North Korea, Iran, and Syria, just to mention a few – are well into the cyber game and ready to pounce on the next database which has been left unguarded, unencrypted, and unprepared to thwart an attack.

As the disc jockey says, “and the hits keep on playing!”

The Human Factor: Technology Changes Faster Than Humans

Furthermore, the mass hysteria over “cybersecurity” now in 2017 requires some context. If one examines the core of the issues we face today, such as networks being inherently vulnerable, they are not all too different from the ones professionals faced in the 1980s, except that many of the past lessons have been ignored and the magnitude and complexity of today’s challenges are just that much more overwhelming.

The title of this piece is quite obvious, but it is also an unappreciated fact. Consider for a moment the change we have seen over the last 30 years: access to cyberspace was scarce, often limited to enterprise users such as governments, educational institutions and the largest corporations, whereas today, there are billions of users who treat the Internet as a basic need for living – just like electricity – with access points into this domain continuing to grow.

Chuck Brooks explains the difference between ICS and IT security

Protecting industrial control systems is a component of the dynamic threat environment and response matrix that constitutes the whole of cybersecurity. IT security is also a broader part of cybersecurity. Because of the vital role of industrial control systems, enhanced security measures, including more isolated networks, multi-layered (software and hardware hardened) defense-in-depth and specialized protocols, are needed to protect these assets.

In an interview with Ludmila Morozova-Buss, Mr. Chuck Brooks – one of the world’s known experts, the industry guru, your future reference for the most competent and comprehensive quest and analysis on cybersecurity – explains what an industrial control system (ICS) is and why its security is different from IT security.

The Human Factor: Cybersecurity’s Forgotten Conversation

Therefore, I would ask you to look at “cybersecurity” through this simple equation as you go through this series: Network Security + Information Security = Data Security. I believe splitting up the problem like this will make a significant difference in how we solve our problems.

In any conflict, humans are impacted. In conflict, the best scenario is that the individual leaves unscathed and perhaps even unaware of what could have been their misfortune, whereas in the worst of cases – such as kinetic warfare – the impact can be the ultimate price: loss of life.

There is also a cruel truth of conflict that often gets overlooked: those who survive may be living a hell on earth as they piece together what little they have left to move on. Instead of dying immediately, they may be bled to death over time. Herman Kahn’s book, On Thermonuclear War, in a way, describes such scenarios.

Encryption Works Great, But Only When Done Right

Cryptographic systems that are proprietary (those that have not been publicly tested and scrutinized) may very well be mathematically robust. The problem is that you have no way of knowing, or testing, whether or not the cryptographic system is actually secure unless you have insider information. Therefore, be cautious if somebody is promising you a pot of gold.

In an article we wrote for Tripwire, we discuss the advantages of encryption and tokenization. The premise of our argument is as follows: slow down your adversary by making your data meaningless to them. In other words, make yourself a “goes nowhere” project forcing your adversary to seek out a target that does not cause them the grief you do.

Encryption works precisely because it slows down an actor, but it comes with some bad news as well. Therefore, we wrote this add-on article to explain some of the drawbacks of encryption.

Make Yourself a “Goes Nowhere” Project for Adversaries

Would you invest time and treasure in a “goes nowhere” project? Probably not. You have better things to do. Therefore, take steps – like encryption, tokenization, and data masking – to make your data so meaningless to an adversary that they will consider you a “goes nowhere” project.

Before we jump in, we need to make clear the following: no single solution will ever offer complete and total security. In fact, even multiple solutions designed to provide overlapping layers of security to your crown jewels will not provide “complete and total” security. But what any reasonably implemented solution should do is the following: slow down your adversary by making their job difficult and eventually forcing them to move on to a more easily accessible target (or, more colloquially, go for the low hanging fruit).

Although this fact should be relatively obvious, both of us still experience – more often than we would like to admit – “experts” professing they can provide “total security” because they have the latest and greatest technology. As we indicated in our previous article (making sense of big data), big numbers are, in fact, hard to make sense of by mere mortals like us. In the same fashion, humans are really bad at understanding probabilities (for those who seek greater understanding of the topic, Nassim Nicholas Taleb, author of The Black Swan and Fooled by Randomness, explains the subject well). “Low” probability is in fact quite different from “zero” probability, but we often make the mistake of equating the two (and such a mistake could be perilous).

Defining and Addressing the Growing Cyber Insider Threat

Comprehensive risk management should include cyber-hygiene best practices: education/training, use policies and permissions, configuring network access, device management, application controls, and regular network audits. In addition, encryption tools, new network mapping, automated rapid detection technologies and behavioral analytic software tools have been developed that help mitigate the insider threat landscape of morphing digital and physical threats.

The Cyber Insider Threat is one of the most difficult challenges for companies, organizations, and countries. It is often difficult to discover, defend and remediate because such threats can involve a combination of human behavioral elements and hardware and software technologies. Many of the threat actors are tech-savvy and are becoming increasingly sophisticated in their methods of infiltration.

The recent “Vault 7” WikiLeaks download of thousands of pages of sensitive CIA hacking tools and techniques is the latest episode of high-profile insider breaches. Other noted examples include: Army Pfc. Chelsea Manning – 400,000 documents (Iraq War logs) and 91,000 documents (Afghanistan database); Edward Snowden – 50,000 to 200,000 NSA documents; Harold Thomas Martin III, NSA contractor – 50,000 gigabytes, about 500 million documents; Home Depot data breach – 56 million credit cards; Yahoo – 1 billion accounts; Twitter – 32 million accounts; healthcare – 4 million patient records. The average cost of a data breach in 2016 was $4 million per company (Ponemon). Global business loss in 2014 was $1.7 trillion, with 23% annual growth; 2016 losses could be higher than $3 trillion globally (stats courtesy of Mr. Thomas Kupiec, Chief Information Security Officer of SMS and former CISO of the National Geospatial-Intelligence Agency).

Cyber Resilience Tools and Principles for Boards of Directors

“Cyber resilience in an organization must extend beyond the technical IT domain to the domains of people, culture and processes. A company’s protective strategies and practices should apply to everything the company does — to every process on every level, across departments, units and borders — in order to foster an appropriately security-conscious culture.” – Walter Bohmayr and Alexander Türk, The Boston Consulting Group

The World Economic Forum (WEF) is known for its yearly meetings of the global elite held in Davos, Switzerland, as well as its “Global Risks Report,” which is typically released around the same time. Recently, the WEF has taken on a new role on the global scene and is spearheading a global effort to help organizations become more cyber resilient. In January 2017, the WEF released a report entitled “Advancing Cyber-Resilience: Principles and Tools for Boards.”