What's surprising is the NYC Council members don't want to own the result of their actions in passing the NYC Community Safety Act of 2013. In our Queens District, City Council Member Mark Weprin needs to take ownership for a law he personally shepherded into NYC. He and others have now reintroduced Crime, Disorder and Fear on the streets of NYC. The City Council passed this law against the advice and experience of every level of Law Enforcement in NYC - 500 years of experience. But Mark Weprin and the City Council knew better and now they own the results.
Members of the police department have heard him and others in the City Council loud and clear. Police Officers in NYC will be sued personally, their families, homes and incomes placed in legal jeopardy should someone "feel" their rights have been violated.
As we stated in our campaign for City Council (one with historically low voter turnout), and will state again here for the record: those least capable of representing and protecting themselves, the poorest of NYC, would be hurt first. It pains me greatly to see the crime stats and headlines come true. But it was a predictable reality.
Now the NYC Council needs to take ownership of a VERY BAD law which only lawyers could draw up under the crafty title of Community Safety Act. Very crafty, very tricky, but it is now a loss leader for all who live in NYC.
Stop, Question and Frisk was not a legal problem in NYC, it was very much a management issue. Now the City Council and Mark Weprin own the result. Yes, I'm pushing it, because kids just don't deserve the harshness which City Council members just don't seem to get. I take no pleasure in being right; I am sick over the headlines and the predictable results.
Shame on the NYC Council for failing to do the hard work in the first instance, and that is holding the NYPD to account for training and discipline through oversight and hearings. For failing to talk it out with borough and precinct level commanders. For failing to properly educate the public on the real issues. For the poorer communities of NYC it's not about quality of life, it's about survival.
The next time you send the kids out to get ice cream, remember the little boy in East New York. Think hard about who you vote for; elections have consequences. The security of the people is job one of any elected official. Failure to provide that blanket of security, notwithstanding all of the problems, should be a basis for forfeiture of office.
Sad, very, very sad. I am distressed for the parents who now have to bury their children. Just incredible....and yes, very preventable. This isn't a Police Department problem, it's a failure of leadership by our elected officials right here in NYC, hell-bent on doing anything they can to get re-elected.
LINKS:
Patrol Borough Brooklyn North
75th Precinct
Perspectives on: Security ranging from business continuity, information security, physical security, intelligence and related industry fields.
Wednesday, June 4, 2014
Intolerant NYC Council Successfully Handcuffs NYPD - resulting in the return of Crime, Disorder and Fear to the streets of NYC
Tuesday, June 3, 2014
Uncertainty, risky first half of 2014...the year of the hack?
Pushing the buttons of millions of individual Americans is the fact that their accounts have been hacked, according to Larry Ponemon at the Ponemon Institute in a study conducted for CNN Money. Ponemon's study gauged that 47% of adults had their accounts hacked during 2014, which may soon become known as "the year of the hack". That's just about half of all adults in the United States.
The fascinating numbers come on the heels of the Target breach, which we have been discussing on this blog, and don't include the millions in the latest eBay breach. It's raining on the American public as millions of (PII) records are exposed. Here are the facts and figures Ponemon and Jose Pagliery of CNN have dug up for CNN Money:
"Cyber attacks are growing so numerous that we're becoming numb to them. Researchers at IT company Unisys (UIS) say we're now experiencing "data-breach fatigue." Even the most recent numbers make for a dizzying list:
- 70 million Target customers' personal information, plus 40 million credit and debit cards
- 33 million Adobe user credentials, plus 3.2 million stolen credit and debit cards
- 4.6 million Snapchat users' account data
- 3 million payment cards used at Michaels
- 1.1 million cards from Neiman Marcus
- "A significant number" of AOL's 120 million account holders
- Potentially all of eBay's 148 million customers' credentials"
More numbing than the facts and figures presented by the Ponemon Institute for CNN Money is the fact that the industry as a whole has not adopted better and well-known security practices. Need I go on? For ten years industry has been digging a hole deep in the sand and sticking its proverbial head in the hole. See my blog post on accountability.
Let's not blame it on companies looking at profits; after all, isn't that why companies are in business to begin with? However, we too pause when companies select tactical gains to satisfy quarterly earnings statements, and perhaps to make themselves look good, as opposed to the overall strategic growth and health of the company or corporation. Read: responsibility to shareholders and company employees. To some extent the risk vs. reward discussion will come up, and when it is presented, executives will nervously select profits. Until boards reflect the knowledge, skills and abilities necessary to make both tactical and strategic management decisions, we will continue to see the deep decline and, clearly, the never-ending "year of the breach". Operational executives will respond in kind when Boards of Directors begin to ask the thorny questions, which should focus on the strategic growth of the company. Employees will then be motivated and hear the clarion call from on high when the CEO comes back from the board meeting and says: they want more security and assurance before we can bring that function on board; who certified that code, who tested it, and who has taken ownership of the relationship with the software team?
Here's hoping that the second half of 2014 is the year of Boards of Directors active and attuned to what is going on not only in the front office but in every office. That the function continues to thrive and works closely with, if not right next to, the security team. That multi-factor authentication is used not just for outsiders, but for insiders as well. That outside relationships are clearly defined and SLAs (service level agreements) are scoped out to protect both the vendor and the company. That data, whether held in a planet-sized computer terminal or a tiny smartphone, is protected and preserved, because we should all enjoy a level of privacy. That when we buy the state-of-the-art upstream gadget that detects attacks, and the alarms go off and people start screaming at the top of their lungs, someone will listen, will have been properly trained on the use of the gadget, and will have configured it properly. All very hopeful that the year end will be better than the start. The future is now before us. Let's see how we do!
Good luck everyone!
Labels:
audit,
board,
CEO,
CIO,
CISO,
cnn money,
controls,
COO,
Cyber security,
Information Security Management,
InfraGard,
management,
NYM-InfraGard,
Ponemon Institute,
sc magazine,
Security
Saturday, May 31, 2014
Lessons from the U.S. Veterans Administration
Government-run healthcare is suffering from the stiff stench of reality this week as the Veterans Administration implodes in a wide-scale corruption probe spanning over 46 different facilities, revealing systematic corruption which has infected the entire bureaucracy. What can we learn?
Audits tell part of the story, and so does strong management which not only holds people accountable but is in fact in-the-trenches leadership. Take a hard look at "Undercover Boss" and ask yourself: if the leadership of the VA had been in the trenches, could things have been any different? Clearly the Administrator of the VA was fighting an uphill battle against liars, cheats, and more. But "Undercover Boss" makes the point: get out of the office and get into the trenches for a reality check. Now let's see if our USDOJ follows the Veterans Administration IG's report and starts the very necessary criminal investigations to clean up the VA once and for all, so that our war heroes finally get what they deserve: the best health care known to man.
We talk much in this blog about management and boards of directors. As we should. Organizations depend on these fine men and women to do the impossible, to be supermen and superwomen. But the days of hands-off management are long gone. Whether you are in government or the private sector, if you haven't gotten that message, it's high time you did. Get out of the office and learn the reality of what is going on in the workplace.
We heard much this week about outdated technology and "scheduling". We worry: is this a sign of the times to come in government-run healthcare? Well, those of us in technology know all too well that technology does a backflip and takes ten steps forward about every 60-90 days. So if you're thinking of saving money by leveraging your entire corporation and/or government-run agency on a shoestring with a one-time technology budget, then, in the immortal words from Brooklyn, NY: forget about it.
Technology is, in the worst case, an infant with an appetite that rivals most young U.S. Marines in boot camp. Belly up to the table, because this infant is going to need your undying attention, your understanding and your coddling every single day of the week. Budgeting and planning for the unexpected are another aspect that those so quick to adopt technology and outsourcing with an expectation of saving millions may want to slow down, take a deep breath, and consider. Technology implementations are expensive, and those seeking to take shortcuts are only doing a royal disservice to their companies and agencies and fooling themselves. While the passing of timely and accurate information is exciting and, used correctly, can help you turn on a dime....it comes with a fairly large investment and a huge reality check on expectations: not on the information delivered, but on the intense care and ongoing maintenance of systems, controls and people.
Take a hard look at the Veterans Administration of today and ask yourself, Mr/Mrs CEO or Agency head....could this be me? Do I even have a clue? We hope this, as with any number of cases we bring to your attention, helps you focus not just on security but on the fundamentals of leadership and management.
If you need a trusted source and a friendly but well-grounded reality check, give us a call. We would like your business, but we're not willing to sacrifice our reputation just to make a buck.
Trust is at the core of Integris Security. We can be counted upon to provide you with the services and intelligence to keep your information, systems and institution secure. Call us and let's get to work on improving your security/risk posture.
Labels:
accountability,
audit,
controls,
Cyber,
Cyber security,
Information Security veterans,
InfraGard,
management,
NYM-InfraGard,
Security,
US Marines,
US veterans Administration,
USDOJ
Friday, May 30, 2014
Accountability: Have you heard the call from Target yet?
At some point industry across America will face a tipping point. A point at which lying to the U.S. Congress, failure to comprehend risk, and pointing the finger at someone else just isn't going to cut it. Those in the front office will be held accountable at some point. Enter TARGET.
Leadership Failure:
Have you heard the call from Target yet? Perhaps you should. The CEO - gone. The CISO - gone. The Board of Directors - now facing election - could be gone as well. As they should be, for failing the stockholders and trustees through lack of interest and utter malfeasance of office. For bringing incompetence into the forefront, this board and others need to be tossed.
http://www.computerworld.com/s/article/9248631/Advisory_firm_urges_ouster_of_majority_of_Target_board_members_over_breach_
IT Certification - a farce and failure?
The (ISC)2 code of ethics canons state:
1. Protect society, the commonwealth, and the infrastructure
- Promote and preserve public trust and confidence in information systems
- Promote the understanding and acceptance of prudent information security measures
- Preserve and strengthen the integrity of the public infrastructure
2. Act honorably, honestly, justly, responsibly and legally
- Tell the truth; make all stakeholders aware of your actions on a timely basis
- Observe all contracts and agreements, express or implied
- Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order
- Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence
- When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service
3. Provide diligent and competent service to principals
- Preserve the value of their systems, applications and information
- Respect their trust and the privileges that they grant you
- Avoid conflicts of interest or the appearance thereof
- Render only those services for which you are fully competent and qualified
4. Advance and protect the profession
- Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons
- Avoid professional association with those whose practices or reputation might diminish the profession
- Take care not to injure the reputation of other professionals through malice or indifference
- Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others
Can we honestly believe that (ISC)2 is holding its certified membership to account for its own ethics canons? Is this industry grist mill collecting money and not policing its own people? After ten years of continually failing grades in breaches from every corner of the world, one has to ask: is the (ISC)2 operation real, is it accountable?
As industry raced to bring down costs, adopted many Information Technology practices, and sought greater input about its clients, its prospects and its internal operations, a CISSP or other similarly designated security professional has been behind the wheel. Are these people being held accountable?
Securing systems is for sure both an art and a science and not to be taken lightly. Nor is there a silver bullet or magic wand to wave to make things right. However, CEOs will have to lead, and security will have to be roundly touted by, adopted by, and insisted upon by all top management executives. Audits will have to be conducted to constructively explore where the problems are and, when they are found, to address them aptly. Functions can proceed, perhaps a little slower, to give the security personnel the opportunity to explain the risk, so that management personnel can bring it into full view for the board of directors. These boards of directors then have the full responsibility to guide Chief Executives as well as to protect shareholders from weak operations. IT systems are difficult; solutions are not always forthcoming. But clearly, in the breaches of the past ten years, industry has failed the public over and over again. With no accountability, until maybe now.
Thursday, May 29, 2014
eBay: How could you?
Step up eBay, the world's largest online marketplace and the next in a line of corporations who may have flaunted the very fact that they too are capable of security failure. eBay is not just another big box retailer, e-retailer, etc....they personify e-commerce, set the standard, and are in every predictable way NOT a brick-and-mortar business gone wild for everything online. eBay is the very house that the internet era caused to be built, ushered in by the demand for anything, anywhere, at any time.
Fast forward along the breach runway from TJ Maxx, ... to Target this year: the runway is littered with one company after the next who mistook market position and financial viability as a surety that they could hide from reality. One company, one agency after the next has shown that client data is just not secure, not safe, and that the path forward is very uncertain.
To be certain, eBay does a great job of protecting applications. Today, on an industry conference call (InfraGard: www.nym-infragard.us) known as the Thursday Call, application protection was discussed, with general agreement that eBay has done an admirable job in application security. One senior security professional said eBay's problem is simply the M&M syndrome: a very hard outer shell vs. a soft, mushy inside. Thus you have very predictable outcomes when separation of duties, multi-factor authentication, scaling privilege to those with a need to know, and demanding credentials for insiders which should at the very least match those required of people admitted from the outside are neglected. Ambivalence cannot be tolerated when you are in a class beyond all others in the online marketplace. eBay is now set to walk the runway of shame, knowing full well all of this could have been avoided.
As the walk of shame befalls eBay, responsibility will be fixed upon whom? The Board of Directors, who should have been monitoring the effectiveness of operations, audits, etc....most certainly they deserve the lion's share of credit....stockholders, beware who you vote for and put on the boards of companies who depend on the online marketplace. Step in the regulators: Connecticut, Florida, etc...UK authorities....eBay just bought itself more lawsuits and official inquiries than it ever would have cost them to do the right thing the first time.
CEO, COO, CTO, CIO, CFO, CSO, CRO....for sure, avoiding the media and taking full responsibility could become downright hostile from the inside. But each of these people owns a part of 145 million records of their clients being exposed. As these creatures of the front office prepare to circle the wagons, we must comment on the security staff whose job it is to keep the data secure, and on the fact that only passwords were encrypted. Thus dates of birth, home addresses and more were left in the open. So how many CISSPs were on staff at Target, TJ Maxx, others, and now eBay? Will their certifications be revoked? What liability will they have in failing to do what they swore they would take care of? Do no harm??
Angry? Perhaps, though not because of any one individual's actions or inactions, but because for ten years VERIZON has been publishing the DBIR and has listed over and over again the same recommendations. Failure to do X will give you Y. It's not like this is a well-kept industry secret and no one knows. Everyone knows. Q1 this year was Target, Q2 this year is eBay, next up?
Before Q3 hits, call in a security company and get a health check-up. Batten down the hatches and understand the world's wolves are gunning for you. Make no mistake, size doesn't matter.
LINKS:
http://www.cnet.com/news/ebay-to-face-formal-investigations-over-data-breach/
http://www.scmagazine.com/states-probe-ebay-after-breach-affects-all-its-users/article/348422/
http://www.bbc.com/news/technology-27539799
http://www.theregister.co.uk/2014/05/23/ebay_security_breach_investigations/
Tuesday, May 27, 2014
DBIR 2014 significance?
Hello everyone,
Just a short post on the Verizon Data Breach Investigations Report 2014. Verizon has done an exceptional job of improving the overall content of the report on the volume side of the house and, make no mistake, the report now captures client and other contributor cohort details.
So what is pressing in Verizon's 2014 report? Why read it, why bother, and what is its significance? The report is chock-full of garden-variety charts trying to tell the breach story, and what some may call the "same old story": just more Verizon investigation numbers added to the base.
If you had just landed on Earth, were concerned about security and then focused in on cyber security, you might want to scratch your head. Why? Well, frankly, Verizon has been publishing what some say is in theory the same report year over year (different numbers, greater volume, prettier charts, greater diversity), but all in all, the same report.
At the end of the day we turned to the recommendations of the report and found that if we looked back five or ten years, nothing much has changed.
So for 2014 our advice is to look back at the 2009 report, or the first one from 2008, and follow the security advice. If for some reason you can't follow the advice, wait another five to ten years and, trust me, you'll be hearing the same thing all over again.
For 2014, a ho-hum report: pretty cover, nice charts, but the significance is lost unless your head has been buried in the sand. In that case, it's time to wake up: read and follow the recommendations. Here are some classic recommendations; if you see something new and astonishing, let me know:
The DBIR is packed with more detailed information and recommendations. But seven common themes are clear:
• Be vigilant. Organizations often only find out about security breaches when they get a call from the police or a customer. Log files and change management systems can give you early warning.
• Make your people your first line of defense. Teach staff about the importance of security, how to spot the signs of an attack, and what to do when they see something suspicious.
• Keep data on a 'need to know basis'. Limit access to the systems staff need to do their jobs. And make sure that you have processes in place to revoke access when people change role or leave.
• Patch promptly. Attackers often gain access using the simplest attack methods, ones that you could guard against simply with a well-configured IT environment and up-to-date anti-virus.
• Encrypt sensitive data. Then if data is lost or stolen, it's much harder for a criminal to use.
• Use two-factor authentication. This won't reduce the risk of passwords being stolen, but it can limit the damage that can be done with lost or stolen credentials.
• Don't forget physical security. Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts.
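The two-factor theme above, as an added example that is not from the report or from any vendor: a TOTP (RFC 6238) verifier with the two details that decide whether the second factor actually limits the damage from a stolen password. A one-step clock-skew window keeps legitimate users logging in, and a per-user high-water mark of accepted counters rejects a code that a phishing proxy captured seconds ago. The constants, the user name and the test secret (the RFC 6238 Appendix B vector) are assumptions for the example.

```go
// Added example, not from the DBIR or any vendor: TOTP (RFC 6238) with a
// clock-skew window and replay rejection. Step, Digits, Skew, the user name
// and the secret are assumptions made for the example.
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"sync"
	"time"
)

const (
	Step   = 30 // seconds per time step
	Digits = 6  // code length accepted by Verify
	Skew   = 1  // accept one step of clock drift either side
)

// HOTP implements RFC 4226 dynamic truncation over HMAC-SHA1.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter derived from Unix time.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/Step), digits)
}

// Verifier remembers the highest counter accepted per user; a code whose
// counter is not strictly newer is rejected even if it is otherwise valid.
type Verifier struct {
	mu       sync.Mutex
	lastUsed map[string]uint64
}

func NewVerifier() *Verifier { return &Verifier{lastUsed: map[string]uint64{}} }

// Verify accepts code for user if it matches the current step or one step
// either side and that step has not been consumed before. The HMAC
// comparison is constant-time; the format checks leak nothing secret.
func (v *Verifier) Verify(user string, secret []byte, code string, now int64) bool {
	if len(code) != Digits {
		return false
	}
	if _, err := strconv.ParseUint(code, 10, 64); err != nil {
		return false
	}
	cur := now / Step
	v.mu.Lock()
	defer v.mu.Unlock()
	last, seen := v.lastUsed[user]
	for d := int64(-Skew); d <= Skew; d++ {
		if cur+d < 0 {
			continue
		}
		c := uint64(cur + d)
		if seen && c <= last {
			continue // this step was already consumed: a replayed code
		}
		if subtle.ConstantTimeCompare([]byte(HOTP(secret, c, Digits)), []byte(code)) == 1 {
			v.lastUsed[user] = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret; real ones are random per user
	v := NewVerifier()
	now := time.Now().Unix()
	code := TOTP(secret, now, Digits)
	fmt.Println("first use:", v.Verify("jane", secret, code, now))
	fmt.Println("replayed: ", v.Verify("jane", secret, code, now+5))
}
```

In a real deployment the per-user high-water mark lives in shared storage, so that two login servers behind a load balancer cannot each accept the same captured code once. The skew window is the trade-off the report's wording hints at: wide enough to survive phone clock drift, narrow enough that a stolen code is worthless within a minute.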
Let me know your thoughts, but it seems like nothing much has changed, and next year we'll be reading about more breaches.
More reading>>>>>>>
http://www.csoonline.com/article/2157453/data-protection/needed-detection-correction.html
Thursday, March 6, 2014
The Russians Are Here...
Estonia, Georgia and now Ukraine...
The Russians are coming, the Russians are coming! As a modern-day Paul Revere we're shouting at the top of our lungs: the Russians are coming! But what does all this portend for those in the security and cyber security space?
In the sixties, seventies and so forth we were warned and taught in school that the Communists were going to take over the world. We were told they would do it without firing a single shot. Given our current technology revolution, has this become a more concrete reality? Are we feeding our own eventual demise by participating in this ever more interconnected world via the web?
Well, if we look at Estonia, Georgia and now Ukraine, cyber invasions are most definitely front and center for every single world power and nation-state. We invite your comments and observations as Russia leverages Crimean networks, telecom and communications capabilities, and the gas pipeline infrastructure which feeds most of Europe and is undoubtedly connected to SCADA systems.
Those of us in the security space would do well to pay close attention to the methods of operation and techniques employed for both offense and defense, whether as old as the hills or on the new frontier called the bleeding edge. The global economy is not going away any day soon, and we need to understand the threat landscape, our own infrastructure limits and, where possible, how to bolster defenses to counter those threats, as it may lead directly to our bottom line. Testing to acceptable baseline defenses and offenses will only get you so far; conducting exercises for real resilience in the face of a MOST determined adversary is, as they say, a horse of a different color.
We at Integris Security are here to help you prepare, test and evaluate your enterprise operations with an eye on: Can you survive in this global economy if your adversary has your company in their crosshairs? Is your staff security-aware? Would you know an attack if it started? Are your employees asleep at the switch, anchored in a serpentine bureaucracy, or are they war-fighters: listening, looking, revealing, reporting and proactively taking action?
Lastly, if sixty thousand security-related alarms went off at your company, would you roll over and go to sleep, or, more appropriately, "RESPOND", "INVESTIGATE" and "REPORT"?
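What those three verbs look like at sixty thousand alarms, as an added example that is not Integris Security's tooling: the raw alert feed is collapsed into incidents keyed by source and rule, ranked by severity and then by volume, and each incident is assigned RESPOND, INVESTIGATE or REPORT. The alert line format, the sample feed and the thresholds are constructed for the example.

```go
// Added example, not Integris Security's tooling: collapse a 60,000-line
// alert feed into a handful of ranked incidents and assign each one of the
// page's three verbs. The "<ts> host=.. rule=.. src=.. sev=.." line format,
// the sample feed and the thresholds are assumptions for the example.
package main

import (
	"fmt"
	"sort"
	"strings"
)

type Alert struct{ TS, Host, Rule, Src, Sev string }

// Incident aggregates every alert from one source that tripped one rule.
type Incident struct {
	Src, Rule     string
	Count, MaxSev int
	Hosts         map[string]bool
}

var sevRank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

// ParseAlert rejects lines missing a field or carrying an unknown severity,
// so junk is counted rather than silently folded into an incident.
func ParseAlert(line string) (Alert, bool) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return Alert{}, false
	}
	kv := map[string]string{}
	for _, field := range f[1:] {
		p := strings.SplitN(field, "=", 2)
		if len(p) != 2 {
			return Alert{}, false
		}
		kv[p[0]] = p[1]
	}
	a := Alert{TS: f[0], Host: kv["host"], Rule: kv["rule"], Src: kv["src"], Sev: kv["sev"]}
	if a.Host == "" || a.Rule == "" || a.Src == "" || sevRank[a.Sev] == 0 {
		return Alert{}, false
	}
	return a, true
}

// Triage collapses the feed into incidents ordered by max severity, then
// volume, then source, and reports how many lines could not be parsed.
func Triage(lines []string) (incidents []*Incident, dropped int) {
	byKey := map[string]*Incident{}
	for _, line := range lines {
		a, ok := ParseAlert(line)
		if !ok {
			dropped++
			continue
		}
		key := a.Src + "|" + a.Rule
		inc, seen := byKey[key]
		if !seen {
			inc = &Incident{Src: a.Src, Rule: a.Rule, Hosts: map[string]bool{}}
			byKey[key] = inc
		}
		inc.Count++
		inc.Hosts[a.Host] = true
		if r := sevRank[a.Sev]; r > inc.MaxSev {
			inc.MaxSev = r
		}
	}
	for _, inc := range byKey {
		incidents = append(incidents, inc)
	}
	sort.Slice(incidents, func(i, j int) bool {
		a, b := incidents[i], incidents[j]
		if a.MaxSev != b.MaxSev {
			return a.MaxSev > b.MaxSev
		}
		if a.Count != b.Count {
			return a.Count > b.Count
		}
		return a.Src < b.Src
	})
	return incidents, dropped
}

// Action assigns one of the page's three verbs. Thresholds are assumptions.
func Action(inc *Incident) string {
	switch {
	case inc.MaxSev >= sevRank["high"] && len(inc.Hosts) > 1:
		return "RESPOND" // high severity and already moving between hosts
	case inc.MaxSev >= sevRank["high"] || inc.Count >= 50:
		return "INVESTIGATE" // one high hit, or a flood that needs a human look
	default:
		return "REPORT" // daily summary, not the pager
	}
}

// SampleAlerts is a constructed 60,000-line feed: a noisy scanner, a
// high-severity login pattern walking across hosts, some brute forcing,
// and one junk line.
func SampleAlerts() []string {
	lines := make([]string, 0, 60000)
	for i := 0; i < 59990; i++ {
		lines = append(lines, fmt.Sprintf("2014-03-04T%02d:%02d:%02dZ host=web-%02d rule=PORTSCAN src=198.51.100.9 sev=low",
			i/3600, i/60%60, i%60, i%4+1))
	}
	for _, h := range []string{"web-03", "fs-02", "dc-01", "dc-01", "fs-02", "web-03"} {
		lines = append(lines, "2014-03-04T11:02:10Z host="+h+" rule=ADMIN_LOGIN_NEW_GEO src=203.0.113.7 sev=high")
	}
	for i := 0; i < 3; i++ {
		lines = append(lines, "2014-03-04T11:03:00Z host=vpn-01 rule=BRUTE_FORCE src=192.0.2.44 sev=medium")
	}
	return append(lines, "2014-03-04T11:04:00Z host=web-01 rule=PORTSCAN") // no src, no sev
}

func main() {
	incidents, dropped := Triage(SampleAlerts())
	fmt.Printf("%d incidents, %d unparseable line(s)\n", len(incidents), dropped)
	for _, inc := range incidents {
		fmt.Printf("%-11s %-13s %-20s count=%d hosts=%d\n", Action(inc), inc.Src, inc.Rule, inc.Count, len(inc.Hosts))
	}
}
```

Three incidents come out of the sixty thousand lines: a high-severity login pattern moving across three hosts that needs a response now, a brute-force attempt that belongs in the daily report, and a port scan whose sheer volume earns a look. The one line that does not parse is counted rather than dropped on the floor; a pipeline that silently skips what it does not understand is a blind spot, and the dropped count is what tells you it exists.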
Here are a few links:
http://www.computerweekly.com/news/2240215674/Ukraine-and-Russia-locked-in-a-cyber-stand-off
http://defensetech.org/2008/08/13/cyber-war-2-0-russia-v-georgia/
http://www.bbc.com/news/technology-26447200
http://www.huffingtonpost.com/2014/03/04/ukraine-cyberattack-mobile-phones-russia-parliament-security_n_4895287.html
Labels: Cyber, Estonia, FBI, General, Georgia, Information Security Management, InfraGard, NYM-InfraGard, NYPD, Security, Ukraine, USA, USSS