Cybersecurity Blog: The Cyber Scene is evolving, are you?

As I noted in my earlier blog post, there is growing concern about the cybersecurity risks with the Internet of Things (IoT), particularly their effects on third parties as the recent Mirai botnet attack demonstrated. At this year’s RSA Conference in San Francisco, IoT cybersecurity was one of the most discussed topics, ranging from policy to the latest exploits. I was fortunate to serve on a panel discussing IoT and ransomware in front of a packed room. While hype is undoubtedly a factor, the massive interest certainly demonstrates the huge market forces at work that are still in their infancy. As Bruce Schneier noted in his RSAC talk, the social, economic, and safety implications of the Internet of Things mean that government regulations are not far behind. In fact, Bruce even advocates for the establishment of a government agency to address it while acknowledging that he currently cannot provide the details for how such an agency would operate, what regulations would be needed, or how such regulations would be enforced.


2016 was another challenging year in cybersecurity. With greater awareness among organizations and the general public of the risks, and sizable investments by companies in best-of-breed security technologies, will we see improvements in 2017?


Lots of people are talking about the “Internet of Things” and what it means to the Internet’s future. Not all of these comments are good.

Consider that Government Computer News (GCN) ran an article titled “The Internet of malware-infected things” discussing body cameras that were found to be infected by the Conficker worm, from the factory. Along the same lines, Federal Computer Week commented “The Internet of Things leaves public and private computer systems essentially indefensible, and no amount of security guidance can provide salvation.” In the article, NIST fellow Ron Ross commented “You can comply perfectly … and still have a very vulnerable infrastructure because of the complexity.”


With all the emphasis on cybersecurity frameworks over the last couple years, it probably shouldn’t surprise anyone that a lot of organizations find themselves working off checklists of cybersecurity controls that they assume will give them better security. What is often missed is that these controls need to work together as an integrated system. For thousands of years, we’ve understood this in the realm of physical security. From the most ancient castles, security was built to initially keep intruders from entering using some sort of barrier like a lock or a moat. However, castles were also built with high towers with sentries posted around the clock to see the enemy coming because we knew that simple barriers would never be enough for a determined adversary. Finally, armies were at the ready to repel invaders if the sentries determined that the barriers would not be sufficient. Even today for most basic security for our homes, we understand the difference between a basic control and a security system. If we asked a builder for a security system and his response was that there were locks on the doors, we wouldn’t be satisfied. Most of us know that when we say security system, it means a combination of controls working together. At minimum, we would expect locks, sensors on all exterior doors and first floor windows connected to a central panel with an audio alarm, and the ability to automatically notify a watch center operating at all times that could notify us and/or the police to respond.


One of the most compelling questions asked today by security operations is, “Can we enable our analysts to make security decisions that will have a positive impact on the overall security posture of our organization?” The short answer is, “Yes. But it’s not easy.”


Last month I spoke at a cybersecurity forum of public power utilities. Many were fairly small, and for the most part, were subjected to the provisions of the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards that many of their larger brethren have been struggling to comply with. Nonetheless, I was struck by how many were trying to “do the right thing” with respect to cybersecurity. Given their limited budgets, much of that commitment was centered on the efforts of their employees rather than the purchase of expensive technologies. But I was still heartened by that effort when many larger utilities seem to be checking the box. Some of that is an understandable exhaustion from multiple years of intensive scrutiny by NERC CIP auditors and their overseers at the Federal Energy Regulatory Commission (FERC). With the most recent deadline passing last April, it’s not surprising that some utilities may be taking a breather. At the very least, the urgency is less now despite some passing news. For a while we thought that the Russians were hacking Burlington Electric, but that story fizzled, notwithstanding the utility’s laudable efforts to alert the industry to a threat. Potentially more serious were Turkey’s claims that someone in the United States hacked their grid and caused an outage, but weather was the more likely culprit. Finally, it seems we had a sort of a repeat of December 2015's power grid outage in Ukraine; this one being investigated as a cyber attack in Kiev.


Malicious insiders present real risk to the business. Their inside knowledge and understanding of systems and data make them particularly dangerous, as they are hard to detect and know where the most valuable data resides. Media reports about external threats have thrust cyberattacks into the mainstream, but breaches caused by malicious insiders rarely make headlines. Because insider threats require a top-down approach, executives and boards of directors need education about the threat posed by malicious insiders and how to defend against them. 

Following our webinar with guest speaker Forrester Senior Analyst, Joseph Blankenship, we asked him to address some of the questions from the audience around how security leaders can address insider threats with senior leadership. Below are his responses.


Insider threats have become a huge problem for organizations around the world – just turn on the news and you’ll see the latest set of compromised companies dealing with the severe consequences of an insider breach – brand damage, lost customers, lost revenue, issuance of regulatory fines, employee safety... and the list goes on and on. 


Decisions that Make Companies Vulnerable to Insider Attacks

With the steady rise in cyber-attacks, network defense has become a security team’s number one priority. Many organizations have responded by investing heavily in the best tools to protect their information and systems from outsiders. The hard truth is these technologies are not designed to identify, let alone prevent an insider—contractor, employee, or trusted business partner—from taking information or corrupting a system they are authorized to access.


Enterprise security leaders are faced with a dilemma. Missing just one attack can result in a catastrophic data breach. Forced to defend their enterprise with strained resources, limited intelligence and an excess of security threats, companies need a new approach to cybersecurity that focuses on getting the most out of their available resources.

Following our webinar with guest speaker Forrester Senior Analyst, Joseph Blankenship, we asked him to address some of the questions from the audience around the challenges organizations face as they look to enhance their cybersecurity programs. Below are his responses.
