September 15, 2016

If an Infosec policy falls in the forest

If you don’t have a proper governance structure in place it can cause you some angst. As an example, how can you remove an employee who is surfing porn on the Internet if you have no framework in place to deal with such an action? That is the simplest example that comes to mind. To spin it differently, there was a shop that I worked for at which I was told that I could not use a certain piece of software. It was a fairly benign software application, so I couldn’t help but ask why. Now, bear in mind I had no argument with being told no; I was just interested in knowing what the rationale was for that decision. The answer I received was, “because $group said no.”


Chief Data Officer Barney Krucoff Drives Washington, D.C.’s Data Strategy

My impression is that D.C. has a tremendous technology infrastructure. We are more unified in our technology than many large cities or states. There’s a city-owned network backbone that connects us all, and there’s a centralized security team, so not everybody’s got their own firewall group and you’re not necessarily negotiating that across multiple agencies. The IT department is fairly operational, not just a policy shop. We run all the email, we run many applications, we run the centralized web team. So there’s a lot of infrastructure in D.C., and there’s a reasonable amount of resources for the amount of government we have. We weren’t necessarily as efficient as we’d like to be, and I think that’s part of my job, to try to align these pieces.


How can we address the Insecurity of Things?

“With IoT, it's only a question of time that with regards to privacy and physical security issues, governments will have to enforce regulations and standards,” said Sayag. “It's a two-way process. One is from the regulatory authorities, to come up with really strong steps, to encourage development of security of IoT nodes and devices; and on the side of users, they should be more aware of the kind of things that can be hacked,” said Chattopadhyay. “I think we are too passive about these new challenges, we think that they will be sorted out by themselves, maybe by market forces. We should work faster, and we should encourage more innovative technologies and products with built-in security in mind. That is something the security community, researchers and the industry, should consider right now. I think this is a problem we should solve altogether,” emphasized Sayag.


Security Think Tank: Brexit – An opportunity for infosec pros to take the lead

The main negative point is the uncertainty, but as the EU will deny access to its marketplaces to any company not up to code, certainty comes back into the picture again as we realise the regulations have to be implemented anyway. Not quite incidentally, when considering international data regulations in this context, those responsible in a risk and compliance role should keep keen eyes on the progression of the Safe Harbour and Privacy Shield saga in the Irish courts. Opting for private model contracts to cover international data exchanges in the absence of Safe Harbour is a legally uncertain decision, and their use could cause major international disruption if ruled inadequate.


8 Culture Change Secrets Most Leaders Don’t Understand

Results will actually precede the cultural change. This important insight runs counter to arguments from some leaders who think they don’t have time for culture since they need results now and culture change takes a long time. Focusing the work on a top mission or performance priority will actually increase the likelihood of seeing results in a meaningful area AND supporting the targeted cultural shift. Behaviors that lead to positive results will spread. Schein said these behaviors will not be spreading because employees were “told to” but because “they work”. I love his explanation: “if it’s successful, and people like it, and it becomes a norm then you can say it’s become a culture change.” So, what’s a norm? That question brings us to our next secret.


Cybersecurity Is Every Executive’s Job

While the CISO will identify risks and prioritize security protocols, it is incumbent on senior executives to understand and carry out the procedures across the business — to the most-vulnerable points of entry for cyber criminals. Executives must sponsor the CISO’s threat assessments and review the results together. The CISO should be included on new business initiatives early on so that security is baked in rather than bolted on afterward. In fact, the best practice is to have the CISO work with each team to determine ways to reach goals in the most secure fashion, and then executives must hold their people accountable for risks and flaws identified by the CISO. What’s more, executives should help promote the importance of security within the organization, starting with better education and training.


Cyber risk in financial firms is a key concern – Central Bank Guidance

The Central Bank’s concerns are being driven by the potential impact of inadequate cybersecurity controls on the firms themselves, their customers and the risks for financial stability. Given that information technology is now at the heart of the supply of financial services and that the incidence of cyber-attacks and business interruptions is on the increase, the Central Bank is saying that firms should assume that they will be successfully targeted. Its view is that the security and resilience of IT systems, their governance and management must improve to reflect this reality. ... The Central Bank is demanding increased effectiveness in this area. We are undertaking considerable work to require improved IT risk management and cyber resilience across regulated firms. This includes enhanced supervisory capabilities and increased focus on these risk areas.


Emerging technologies are poking holes in security

Automation affects change management and security because there may not be an understanding of how to support the new information security requirements of automation as change occurs. This can make the enterprise susceptible to intrusion and unable to adequately respond when disaster recovery plans must execute, Davison says. As for information technology service partnering, when partner employees don’t follow the enterprise change management process, information security risks rise, says Walker. In cloud computing environments, simply adding errors in the process of coordinating change among different cloud environments to the already precarious task of implementing federated security across these clouds can add significant risk.


Commodities may be a sweet spot for blockchain

Over-the-counter commodity derivatives are another potential sweet spot for blockchain. Banks such as Barclays have explored the use of smart contracts for interest rate and equity derivatives. They might consider trying them out in OTC commodity derivatives, which are largely not yet subject to regulatory central clearing mandates. The lack of potential resistance from clearing houses, as well as the smaller size of the markets overall, might make it easier to roll out smart contracts in OTC commodities than in other asset classes. Some might question whether commodities – the oldest asset class around – will really be the sector where blockchain takes off. I would advise such sceptics to look at a little company called Ice.


FTC focuses on combating ransomware

"The spate of ransomware incidents is escalating at an alarming rate," Ramirez says, citing an estimate from the Department of Justice that incidents of ransomware, now averaging some 4,000 a day, have increased 300 percent in the past year. "The financial motivation for ransomware attacks suggests that the threat is unlikely to go away any time soon," she says, warning businesses to step up their own defenses to ensure that they are protecting their users from online scammers. The agency has already brought dozens of enforcement actions against companies for failing to adopt what it considers reasonable security protections. Ramirez and some industry experts see ransomware as the latest evolution of malware, but with a notable twist.


Quote for the day:

"If you can't laugh at yourself life is going to seem a whole lot longer than you'd like." -- Sam, Garden State