Encourage Your Leaders to Not be the Next Data Breach

The more we learn about the Equifax Data Breach the more concerning the entire situation has become.  There have been reports that an online portal allowed access with the username/password combination of admin/admin.  Now there are reports the Apache Struts web Application Framework way have gone unpatched since CVE-2017-5638 was disclosed and Fixed by Apache on March 6th.  

     I expect news on this breach to surface over time and will probably last for months.  The related lawsuits will last for years, especially with the allegations of stock trading right before the public announcement of the breach.  While this story is bad news for millions of people, I hope stories like this "Encourage" senior leaders at companies that the risks of a breach are very real and they don't want to be the next Equifax.  

5 Problems That Keep CISOs Awake at Night

This is a really nice list to help those of us in CyberSecurity.  

  1. Not everyone can hire a cyber unicorn. Globally, 70% of employers plan to increase the size of their cybersecurity staff this year. Not only is there a lack of cybersecurity professionals to meet this skyrocketing demand, but there are even fewer of what I call "unicorns" — security experts who understand networks and know how to protect them. Cybersecurity unicorns are curious analysts who have experience with protecting network perimeters, scripting, and identifying endpoints. Organizations can't afford a full security detail to cover these skills, which is why we will likely see more of them opting to outsource security operations in the near future. [Editor's note: Raytheon is one of many companies that offer such services.] Cybersecurity service teams can be located anywhere and dedicate the necessary time and skills to both react to attacks and proactively hunt for them to ensure organizations remain operational and secure.
  2. The Dark Web never sleeps. The Dark Web is a breeding ground for cybercrimes and hosts all types of tools required to execute them, including malware for purchase and cybercrime services, so that criminals don't even need to be technical experts to launch a major attack. As the Internet becomes an open field for predators, organizations must hunt around the clock. The average mean time to detection of threats already on a network is around 200 days. That time — when hackers are able to steal data or damage the network — can be dramatically reduced by proactive threat hunting. This involves monitoring normal and abnormal network traffic patterns to identify threats before they become damaging.
     
  3. Checking the compliance box doesn't stop the breach. When it comes to managing data and hiring or outsourcing talent, many companies face budget constraints that stem from compliance. Businesses must be compliant, but compliance and security are not interchangeable when it comes to cyber attacks. Compliance is critical but shouldn't be confused with security. The Defense Federal Acquisition Regulation Supplement, for example, requires organizations to have a firewall for segmentation and logging policies. While a firewall limits access and logging provides insight on network incidents, these are only tools. Without trained people to look at the threats and act on them, there isn't enough protection. Organizations must conduct a thorough security assessment, identify existing threats and the riskiest users, prioritize security measures, and implement and test an incident response plan. Compliance often falls into place when it's the final consideration and not just a top budget item.   
     
  4. Reputation is on the line. Just as most travelers in the past never casually chatted about a phishing scam, board members didn't dabble in cybersecurity concerns. Today, it's a different story. There is a tremendous fear of a cyber attack severely damaging brand image and the bottom line. Organizations have a fiduciary responsibility to protect their customers' data, but cyber attacks threaten this stewardship. In healthcare, an industry with mountains of sensitive personal data, breaches by hackers affected 15.2 million Americans last year. Beyond data loss, the loss of intellectual property could further cripple organizations. To maintain the confidence of shareholders and customers, organizations must align their brand with one of security — and make sure they can back it up.
     
  5. When everything is connected, security is everything. Our businesses are more exposed to unseen risk than ever before from employee devices, automated manufacturing, the global supply chain, and the Internet of Things. The cyber attacks that are not visible by just looking at your own networks could cause harm to information and operational technology. Now a heating and air conditioning system could be the conduit through which nation-states attack each other. A gas turbine or nuclear facility could be a tool to harm more than just systems and put human safety at risk. So, companies need to provide cybersecurity for more than just their networks. They must embed cybersecurity into their products and services, into their supply chains, and into their partnerships.

https://www.darkreading.com/endpoint/5-problems-that-keep-cisos-awake-at-night/a/d-id/1329854?

20 Questions to Help Achieve Security Program Goals

 

This is a really great list (from Dark Reading) of questions to focus on when attempting to keep your security programs on track.  

  1. Do we have a focused and well-defined list of risks to the business? No matter how good we are, if we start off without any focus, it will be very hard to achieve successful and timely results.
  2. Do we derive our goals and priorities from the risks we're most interested in mitigating?  It's hard enough to deliver results on time for things that we need to do, never mind things that don't address any of the risks we’re most concerned about.
  3. Do we regularly assess where we may have gaps in our security architecture? This can be another great way to identify where it makes sense to invest time and money in projects. No sense in investing in something that you've already addressed at the expense of something else that sorely needs addressing.
  4. Do we follow the Pareto principle (80/20 rule)? The Pareto principle states that "for many events, roughly 80% of the effects come from 20% of the causes." In the security world, that means that we can typically achieve 80% of the desired results with 20% of the effort. For organizations that are resource-constrained, this is something to think seriously about.
  5. Do we have talented leaders who can shepherd and manage projects through to successful completion?
  6. Do we have talented people who can execute our plans to bring them through to successful implementation?
  7. Do we understand that we cannot do everything? We need to choose our battles wisely to ensure that we do not waste resources on items that may need to take a lower priority.
  8. Do we remember to set aside budget for the most important things? Not everything can be a priority.
  9. Do we remember to include operation and maintenance costs when budgeting? Not doing so puts all of our goals at risk, since people who were meant to be working on different goals will get dragged into O&M.
  10. Are we properly managing the signal-to-noise ratio? Wasting time on false positives is not going to help us achieve our goals in a timely manner.
  11. Are we working to keep shiny-object syndrome at bay? Sometimes management, executives, and the board can get caught up in all the hype and hysteria around the issue du jour. This can pull valuable resources away from long-term goals. Working from a risk register can help organizations manage the hype and hysteria.
  12. Are we focused on what will have an impact and mitigate risk? It is all too easy to get distracted.
  13. Are we managing a continuous dialogue with management, the board, executives, and other stakeholders? This can build confidence and demonstrate movement toward goals in a strategic and calculated manner. That, in turn, can buy fewer distractions and interruptions.
  14. Are we reporting relative metrics, rather than absolute metrics that provide no value for management, executives, and the board? For example, reporting on progress mitigating a $5 million potential loss, rather than reporting the number of alerts that fired in a given week.
  15. Are we showing our progress toward mitigating the risks that we've committed to mitigating? This means reporting progress in terms that are understood by non-security types.
  16. Are we reinventing the wheel? Our field has lots of talented people. If someone has already done something that we can leverage, we can save a lot of time and effort.
  17. Are we staying realistic? We can't all be a 100,000-employee financial company, and we shouldn't approach security as if we are.
  18. Are we working with the right partners? Often, those who specialize in addressing certain challenges can help us achieve our goals more quickly.
  19. Are we continually assessing our security posture and evaluating progress against our goals? It would be a shame to charge ahead 6 to 12 months in a given direction only to find out that it didn't bring us any closer to achieving our goals.
  20. Are we continually assessing our goals against the evolving security environment to ensure they are still the right goals? How disappointing to achieve a goal, only to find out that it wasn't really the right goal to achieve.

https://www.darkreading.com/operations/20-questions-to-help-achieve-security-program-goals-/a/d-id/1329853?