Gartner: Top Six Security and Risk Management Trends

As business leaders become increasingly conscious of the impact cybersecurity can have on business outcomes, they should harness increased support and take advantage of six emerging trends (listed below) to improve their enterprise’s resilience and elevate their own standing, according to Gartner, Inc.

  1. Senior business executives are finally becoming aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation. “Business leaders and senior stakeholders at last appreciate security as much more than just tactical, technical stuff done by overly serious, unsmiling types in the company basement,” says Peter Firstbrook, research vice president at Gartner. “Security organizations must capitalize on this trend by working closer with business leadership and clearly linking security issues with business initiatives that could be affected.”
  2. Legal and regulatory mandates on data protection practices are impacting digital business plans and demanding increased emphasis on data liabilities. “It’s no surprise that, as the value of data has increased, the number of breaches has risen too,” says Firstbrook. “In this new reality, full data management programs — not just compliance — are essential, as is fully understanding the potential liabilities involved in handling data.”
  3. Security products are rapidly exploiting cloud delivery to provide more agile solutions. “Avoid making outdated investment decisions,” advises Firstbrook. “Seek out providers that propose cloud-first services, that have solid data management and machine learning (ML) competency, and that can protect your data at least as well as you can.”
  4. Machine learning is providing value in simple tasks and elevating suspicious events for human analysis. Gartner predicts that by 2025, machine learning will be a normal part of security solutions and will offset ever-increasing skills and staffing shortages. But buyer beware, says Firstbrook: “Look at how ML can address narrow and well-defined problem sets, such as classifying executable files, and be careful not to be suckered by hype. Unless a vendor can explain in clear terms how its ML implementation enables its product to outperform competitors or previous approaches, it’s very difficult to unpack marketing from good ML.”
  5. Security buying decisions are increasingly based on geopolitical factors along with traditional buying considerations. Increasing levels of cyber warfare, cyber political interference and government demands for backdoor access to software and services have resulted in new geopolitical risks in software and infrastructure buying decisions, Gartner says. “It’s vital to account for the geopolitical considerations of partners, suppliers and jurisdictions that are vital to your organization,” says Firstbrook. “Include supply chain source questions in RFIs, RFPs and contracts” […] Read more »

65 Percent of Organizations Believe IoT Increases OT Security Risks

According to Kaspersky Lab’s State of Industrial Cybersecurity 2018 survey, 65% of organizations globally believe that risk to operational technology (OT) and industrial control systems (ICS) increases with the Internet of Things (IoT). Over the next year, 53% say that realizing IoT use cases and managing connected devices is a major priority.

As OT and IT converge, organizations can use IoT devices to boost the efficiency of industrial processes, but these devices and processes also introduce new risks and points of vulnerability. Surveyed industrial organizations feel exposed: 77% of respondents say their organization is likely to become the target of a cybersecurity incident involving its industrial control networks.

Among IoT-related concerns, 54% of respondents name the increased risk that comes with connectivity and IoT integration as a major cybersecurity challenge, followed by the new types of IoT security measures that need to be implemented (50%) and the implementation of the IoT use cases themselves (45%).

According to Kaspersky Lab, companies relying on ICS are falling victim to conventional threats, including malware and ransomware. Almost two-thirds of companies experienced at least one conventional malware or virus attack on their ICS in the last year, 30% suffered a ransomware attack, and 27% had their ICS breached through the errors or actions of employees.

Targeted attacks affecting the industrial sector accounted for only 16% in 2018 (down from 36% in 2017)  […] Read more »

Las Vegas Most Insecure Cyber City in US

A new study, Cybersecurity in the City: Ranking America’s Most Insecure Metros, has identified Las Vegas, Memphis and Charlotte as America’s most cyber insecure cities.

America’s Most Insecure Metros

10. Tampa – St. Petersburg
9. Orlando – Daytona Beach
8. West Palm Beach – Ft. Pierce
7. Jacksonville
6. Birmingham
5. Providence
4. Houston
3. Charlotte
2. Memphis
1. Las Vegas

America’s Least Vulnerable Metros

5. St. Louis
4. Seattle – Tacoma
3. Norfolk-Portsmouth-Newport News
2. Greensboro – Winston Salem
1. Richmond

“The Cybersecurity in the City: Ranking America’s Most Insecure Metros report emphasizes just how expansive both the vulnerability and threat landscapes have gotten in the U.S.,” said Guy Moskowitz, founder & CEO, Coronet. “While big companies may have the budgets, personnel and resources to protect their assets reasonably well, mid-market and small businesses are mostly left to fend for themselves. This is both unfortunate and a recipe for disaster” […] Read more »

GDPR: Will Your Company Be Fine or Fined?

“Mayday, mayday” is a standard international distress signal. With the European Union’s General Data Protection Regulation (GDPR) going live on May 25, 2018, the phrase seems particularly apt.

What is the GDPR? Weighing in at over 50,000 words, the GDPR revises a decades-old EU privacy directive that harkens back to 1995, a time when there was more postal mail than email. The GDPR restricts how organizations can collect, use and retain personal data, and provides Europeans with certain rights to halt collection, and to obtain copies, correction and, at times, destruction of their data.

How does it impact U.S. businesses? The EU seeks to apply the GDPR to all companies regardless of location if they collect personal data from individuals in the EU, such as through websites targeting EU consumers with goods or services (whether paid or unpaid), or by monitoring the behavior of people in the EU. The GDPR also applies to vendors (and corporate partners and affiliates) who end up storing, transferring, processing or using EU personal data even though another company initially collected it.

What are the Cybersecurity Requirements? Companies must implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”  Doing so requires an organization to evaluate “the state of the art” of security; the costs of implementation; the nature, scope, context and purposes of processing the personal data; and the risks to individual rights and freedoms. Data protection must be implemented “by design and by default.”

Are there breach notification requirements? Yes. If a data breach is likely to result in “a risk” to an individual’s rights and freedoms, the company must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. When the breach is likely to result in a “high risk” to rights and freedoms, notifications also must be made without undue delay to the affected individuals.

Can we get ready in a few weeks? It is unlikely. The EU gave companies two years. Still, achieving compliance may be more straightforward for organizations that do not collect sensitive categories of personal data (race, ethnicity, health, sex life, sexual orientation, criminal history, trade union membership, political/religious/philosophical beliefs, genetics or biometrics) and whose activities are unlikely to result in high risks to individual rights and freedoms (such as through large-scale data processing, new technologies or systematic monitoring, profiling and automated decision-making) […] Read more »

Security Budgets Increasing, But Qualified Cybertalent Remains Hard to Find

The worldwide cybersecurity skills gap continues to present a significant challenge, with 59 percent of information security professionals reporting unfilled cyber/information security positions within their organization, according to ISACA’s cybersecurity workforce research.

According to the report,

  • High likelihood of cyberattack continues. Four in five security professionals (81 percent) surveyed indicated that their enterprise is likely or very likely to experience a cyberattack this year, while 50 percent of respondents indicate that their organization has already experienced an increase in attacks over the previous 12 months.
  • Nearly 1 in 3 organizations (31 percent) say their board has not adequately prioritized enterprise security.
  • Men tend to think women have equal career advancement in security, while women say that’s not the case. A 31-point perception gap exists between male and female respondents, with 82 percent of male respondents saying men and women are offered the same opportunities for career advancement in cybersecurity, compared to just 51 percent of female respondents. Of those surveyed, about half (51 percent) of respondents report having diversity programs in place to support women cybersecurity professionals.
  • Individual contributors with strong technical skills continue to be in high demand and short supply. More than 7 in 10 respondents say their organizations are seeking this kind of candidate.

Yet, there are several positive and promising insights in the ISACA data:

  • Time to fill open cybersecurity positions has decreased slightly. This year, 54 percent of respondents say filling open positions takes at least three months, compared to last year’s 62 percent.
  • Gender disparity exists but can be mitigated through effective diversity programs. Diversity programs clearly have an impact. In organizations that have one, men and women are much more likely to agree that men and women have the same career advancement opportunities: 87 percent of men say they have the same opportunities, as compared to 77 percent of women. While a perception gap remains, it is significantly smaller than the 37-point gap between men and women in organizations without diversity programs (73 percent of men in organizations without diversity programs say advancement opportunities are equal, compared to 36 percent of women).
  • Security managers are seeing a slight improvement in the number of qualified candidates. Last year, 37 percent of security professionals said fewer than 25 percent of candidates for security positions were sufficiently qualified. This year, that number dropped to 30 percent.
  • Budgets are increasing. Sixty-four percent of respondents indicate that security budgets will increase this year, compared to 50 percent last year […] Read more »

Rethinking Identity Management in the Gig Economy

For years, the “consumerization” of IT has referred to the practice of employees conducting workplace activities on their personal smartphones and tablets, or using consumer services like Gmail or social media for work purposes. However, the “gig economy” is about to consumerize the workplace to new levels, bringing changes that will significantly impact how CSOs and CISOs protect their businesses.

When large parts of the workforce or even entire staffs are made up of independent contractors, it’s not just devices or services that are being brought onto the corporate network from outside of IT’s purview. These “permalancers” will be operating as complete outsiders to the corporate infrastructure, so to speak, which will test the boundaries of current IT-department protocols. IT will have to think beyond established bring-your-own-device (BYOD) practices; companies relying so heavily on freelancers now need to construct new “bring-your-own-identity” policies that will enable these workers to move freely and safely about the network, while keeping company infrastructure protected.

Traditional IAM Falls Short in Managing Non-Traditional Workforces

Traditional identity and access management (IAM) systems were not architected to manage a large number of workers of this type. IT is used to managing, at most, tens of thousands of employees who are known to the company – users with corporate accounts that the department can assume are trustworthy because they’re operating on closed corporate networks and behind the company firewall.

Now, these freelancers and independent contractors more often than not use their own personal accounts to access company resources, potentially from insecure locations, such as a coffee shop’s open public WiFi connection. There is a good chance they also work for other companies – maybe even competitors – and their gig might last only a few weeks or the duration of one project.

Workers Are Starting to Look Like Customers

In other words, workers are starting to look more like consumers, in part because of this increased reliance on contracted workers, and CSOs and CISOs need to address the security needs of these workers accordingly. Consider marketing writers using their own accounts to upload or edit documents on shared drives, or freelance programmers checking code into the company’s source code repository. They have created their own accounts, their identities may be established by any of a variety of single sign-on providers, and they are authenticated through public identity services such as OpenID providers and social media logins. Managing worker access in this environment is much more complex than it is behind the VPN and firewall, where HR or IT simply fills in key profile data for company-created identities and authenticates users against internal directory services […] Read more »
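What those access decisions look like in practice, as an added example that is not part of the original article or of any product it mentions: a small gateway that accepts a contractor’s token from an external identity provider and decides whether it opens a given company resource. Everything in it is hypothetical: the issuer URL, the audience value, the (issuer, subject) entitlement table and the shared HS256 secret exist only so the example runs on the Python standard library. A real OpenID Connect deployment verifies RS256/ES256 signatures against the provider’s published JWKS instead, but the issuer, audience, lifetime and engagement-window checks are the same.

```python
"""Added example (not from the original article): the checks a bring-your-own-
identity gateway has to make before a contractor's externally issued token opens
a company resource. Every name, URL and key below is hypothetical."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical trust store: issuer -> verification key. Unknown issuers are
# rejected outright; a valid signature from an unlisted provider proves nothing.
# (HS256 shared secrets keep this runnable on the standard library; a real OIDC
# deployment would hold the provider's RSA/EC public keys from its JWKS here.)
TRUSTED_ISSUERS = {
    "https://idp.example-freelance.test": b"shared-secret-for-demo-only",
}
AUDIENCE = "https://code.example.test"   # this gateway's own identifier

# Hypothetical entitlement table keyed on (issuer, subject), never on e-mail or
# display name, which the worker controls. Each grant is time-boxed to the
# engagement and limited to named resources.
ENTITLEMENTS = {
    ("https://idp.example-freelance.test", "user-8831"): {
        "resources": {"repo:payments-api"},
        "not_before": 1_700_000_000,   # engagement start, unix time
        "expires": 1_702_000_000,      # engagement end, unix time
    },
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue an HMAC-SHA256-signed JWT; stands in for the external provider.
    The alg parameter only changes the header, so a token that claims
    alg=none can be built to show that the verifier ignores the header."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token: str, now: int) -> dict:
    """Return the claims if the token is trustworthy, else raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:          # also covers binascii.Error and JSONDecodeError
        raise ValueError("malformed token")
    # Pin the algorithm: the token must never choose how it is verified
    # (the classic alg=none bypass).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Select the key by issuer first, then check the signature with that key.
    issuer = claims.get("iss") if isinstance(claims, dict) else None
    key = TRUSTED_ISSUERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not meant for this service")
    nbf, exp = claims.get("nbf", 0), claims.get("exp")
    if not isinstance(nbf, int) or not isinstance(exp, int) or not (nbf <= now < exp):
        raise ValueError("token not valid at this time")
    return claims


def authorize(token: str, resource: str, now: Optional[int] = None) -> bool:
    """True only if the token verifies AND the worker's engagement covers this
    resource right now. Token validity alone is not enough: the identity
    provider keeps issuing valid tokens long after the gig has ended."""
    now = int(time.time()) if now is None else now
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    subject = claims.get("sub")
    if not isinstance(subject, str):
        return False
    grant = ENTITLEMENTS.get((claims["iss"], subject))
    if grant is None or not (grant["not_before"] <= now < grant["expires"]):
        return False
    return resource in grant["resources"]
```

Two design points carry over to any real deployment. Entitlements are keyed on the (issuer, subject) pair, which the identity provider guarantees is stable, rather than on an e-mail address or display name the worker can change. And token validity and engagement validity are separate checks: the provider will keep issuing perfectly valid tokens after the gig ends, so the gateway, not the identity provider, has to close the door.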

The Quantum Computing Revolution

“Only six electronic digital computers would be required to satisfy the computing needs of the entire United States.” That prediction, made by Howard Aiken in 1947, has in hindsight not proved very prophetic. The need for processing power has risen continuously, and for the most part it has been met by an unparalleled evolution of chip technology, as forecast by Moore’s Law. Moore’s Law states that the number of components that fit on a computer chip doubles roughly every two years, which in turn improves the processing capability of the chip. The law, which is an observation rather than a physical law, has held over the decades and has seen digital computers that originally filled entire rooms shrink to something we carry in our pockets. But with components approaching atomic scale, and ever more money being poured into making chips smaller and faster, we have reached a point where chip technology can no longer be counted on to advance as Moore’s Law predicts. Hence alternatives are being pursued, and among them is the idea of quantum computing.

The traditional computer, at its core, performs simple arithmetic operations on numbers stored in its memory. The key is the speed at which it does so, which lets it string these operations together to perform more complex tasks. But as the complexity of a problem increases, so does the number of operations required to reach a solution, and some of the problems we need to solve today far surpass the capabilities of the modern computer. This limitation has also been turned to our advantage: modern cryptography, which is at the core of cybersecurity, relies on the fact that solving certain hard mathematical problems by brute force is a practical impossibility.

Quantum computers, in theory, do things differently. Information is represented in physical states so small that they obey the laws of quantum mechanics, and it is stored in quantum bits, or qubits, rather than the binary bits of conventional computers. A qubit can be in a superposition of 0 and 1, and its exact value is unknown until it is measured. Without getting too technical, this lets a quantum computer work with many states at the same time, giving it the potential to be many orders of magnitude faster than classical computers at solving certain problems. That computational power, in theory, could be used to render much of modern cryptography obsolete.

Modern cryptography relies on mathematical problems that would take classical computers hundreds, thousands or even millions of years to solve, and this practical limitation is what keeps cryptography-based security systems secure. With a sufficiently large quantum computer, it is theoretically possible that these solutions could be reached in days or even hours. The exposure is not uniform, though: the quantum algorithms that threaten today’s public-key schemes (RSA, Diffie-Hellman and elliptic-curve cryptography) break them outright, whereas symmetric ciphers and hash functions are only weakened and can be kept safe with larger key and output sizes. Public-key cryptography underpins key exchange, digital signatures and certificates, so if it collapses, much of our security goes with it.

But a quantum world is not all doom and gloom. Active research is already under way on quantum-safe algorithms to replace the current algorithms that a quantum computer would threaten; theoretically, these quantum-safe algorithms could prove more secure than anything we currently know of. Another area where quantum computing is likely to shine is big data. With cross-industry adoption of new technologies, the world is transforming itself into a digital age, and as the complexity and size of data keep increasing, this is sure to pose new problems well beyond the capabilities of modern computers. The challenge lies in converting real-world problems into a quantum language, but if that is accomplished, quantum computing will give us a whole new computational system with which to tackle them.

It is important to realize that quantum computing is still in its infancy and almost all of the hype surrounding it is theoretical. But it is clear that the technology promises a revolution in computing unlike anything we have seen before. It is also important to understand that quantum computers are not a replacement for the classical computer; rather, they are specialized at solving a particular set of problems that are beyond the powers of a modern computer. This opens up a vast avenue of possibilities for quantum computing. The traditional computer will still have its place, but with the world moving more and more towards a data-driven future, expect quantum computers to play a vital role in the future of technology.

Cybersecurity Partnerships: A New Era of Public-Private Collaboration

It is generally understood that the public and private sectors need to collaborate to address the nation’s cybersecurity challenges, yet there remain significant questions regarding the circumstances, nature, and scope of those relationships. Legal, strategic, and pragmatic obstacles often impede effective public-private sector cooperation, and these are compounded by regulatory and civil liability risks. Different government agencies have competing roles and interests, with the government serving dual roles as both partner and enforcer, which influences how companies facing cyber threats view public authority. These domestic cybersecurity challenges are complicated further by cross-border issues, including inconsistent laws and perspectives regarding, in particular, privacy norms and restrictions, data transferability, and divergent political interests in combating cyber threats.

A welter of issues involving technology, business, law, and policy affect the strategic cybersecurity relationship between the government and the private sector. And many of those issues are evolving and unclear. Because cybersecurity’s challenges are multifaceted, traditional modalities of interaction between government and private sector— between regulators and regulated—do not always capture the nuanced ways in which the nature of the cybersecurity challenge has fundamentally altered these relationships.

In an effort to better understand and, hopefully, help address the challenges of institutionalizing effective cooperation, this paper will explore four key areas that should be clarified as a necessary step in adopting a strategic approach to cybersecurity:

  1. Why is cybersecurity different from other threats, and why is public/private collaboration uniquely valuable to address cybersecurity challenges?
  2. What barriers—including, for example, the evolving regulatory and civil litigation landscape, and cross-border challenges—impede effective cybersecurity collaboration, and themselves generate additional layers of uncertainty and cost for institutional victims of cyber attacks?
  3. In light of those barriers, and available private-sector resources, should companies focus on self-help for addressing cybersecurity issues? When and to what extent can companies more effectively combat cyber threats without government assistance?
  4. What methods of public-private sector collaboration have been more successful than the traditional models of governance, and what roles can, and should, different parts of the government play in a comprehensive cybersecurity strategy?

While the problems are difficult, the answers may, in some respects, be astounding in their simplicity—solutions grounded in basic principles of organizational communication, teamwork, trust and relationship building, accountability, and foresight to prepare for and invest in mitigating risk before disaster strikes. These approaches are critically important and readily attainable, for those within industry and government who are willing to invest time, thought, and resources proactively, to avoid the far greater costs of an ill-prepared cyber response strategy.

Yet, in other ways, the challenges to effective cybersecurity solutions are confounding. The technology is often complex and constantly evolving, the vulnerabilities are vast and elusive, and the laws are fragmented and unclear. Perhaps the greatest challenges emerge from the significant, sometimes competing, domestic and foreign policy consequences impacting both government and business that flow from any proposed policy or legal response. These issues emerge at the intersection of technology, risk management, business, law, and strategy; successfully navigating them requires a sophisticated understanding of each of those diverse areas.

Government and industry bring a diverse range of resources, priorities, and perspectives to these issues that can sometimes compete. But, at a strategic level, they often are fundamentally aligned in their shared desire to develop effective strategic solutions to cybersecurity challenges. The key is determining how best to maximize the collective resources of business and government at that point of alignment.

Ultimately, the short answer is that no single actor (or group of actors) can figure it out alone. A strategic cybersecurity solution mandates the combined resources and coordination of government and industry, within a practical framework that balances effectiveness with efficiency, and security with privacy and innovation. To reach that solution, we first need to understand the benefits, barriers and alternatives to effective coordination, and why the nature of the problem demands new and innovative forms of collaboration. In doing so, we will come to realize that the government and private sector already are innovating in the forms of collaboration necessary to address the cybersecurity threat; next, the challenge will be to institutionalize and expand these means of working together […] Read more »

After the Breach: Cybersecurity Liability Risk

Cybersecurity’s evolving regulatory and liability landscape compounds the challenges that companies face from cyber attacks, and further complicates the ability of corporate executives and their advisors to understand and effectively manage cyber risk. Companies must prepare for and respond to a potential cyber attack’s direct damage, including financial and data loss, system and service interruptions, reputational harm and compromised security. Cyber attacks also expose companies to diverse and uncertain regulatory and civil liabilities. Although these risks generally become apparent post-breach, they must be contemplated and managed proactively, before a breach occurs.

The decision-making of companies that are facing systematic and strategic cyber threats is, therefore, fraught with legal uncertainty about the implications of how they prepare for and respond to the threat. With piecemeal statutes and regulations, and emerging technologies, companies must navigate myriad potential sources of civil and criminal liability related to cyber incidents whose doctrinal contours are unsettled. Concerns include, for example, how to: Institute and monitor security protections; implement cyber incident response policies and procedures; disclose threat, vulnerability and incident information; and determine when, whether and how best to inform, and potentially cooperate with, government. In addition to the inherent difficulties in determining how to address these concerns, companies also must evaluate how each of those decisions may impact litigation risk.

These concerns are particularly acute because many of the most serious cyber vulnerabilities reside in privately-owned networks and systems, those systems often contain some of the most valuable information available about the nature of the threat, and, ultimately, steps to prevent and mitigate harms must be implemented largely by the private sector. Unless we understand better the factors shaping the private sector’s response to cyber harms, including the ways in which litigation risks shape strategic decisions about cybersecurity, it will be difficult to comprehensively address the threat. And while governments traditionally have been charged with protecting the national interest, that role, in a digital era, is increasingly also played by private companies. To the extent that an unsettled liability landscape shapes private sector decisions about investing in cybersecurity protections, disclosing cyber incidents to the public, and cooperating with government, the problem is no longer exclusively one of legal rights and remedies, but also one of strategic cyber preparedness.

Managing this shifting landscape requires executives, including at the board and senior leadership level, not only to confirm that adequate technological defenses are in place, but also to think strategically about how to create and implement corporate governance, communication and response structures to manage cyber risk. This means ensuring that the organization can effectively identify and address emerging regulatory and liability issues on both a proactive and a responsive basis. Moreover, because systems can be compromised at any level, it also involves communicating (through training and protocols) the significance and means of properly managing cybersecurity risk […] Read more »

Is Your Vendor Risk Management Program Working?

As the saying goes, you can outsource most anything, but you can’t outsource responsibility. Companies remain on the hook for ensuring their vendors are up to the task when it comes to cybersecurity, privacy compliance and continuity of operations. This checklist can help determine the maturity of your vendor risk management program.

✔ We understand the vendor’s role relative to our business risk.

Knowing if a vendor is reliable requires knowing how they are being relied upon. It is worth considering how a particular vendor’s security failure might impact the confidentiality, integrity or availability of your employee records, customer data and business secrets, and whether their failure could put a halt to your operations altogether.

✔ We understand the vendor’s security relative to our requirements.

Just because a vendor is well known, does not mean their standard offering meets your company’s legal, regulatory, contractual and business security needs. Companies often take advantage of a cross-functional team of information security, legal, compliance, procurement, privacy and risk experts when making important vendor decisions.

✔ We ask the right questions and understand the response.

Vendor questionnaires are all the rage, but they are resource intensive for both parties. If your company uses them, do it right by assigning appropriate personnel to assess the answers, recognize gaps and potential remediation measures, follow your organization’s risk acceptance procedures and document decisions. Alternatively, consider accepting independent third-party audits and certifications, supplemented only as necessary for unique requirements.

✔ Our contracts are rock solid.

The Federal Trade Commission put it succinctly: “Insist that appropriate security standards are part of your contracts.” But, what are appropriate standards? Among other things, strong contracts take into account a company’s legal and regulatory environment, and often have provisions relating to specific security controls, compliance with industry standards, third-party certifications, data rights and privacy requirements, audit rights, insurance coverage, incident notification (and cooperation and information sharing if there is an incident), responses to legally compelled disclosure, data localization requirements, choice of law, restrictions on subcontracting, data destruction, SLAs and indemnification […] Read more »