Yesterday’s outage at Amazon is a timely reminder of our need to have a contingency plan. Once services move to the cloud, the business impact of those cloud services becoming unavailable must be assessed and planned for.
Who is responsible for IoT security? What about implied warranties?
There are increasing concerns around the security of devices on the Internet of Things, given the recent weaponization of many such devices to launch DDoS attacks. The specific issues involved poor design and default configurations. Should security be baked in, or bolted on after the fact?
Well-structured security policies are a necessity for business organizations regardless of size. Without effective policies, there is no governance and no effective security program. To be effective, policies need to be supported by effective controls, which can be physical, procedural, or technical.
This morning’s WSJ had an interesting article, “Corporate Judgment Call: When to Disclose You’ve Been Hacked.” The concern raised was that although hacks and data breaches are becoming more common, few are reported to the SEC as required.
Cybersecurity skills are some of the most in-demand skills in the IT world of today. Hiring managers and recruiters alike lament the lack of skilled candidates, leaving positions unfilled and salaries escalating for the limited pool of qualified candidates. I agree that the pool in which we are looking is small; we need to look in a larger pool when addressing the IT skills gap.
Most organizations implement controls around privileged account access for IT staff and administrators, including revoking access upon employee termination. But what about vendors or managed service providers?
An interesting case came my way today from a team actually in the MSS (Managed Security Service) space. They received a call from a former customer, decommissioned over two years ago, seeking urgent support. As it turned out, the customer, a MAJOR US bank (think “too big to fail”), needed the administrative login and password to a firewall they had long since forgotten. After challenging the caller based upon the prior challenge/response detail on file, the credentials were provided to an authorized individual on behalf of the customer. No further updates were conveyed as to whether this worked, although it does call into question controls around vendors.
Two years? Not only was a security device “lost” but the credentials may not have been changed when there was a change of vendor? This raises concerns on many levels and is particularly alarming coming out of the banking industry. While I absolutely know the name of the bank, for ethical reasons I will not disclose the name here although I may make a courtesy call to the CISO.
The takeaway here is to always monitor and review vendor accounts. Vendor access absolutely must be disabled upon contract termination, and credentials on any device the vendor managed must be changed at the same time.
Twice this week the WSJ has published articles related to the FAA and cybersecurity in the aviation industry. Although there are as yet no documented cases of cyber terrorists bringing down an aircraft, one does have to wonder what the flying public may not know in light of the recent Egypt Air crash, which has yet to be explained.
We have all seen the saying “see something, say something” in airports and various public places advising the traveling public to report suspicious items and events. Likewise, as business leaders, we encourage our employees to report information security incidents so that we may investigate and improve upon our security posture. Do businesses take matters seriously when reports are made?
Ok, so the title of this post may lack any reference to cyber security. However, there is an analogy to be made here if I may beg your indulgence for a moment.
Most of us grew up hearing this term from our mothers a time or two, when we needed to adjust ourselves to a more respectable state where our undies no longer showed outside our clothes. Being always on the lookout for an opening line to meet a new person, this one came to me while getting off a plane.
It is nearly impossible to pick up the morning newspaper or go online and not be confronted by another story about the emerging saga of Hillary Clinton’s email scandal. While much of the dialogue is, of course, politically based, there are deeper lessons to be learned here, as the situation is really a common occurrence in the business world and, as we now see, in the public sector as well. Whether Hillary’s actions were legal or illegal is a matter for the FBI, the Department of Justice, and ultimately the courts and public opinion to decide. There is, however, a very basic cybersecurity lesson to be learned from the events.