Implied Warranties for IoT Devices

IoT

Who is responsible for IoT security?  What about implied warranties?

There are increasing concerns around the security of devices on the Internet of Things given the recent weaponization of many such devices to launch DDoS attacks. The specific issues involved poor design and insecure default configurations. Should security be baked in or bolted on after the fact? Continue reading

Addressing the IT Skills Gap

Cyber Incident

Cybersecurity skills are some of the most in-demand skills in the IT world of today. Hiring managers and recruiters alike lament the lack of skilled candidates, leaving positions unfilled and salaries escalating for the limited pool of qualified people. I agree that the pool in which we are looking is small; we need to look in a larger pool when addressing the IT skills gap. Continue reading

Privileged Accounts For Vendors

Policies

Most organizations implement controls around privileged account access for IT staff and administrators, including revoking access upon employee termination. But what about vendors or managed service providers?

An interesting case came my way today from a team actually in the MSS (Managed Security Service) space. They received a call from a former customer, who had been decommissioned over two years ago, seeking urgent support. As it turned out, the customer, a MAJOR US bank (think “too big to fail”), needed the administrative login and password to a firewall they had long since forgotten. After challenging the caller based upon the prior challenge/response detail on file, the credentials were provided to an authorized individual on behalf of the customer. No further updates were conveyed as to whether this worked, although it does call into question controls around vendors.

Two years? Not only was a security device “lost,” but the credentials may not have been changed when there was a change of vendor. This raises concerns on many levels and is particularly alarming coming out of the banking industry. While I absolutely know the name of the bank, for ethical reasons I will not disclose it here, although I may make a courtesy call to the CISO.

The takeaway here is to always monitor and review vendor accounts. Vendor access absolutely must be disabled upon contract termination, and any shared credentials the vendor held (device admin logins in particular) must be rotated at the same time.
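As an added example (not code from the original post), the following Python sketch shows what a periodic vendor-access review can look like when driven from two inventories: the accounts vendors hold on your devices, and the contract register that says which vendor relationships are still live. The vendor names, device names, dates and threshold values are constructed for illustration. It flags the two failures described above (access still enabled after termination, and a device credential never rotated after the vendor left), plus accounts with no contract on file at all, and it still applies routine rotation and dormancy checks to active vendors.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Review thresholds for vendors whose contract is still active (hypothetical policy values).
MAX_ROTATION_DAYS = 90
DORMANT_DAYS = 60


@dataclass(frozen=True)
class VendorContract:
    vendor: str
    end_date: Optional[date]  # None means the contract is still in force


@dataclass(frozen=True)
class VendorAccount:
    account: str
    vendor: str
    device: str
    enabled: bool
    last_rotated: date          # date the credential was last changed
    last_login: Optional[date]  # None means no recorded use


def review_vendor_access(accounts: List[VendorAccount],
                         contracts: List[VendorContract],
                         today: date) -> List[Tuple[str, str, str]]:
    """Compare vendor accounts against the contract register and return
    (severity, account, reason) findings, most severe first."""
    contract_end = {c.vendor: c.end_date for c in contracts}
    findings = []

    for a in accounts:
        if a.vendor not in contract_end:
            # Nobody owns this relationship any more, so nothing will ever trigger its removal.
            findings.append(("HIGH", a.account, f"no contract on file for vendor {a.vendor}"))
            continue

        end = contract_end[a.vendor]
        if end is not None and end <= today:
            # Terminated vendor: access must be gone and shared secrets must have been changed.
            days_over = (today - end).days
            if a.enabled:
                findings.append(("HIGH", a.account,
                                 f"still enabled {days_over} days after {a.vendor} contract ended"))
            if a.last_rotated <= end:
                findings.append(("HIGH", a.account,
                                 f"credential on {a.device} not rotated since {a.vendor} contract ended"))
            if a.last_login is not None and a.last_login > end:
                findings.append(("CRITICAL", a.account,
                                 f"used on {a.last_login.isoformat()}, after {a.vendor} contract ended"))
        else:
            # Active vendor: still subject to periodic rotation and dormancy review.
            if (today - a.last_rotated).days > MAX_ROTATION_DAYS:
                findings.append(("MEDIUM", a.account,
                                 f"credential on {a.device} older than {MAX_ROTATION_DAYS} days"))
            if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
                findings.append(("LOW", a.account,
                                 f"dormant for more than {DORMANT_DAYS} days; confirm still required"))

    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


# Constructed sample inventory (hypothetical vendors, devices and dates).
CONTRACTS = [
    VendorContract("AcmeMSS", date(2014, 5, 1)),  # decommissioned two years before the review
    VendorContract("NorthStarMSP", None),         # current provider
]
ACCOUNTS = [
    VendorAccount("acme-fw-admin", "AcmeMSS", "fw-edge-01", True, date(2013, 9, 12), None),
    VendorAccount("northstar-svc", "NorthStarMSP", "fw-edge-01", True, date(2016, 2, 1), date(2016, 5, 20)),
    VendorAccount("oldco-backup", "OldCo", "siem-01", True, date(2015, 1, 1), date(2015, 3, 3)),
]
REVIEW_DATE = date(2016, 6, 1)


def sample_review() -> List[Tuple[str, str, str]]:
    """Run the review over the constructed inventory as of REVIEW_DATE."""
    return review_vendor_access(ACCOUNTS, CONTRACTS, REVIEW_DATE)


if __name__ == "__main__":
    for sev, acct, reason in sample_review():
        print(f"{sev:8} {acct:16} {reason}")
```

On the sample data the review raises two HIGH findings for the forgotten firewall account (still enabled, credential never rotated after the vendor was replaced), one HIGH for the orphaned account with no contract on file, and one MEDIUM for the current provider's stale credential. In practice the two inventories come from the identity or device-management system and from procurement, and the point of the check is that access removal is driven by the contract register rather than by someone remembering to do it.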

Resiliency Against Cyber Threats

FAA Cybersecurity Safeguards

Twice this week the WSJ has published articles related to the FAA and cybersecurity in the aviation industry. Although there are as yet no documented cases of cyber terrorists bringing down an aircraft, one does have to wonder what the flying public may not know in light of the recent Egypt Air crash, which has yet to be explained. Continue reading

See Something, Say Something

We have all seen the saying “see something, say something” in airports and various public places, advising the traveling public to report suspicious items and events. Likewise, as business leaders, we encourage our employees to report information security incidents so that we may investigate and improve upon our security posture. But do businesses take matters seriously when reports are made?

Continue reading

Your Undies are Showing

Ok, so the title of this post may lack any reference to cyber security.  However, there is an analogy to be made here if I may beg your indulgence for a moment.

Most of us grew up hearing this term from our mothers a time or two, when we needed to adjust ourselves to a more respectable state where our undies no longer showed outside our clothes. Always on the lookout for an opening line to meet a new person, I found this one while getting off a plane. Continue reading

What Can Hillary Teach us About Cybersecurity

It is nearly impossible to pick up the morning newspaper or go online and not be confronted by another story about the emerging saga of Hillary Clinton’s email scandal. While much of the dialogue is, of course, politically based, there are deeper lessons to be learned here, as the situation is really a common occurrence in the business world and, as we now see, in the public sector as well. Whether Hillary’s actions were legal or illegal is a matter for the FBI, the Department of Justice, and ultimately the courts and public opinion to decide. There is, however, a very basic cybersecurity lesson to be learned from the events.

Continue reading