Align Your Security Program With the Business
Information security used to be part of IT. That has changed recently; security now needs to be independently aligned with the business operations, not just IT operations. The PCI SSC calls this "Business as Usual" (BAU). NIST CSF talks about aligning cybersecurity requirements with business activities. I call this process information security governance and maintain a CSO Online blog
on this topic. For a recent post on an approach to alignment between security and the business, go here
Posted on 09/16/2016 5:26 PM by Frederick Scholl
Don't fall victim to BEC
Business Email Compromise (BEC) continues to be one of the most successful information security attack vectors. Criminals steal email addresses and passwords of C-level executives and then use this information to initiate fraudulent financial transfers from the executive's employer to the criminal's bank account. In this process the executive's home network is also vulnerable. It will likely contain sensitive information, including business account information. I discussed this risk and recommended solutions in my webinar "Cybersecurity Tips for High Net Worth Individuals and Small Businesses" last February, now posted on LinkedIn here.
Two new books cover the topic in more detail. I recommend both to security practitioners. The first is , by Raef Meeuwisse. The second is , by Adam Anderson and Tom Gilkeson. Both books adapt the NIST CSF to the home and small business environment. They will help you keep your clients' homes and home offices as secure as the corporate headquarters.
Posted on 09/11/2016 8:35 PM by Frederick Scholl
Enterprise Risk Management and Information Security
Enterprise Risk Management (ERM) has been around at least since the days of the Trojan Horse. Information security risk management can learn much from ERM and avoid reinventing the wheel. The National Association of Corporate Directors (NACD) made this clear in the 2014 handbook Cyber-Risk Oversight
. Principle #1 is to approach cybersecurity as an enterprise-wide risk management issue. For updated observations on ERM and information security, go to my CSO Online blog post "Don't be the next Humpty Dumpty"
Posted on 09/05/2016 3:04 PM by Frederick Scholl
Evidence Based Risk Assessment: Lessons Learned from the Y-12 Breach
My approach to risk assessment always includes analysis of actual breaches in an industry similar to the client industry. This is the evidence based component of risk analysis. On July 28, 2012, three protesters broke into the Y-12 Highly Enriched Uranium Manufacturing Facility (HEUMF) in Oak Ridge, Tennessee. While you may not run a nuclear complex, we can still learn from this incident. Much has been published about this break-in and how it could occur given the high priority placed on security at the facility. How did three people, average age about 66 years, break through three fences to an enriched uranium facility? Only the people who were there will really know, but a recent book by Steve Gibbs does give some insight into the events and aftermath. Mr. Gibbs was General Manager for the protective force vendor, Wackenhut, around the time of the break-in. His recent book, Behind the Blue Line (2015) is a rare look into the events surrounding any type of security breach. Here are some lessons I learned from this book. These are my own observations, not explicitly stated in Mr. Gibbs' book:
- Wackenhut was involved with 6 weeks of difficult contract negotiations with the guard union. This was finalized only the day before the above breach. Did anyone in management or labor take their eye off the ball? Did the negotiations contribute to the failure to detect the breach or take appropriate action?
- Failure to maintain security systems was clearly a contributing factor. The zone 62 camera simply was not working and had been out of service for five months. Maintenance of physical security equipment seems like an obvious necessity. Maintenance of cyber security controls is not top of mind with most organizations. Interestingly, a new service in this space, "Managed Tools Security Service", is now offered by Compliance Engineering.
- Some systems in operation at Y-12 were not tuned for effective use. One example was Argus, a physical intrusion detection system. It had recently replaced a legacy system that had been in use for 20 years. Argus had too many false positives to be effective, according to some of its users. This, of course, is a common problem with all types of cyber detection systems.
- Finally, one more contributing factor is that contract negotiations and budget scrutiny was taking place at exactly the same time as the July breach. This was in addition to the labor negotiations mentioned in #1. Previous reductions in funds had eliminated some of the guards that could have caught the intrusion before it got to the HEUMF.
The biggest failure is that Y-12 did not test its incident response plan or operational security monitoring. This would have highlighted shortcomings and hopefully led to corrective action. Conclusion: never trust a security control, unless it is regularly tested. Trust but verify everything. Mr. Gibbs' book is a worthwhile read, illustrating what it takes to secure a nuclear facility.
Posted on 09/03/2016 2:24 PM by Frederick Scholl