Answer, it’s both.
Manufacturing is plowing full-speed ahead into the siren-like song of the Industrial Internet of Things (
Musings of a Corporate Consigliere
Thoughts & Advice on Consulting Challenges
Popular culture has done one thing for the cyber security profession: it has made it seem relatively cool. A standard crime or action drama has trendy cyberpros, fingers dancing on slick keyboards while reams of incomprehensible text or graphics scroll smoothly by. These folks are abnormally attractive, luxuriously ensconced in palatial, trendy offices, and report to serious, considerate, worldly leaders.
Sadly, in reality the script is entirely flipped. Most security folks desperately try to make the case for an organization to patch their hardware, eliminate access to insecure consumer technology, and make do with skimpy budgets. Security tools are purchased without training or robust implementation services, staffing is minimal, and technology and security risks remain unmanaged at the enterprise level. Offices are micro-cubicles, harshly lit with soul-sucking corporate fluorescent light. No tasteful coffee bars or inviting work nooks to be found. Plus I look exceptionally stupid in a slouchy beanie.
One area that meshes with TV reality is the plethora of security tools in the enterprise space. Firewalls, IDS/IPS, SIEM, Endpoint, Asset Managers, Vulnerability Scanners, Policy tools, ad infinitum. Over a dozen screens with hundreds of reports, alerts and klaxons compete for the few infosec folks who attempt to reduce the risk of a data breach on a daily basis. With the enterprise security market flooded with products equivalent to the melon baller, security vendors are churning out more products that 80 percent of the market will never use, or at least never use effectively. [Read more…]
When the HITECH Act of 2009 and the Final Rule for HIPAA passed in 2013, the security of vendors and third parties became a concern for covered healthcare entities, big and small. Whenever a partner connects to your network and has access to your Protected Health Information (PHI), you are on the hook for their privacy and security readiness. The lack of a Business Associate Agreement (BAA), or other excuses, no longer applies. This includes all entities that handle PHI, even dentists. For some reason a lot of dentists don’t believe HIPAA mandates apply to them.
With this in mind, the FBI released a Private Industry Alert, “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information,” on March 22nd to alert healthcare entities to File Transfer Protocol (FTP) server vulnerabilities, quote:
“The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI [Protected Health Information] or PII [Personally Identifiable Information] is not stored on the server.”
Over the last twenty years or so the Project Management discipline has risen from obscurity to an integral part of corporate life. If you are reading this from the cubicle farm, chances are gaggles of contract project managers are generating countless spreadsheets that are dutifully filled out with carefully curated data. This data may or may not be plugged into a vast, unwieldy PMO tool. That data will flow to the various managers and directors who vaguely review the information in status reports. From there it falls into the great bitbucket, never to be seen again. Unless a project is heading toward failure; then it will be used to clobber parties who lack the right political protection. That is usually the sad contract project manager who originally created the spreadsheet. Of course the PM is supposed to be part of a project team that should include project coordinators, business analysts, approved budgets, PMO resources, etc. Instead, the PM is usually the only management resource assigned to the project. They’ve come in two or three months into the execution phase, there aren’t any requirements, the last PM was fired or left, and, by the way, you have six other projects like this that you are responsible for.
So how did the project management role become the fall guy/girl for the corporate world? If the above statements hold up, how is the project they are assigned to going to be a success? How did the profession get to this point, and what can be done to reverse the trend?
More dispatches from the front for this week’s post. Cloudflare, a premier cloud hosting and security provider, was compromised back in September 2016. Several lines of faulty code in an HTML parser allowed user session data (cookies, credentials, keys, tokens, etc.) to be scattered about unrelated web sessions by the millions. This data was apparently spread in plain text and is very difficult to remediate, since the information was randomly dropped into unrelated sessions across a massive customer base. According to Cloudflare, the worst data leakage occurred between February 13–18, 2017.
I was approached by Snapmunk to provide commentary on this issue, which I did. However, I have also provided similar advice to clients more times than I care to count. We can point back to the Heartbleed bug, which was identified in 2014 but had been running rampant since 2012. Remediation of this issue isn’t the investment of a boatload of expensive tech solutions but can tackle this problem
Here are a few of the tips I have provided:
1. What steps would you advise businesses affected by Cloudflare’s data leak take following the leak? How should they go about damage control?
They should immediately activate their breach incident response program, then coordinate with Cloudflare on a daily basis to ensure they have the latest information on the scope and impact of the Cloudbleed breach. Depending on where the company is located, they may have to notify state and local authorities that they have been impacted by Cloudbleed.
The most proactive damage control would be to contact the users of your company’s services immediately. State what actions you are taking to address the breach and have a defined plan to follow up with those customers to keep them informed.
Internally, these companies must review their security posture from top to bottom and ensure that the Cloudbleed incident did not compromise credentials that can access corporate assets and cause further security breaches in the future.
2. What can we learn from a breach like this?
We can assume that Cloudflare was using the latest security technologies with a focus on a “Defense-in-Depth” strategy. However, one error in a line of code invalidated millions of dollars in expensive technology. The takeaway for both consumers and companies is that no technology service is 100 percent secure. Companies will need to aggressively review software for vulnerabilities. This will sometimes mean very expensive software migrations from legacy applications. On the consumer side, customers have to realize that using the same password for multiple sites, especially sensitive ones, is a very bad idea.
From the Department of Redundancy Department here comes another set of regulatory hilarity that will definitely impact both business and security professionals alike. I give you the GDPR!
The General Data Protection Regulation (GDPR) is very similar to the U.S. NIST, PCI DSS, and HIPAA data security standards. Like U.S. HIPAA or PCI rules, GDPR lays down a foundation of data security and privacy requirements, how consumers can access and transfer their data, fines and penalties and how GDPR applies to EU member states.
GDPR will impact information security products and services globally. Security vendors will have to incorporate GDPR standards into their products, and InfoSec professionals will have to be familiar with the various privacy and security rules within GDPR. However, EU members have until May 28th 2018 before compliance becomes mandatory.
Information Security Professionals must have more than a passing knowledge of the various rules and regulations that impact the management of the enterprise data in their charge. InfoSec pros must be familiar with local, state, federal and international privacy and security guidelines that govern the confidentiality, integrity and availability of the data they protect. Knowledge of legal and regulatory frameworks is becoming as important a skill as proficiency in the security technologies they use to protect sensitive data.
I’m rather surprised the Certification Industrial Complex hasn’t jumped at the chance to create an overall certification for the mountain of legal and regulatory guidance that governs privacy and security. Maybe having a law degree will be the next prerequisite that HR folks will require for employment. I can see it now, “Corp X req: must have a law degree, CISSP, CRISC, PMP, MBA, 15 years’ experience. 6 month engagement @$45 per hour.”
Let me know your thoughts in the comments below.
A recurring theme in Information Security and Technology is the issue of communication. While this trope has been on the books since the 90s, there hasn’t been much progress toward a lasting solution. Executives appear to be ill-informed of technology risks, issues, needs and wants, while those in the tech & security trenches complain bitterly about the apparent cluelessness of leadership.
After a recent conversation with a client about this apparent disconnect, I’ve attempted to sum up the current state of this ongoing problem as well as provide a few tips on how to clear up some of the clutter.
What priorities are not getting through from IT security to the board and C-suite?
What is not translating in the other direction, from the top down?
What are the cultural and other differences between the two extremes that are garbling communications?
How do we fix the communications process and deliver the key points from each end to the other with sufficient clarity and weight?
Let me know your thoughts in the comments below about my approach. What are your ideas on how to help solve these issues?
Is cyber-liability insurance a must-have for today’s enterprise? How should an organization go about evaluating adding this type of policy to their stable of risk management vehicles? Let’s take a look at the current market and a few of the questions that need answers before a company invests in a cyber-liability policy.
Cyber-liability insurance is gaining in popularity as a supplement to Commercial General Liability (CGL) policies and could be a good investment for a business looking to hedge their risk. The ROI for this type of policy would have to be weighed against the business model, the data stored and the potential damages they could incur in the event of a data breach. Companies in the healthcare and financial sectors should seriously consider obtaining one of these policies due to the regulatory burden and potential non-compliance penalties these industries face.
Is the cost worth it?
Currently, the cost of cyber-liability policies is quite low. With a record number of data breaches in 2015, the cost of these policies is climbing quickly; however, they are still quite reasonable. Based on a small breach of 100,000 client records, an enterprise would pay nearly $50k in postage for sending notification letters alone. Most cyber-liability premiums, based on revenue, size and industry, hover between $1500. Large multi-billion dollar firms may pay up to around $50,000. [Read more…]
The model(s) behind technology spending have been changing dramatically over the last several years, with virtualization, consumer devices and “as a service” offerings complicating the procurement process. While they offer tremendous opportunities for astute technology consumers, there are also significant risks that the unprepared enterprise technology consumer may realize with insufficient information.
Add to this the increasing cybersecurity concerns, regulatory compliance regimens and staffing issues, and even the largest firms are facing difficulty making informed decisions.
One of the questions I get from my small business clients is: how can I perform a technology audit to take stock of what the business has, identify gaps, and create a plan for new tech purchases?
The first step would be to look at your enterprise strategic plan. What are your business goals for the next three years? What technologies would facilitate reaching those goals? Do you have technologies in house that fill that need currently? Can they be upgraded or configured to meet these objectives? If not, what technologies are available (Cloud or on-premise) to meet your objectives?
These very high level steps fall into the basic strategic planning process, governance and portfolio management. [Read more…]
Is there hype and hysteria around security breaches? Is this going to give rise to a cyber-industrial complex? These questions were recently posed to me by a client at a large insurance company.
Well, let’s look at the current situation. Security breaches are growing in scope and visibility due to the increasing automation and interconnected systems, mobile devices and the sharing of personal data. The financial incentive is there for the criminal, nation-state, malicious actor to perpetrate these crimes.
Cyber-security preparedness in the business community, while becoming more visible in recent years, is still far behind the curve when compared to those who wish to commit cybercrime. There is still a tremendous disconnect with employees and the general public regarding the current security threats and what impact their behavior has in propagating or thwarting a breach.
People should be concerned about security breaches, since personal data can be used to damage or destroy an individual’s financial and even personal life. An example of this is the OPM breach, where millions of pages of security forms were stolen that contained intimate details of individuals. These can and will be used by malicious actors for leverage against those federal employees in sensitive positions within the government.
Are cybersecurity companies using these incidents as a means to feed the hysteria behind breaches? Of course they are. You see this in any industry when a company sells a product or service that can remediate concerns faced by that industry. However, security is still a comparatively low priority at the executive level within corporations. This is changing, but it remains the bailiwick of technologists who have minimal say in enterprise decision making. [Read more…]