More Perspective

In my last blog post, I discussed the history of the CIS 20 Critical Security Controls and the relevance they hold for organizations today. In my second post on this topic, let’s dive a bit deeper in CSC 2 security control, which is very tightly aligned with CSC 1 (Inventory of Authorized and Unauthorized Devices) control.

I think we all agree that a successful cloud strategy is important today. In fact, for most organizations, it’s imperative. Global competition and rising costs are driving businesses large and small to explore ways to integrate more cloud services into their operations. In fact, according to Gartner, the public cloud services market will reach $246 billion in 2017, an 18% increase from 2016.

In 2017, the industry saw the birth of security automation. As it continues to grow from infancy into something more robust, now is a good time to reflect on what it is and what operational impacts it is having on our systems.

As most of you are aware by now, researchers have discovered a set of critical vulnerabilities in all Intel CPU hardware, currently impacting the vast majority of devices in the wild. These devices include desktops, servers, mobiles devices and appliances, regardless of Operating System and whether they are located in the cloud or on premises.

The modern world of information security can often be a confusing one. Security practitioners are continually inundated with a barrage of data coming from reports, alerts, security tools, threat feeds, and more. At the same time, they are trying to align this data with the multiple security requirements, regulatory mandates, best practices, and frameworks that define their environment. Unchecked, the sheer volume of information can easily paralyze an organization from taking action when necessary. The ‘Fog of More’ can essentially become the larger threat to the environment.

As we get closer and closer to ringing in the New Year, threat actors remain very busy attempting to intrigue us with phishing campaigns that promise great deals on products and services. In an effort to keep these final weeks of 2017 as joyful as possible, below are a few tips to stay ahead of the Grinch as he looks on with a malicious grin over your data.

“Big data.” “Data analytics.” “Big data analytics.” All of us are familiar with these terms, aren’t we? In fact, these words have been part of our vocabulary for long enough that they sometimes get used interchangeably. But that can lead us to make some false assumptions.

For nearly ten years, I’ve looked forward to the release of Verizon’s annual Data Breach Investigation Report (DBIR). With its analysis on the thousands of breaches and incidents from across the globe, occurring over its last full revolution around the sun, which cybersecurity pro among us does not look forward to such a treasure trove of insights and predictions to guide our focus for the coming year?

In looking at definitions of DevOps, I found a general consensus that DevOps is primarily about enabling “cultural shifts” and increasing “collaboration” among technology development and operations/infrastructure teams. A much smaller emphasis is placed on the automation processes around delivering software and infrastructure changes. While I know I’m going to ruffle some feathers with this view, I am going to say it: we need to stop confusing the process efficiencies needed to reach DevOps excellence with the need for broader (and important!) organizational change.

There is a veritable cloud gold rush occurring today. CIOs are declaring “cloud-first strategies” while companies are pasting “cloud” onto any and every product they have. Their hope is to hit pay dirt amid uncharted and widespread IT transformation. As with most euphoric and rapid endeavors, reality is setting in for those who have made the journey to the cloud. Big payouts require work. For the cloud, a lot of that work happens at the application level.

Organizations are inundated with the latest security solutions and “expert” opinions on what they should be doing. In many cases, it might make more sense to take a step back and decide on a framework to map your current security posture against and get back to basics in developing solid cyber hygiene. One of these frameworks would be the Critical Security Controls (CSC) published and maintained by the Center for Internet Security (CIS).

Are you struggling with security? If so, you’re not alone. Security gets harder every year. Thanks to digital business and mobility, you need to guard more attack vectors than ever before. Product updates and new software innovations often result in new vulnerabilities—and hackers are getting craftier and more adept at exploiting them.

Well it’s been an interesting start to the week to say the least. We all woke up Monday to read about a new wireless vulnerability labeled KRACK, or key reinstallation attack.

March 1, 2017 marked the date in which the NYS Department of Financial Services announced their compliance requirements for all covered entities that do business in New York State

You can’t go to a conference or look at an article without hearing or reading something about data analytics. As an industry, we’ve gone from the recognition that we have all of this data (i.e. Big Data) to focusing on how to derive insight and value from that data. It’s been part of our world for so long that the term “Big Data” isn’t used in the same way it was before —we just talk about data. The scope and complexity of it is understood.

Today, most organizations struggle through a myriad of complexities associated with purchasing and managing software licenses. Apart from dealing with differing termination dates and compliance, the permissible usage of a license can also be governed by elements such as named users, concurrent users, perpetual use, subscriptions, and negotiated volume discounts. Licenses can also be tied to specific hardware devices limiting the manner by which they may be transferred.

Ever feel like you’re fighting a losing battle? Your organization is pretty diligent when it comes to security. You have firewalls at the perimeter between your internal networks and the Internet. You have an anti-virus product deployed on every laptop, desktop, and server within your organization and the updates are kept current. You may have even deployed an application-aware next generation firewall, an IPS, or a SEIM/SEIM to collect and correlate security events from many data sources. Yet, despite your best efforts, your end users still manage to become infected with malware—or perhaps even ransomware. You may ask yourself, “With all of this protection in place, how is this possible?”

Want to move more data and apps into the cloud, but you’re hesitant to do so because of security? It’s a valid concern. After all, protecting your sensitive data is your responsibility. When you put your data in the cloud, you’re taking a risk. It’s a calculated risk, one you’ve thought about carefully. But nonetheless, it’s still a risk.

The world is changing rapidly, and we’re starting to see cracks in the security controls we’ve come to rely on in our digital society. Even Equifax, one of the largest credit reporting organizations out there, has suffered a data breach. I’m often asked by friends and family how I react to the news and what I recommend, so I thought I’d share my suggestions with you

Information security is a top concern in every industry. In 2015, the percentage of reported data breaches caused by hacking incidents increased 8.4 percent over 2014 numbers to reach the highest value in nine years (37.9 percent), according to a report from the Identity Theft Center. Cyber crime is a sophisticated criminal enterprise, and billions are lost annually through breaches of businesses, healthcare organizations, and government entities; and yes, educational institutions too.