Learn about cyber security news and events from industry experts every month in our Cyber Defense Newsletter.
In the US, it’s been a very long election cycle. Don’t worry. We’re not going to get political here today. If we put aside all the issues and other particulars, there is one thing very interesting to think about from an information security centric point of view.
There’s nothing like the threat of someone knowing every item you ever put on a Wish List at Amazon for the last 20 years to motivate you to act. For a business, there are potentially much more embarrassing secrets and information at stake, but users don’t often feel that as viscerally.
The Commodity Futures Trading Commission (CFTC) recently approved a new set of cybersecurity guidelines that were outlined in proposals late last year. The CFTC rules will cover contract markets, derivatives clearing organizations, swap execution facilities and data repositories.
These are all services run by IT that secure your endpoints and your identities. Identity is now the perimeter for nearly all security. Who you sign in as and how you authenticate is vastly more important than where you are typing and what network you are on. More and more, security is not a part of IT, but its main focus.
If you’re reading this, then we have something in common. We’re often asked to justify the investment in information security with hard numbers. There have been few better allies in the fight to prove the need for cybersecurity spending than Ponemon Institute. They regularly produce meticulous, field driven studies on all aspects of privacy, data protection and information security. Recently they worked with IBM to release a report on the cost of data breaches around the world and broke down the factors that contribute to those costs. You can get the study’s full text online for free.
“There are massive issues with treating security as a set of policies and they can all be captured in one thought – security is a battle not a concept. If you go to battle with a plan, and never alter that plan when you find the facts on the ground have changed, you will lose. If the enemy gets your plan, then the enemy can counter it perfectly. If the senior generals feel the plan is done and the battle is won before the shots are fired, then there will be nothing you can do to get them to authorize tactics that may swing the tide when needed.”
“When you’re a security pro, there are a lot of conversations you’re accustomed to having over and over. There’s the ‘Yes, we should have the business review and approve security policy’ conversation. The classic ‘No, we can’t just give everyone all access to the share to make your life easier.’ There are some conversations, however, that most of us feel are already said and done. With all the breaches in the headlines that talk about stolen passwords, you would think the notion that passwords must be changed regularly is a pretty settled issue. I don’t expect someone to argue when I say ‘passwords should be changed regularly.’”
“Recently the FBI issued a warning about a rise in phishing attacks that are having a high success rate. The FBI is always tracking cyber criminals and how they are mounting attacks. What makes this one a little different is we can track it to a new trend in phishing – so called ‘CEO Fraud.’”
“In the punk anthem ‘Anarchy in the UK,’ the lyrics tell us that punks ‘Don’t know what I want / But I know how to get it.’ This seems exactly like today’s cyber bad guys. Most of the time they’re not even sure what they will get from your network, but they do know how to take advantage of the soft spots to gain access.”
“If you’re in the security business, then the only thing that could possibly be at the top of your mind right now is Apple vs. the FBI. Whether you look at it from a high level or in the technical details, the issues involved are complex and the implications are far reaching. Ultimately it all boils down to a simple question: Who can you trust?”
“Recently I spoke with an analyst who, when I mentioned the idea that we could take a sandboxing platform like FireEye and hook it up to an automated response, recoiled saying that would make him and most customers he speaks with very nervous. They have tried doing things like DNS shutdown and other malware remediation steps and have been burned as production work ground to a halt. However he immediately saw the difference when I walked him through the idea of simply rotating credentials at the point in time of an active attack as a response, a response that would cut off the attacker’s access to the privilege needed to succeed…”