Wednesday, October 30, 2013

How and why is the Chief Information Security Officer role evolving?

A new standard for security leadership

How can security leaders help achieve business objectives?

Am I doing enough to protect our enterprise?

How can I measure success?

These questions come up time and time again for Chief Information Security Officers (CISOs) and other security leaders. Just as technology constantly evolves and threats shift, the needs of the business change with regards to security and risk. Security leaders have to constantly reassess, adjust, and improve their skills. Those with the right combination of business practices, technology maturity and measurement capabilities are evolving into more versatile security leaders.

Download the full graphic version from here.

Monday, October 28, 2013

Collaboration among various sectors is a must for protection against cyber-attacks

The more information sharing sectors can facilitate, the more effective the fight against cyber-attacks will be

Sharing information about cyber-attacks is making a difference in the banking sector, helping bring criminals to justice and curbing fraud losses. And other sectors should learn from banking's example.

It's important for information security professionals to continue their efforts to get senior executives to buy in to the need for cross-industry collaboration. Informal sharing of cyber-intelligence has for years been a common practice among cybersecurity warriors in the trenches.

This type of information sharing, however, has often gone on in the background without the knowledge of upper management. That's because many executives are fearful of revealing too much, or of sharing their security vulnerabilities with competitors. But that attitude is, slowly but surely, changing.

What's more, the intelligence the financial industry has gathered over the last 12 months about al-Qassam and other attackers was shared with law enforcement, government and others. In fact, much of the information federal investigators gather about cyber-espionage and cyber-attacks comes from the financial sector first.

Those kinds of partnerships are needed in other industry sectors as well. Cyber-attacks affect numerous industries, from hospitality and retail to healthcare and government. The more information sharing these sectors can facilitate, the more effective fraud-fighting efforts will be.

Wednesday, October 23, 2013

Aligning Security with GRC

How to Leverage GRC for Security

Governance, Risk & Compliance (GRC) has long been viewed as a framework for tracking compliance requirements and developing business processes aligned with best practices and standards. It plays a strong role in helping security teams understand the business and protect the organization from threats.

But now, more security professionals are turning to data collected by GRC tools for insights into the organization's processes and technologies. The insights gained can help them to develop better controls to protect the organization from cyber-attacks and insider threats.

As part of GRC programs, organizations document processes, specify who owns which assets and define how various business operations align with technology. Security professionals can use this information to gain visibility into the organization's risks, such as determining what servers are running outdated software.

GRC programs collect a wealth of information and insights that can be valuable to security professionals as they manage risk and evaluate the organization's overall security posture. GRC provides the business context necessary to improve areas such as asset and patch management, incident response, and assessing the impact of changes in technical controls on business processes.

Asset Inventory

Many compliance programs, including those for PCI-DSS [Payment Card Industry-Data Security Standard], require organizations to extensively document each asset and identify who uses it for what purpose. The documentation includes information about which business processes rely on which hardware and software. Mapping a piece of technology to a particular business function makes it possible to better identify the risks and the impact on operations if that technology is compromised.

The inventory process may identify equipment that the IT department was previously unaware of. By understanding the business processes that rely on that equipment, security teams can decide what kind of firewall rules to apply, better manage user accounts and learn what software needs to be updated. Understanding who the end-users are and how the asset is being used helps security teams assess how to prioritize the risks and plan how to reduce them.

Security professionals can use GRC programs to understand how technology maps to certain business processes and functions, says Mike Lloyd, CTO of Red Seal Networks, a network security management company. This information can help them figure out what the key threats are and identify ways to mitigate that risk, he says.

Incident Response, Controls

Security professionals can also use GRC to improve information sharing across the organization and streamline incident response. For example, because GRC makes it clear what kind of business processes depend on which assets, security teams have a clear path of who should be notified when there is a security event. Incident response teams can also look at all related processes and be able to identify other assets they should investigate to assess the magnitude of a breach.
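As an added illustration (not code from the original post), the script below joins a constructed GRC-style asset register to business processes, as the Asset Inventory and Incident Response sections describe: it ranks outdated software by business impact, and for a compromised asset it lists who should be notified and which related assets share its processes. All asset names, owners, products, versions and baselines are made-up sample data.

```python
# Added example: a minimal GRC-style asset register mapped to business processes,
# used to (1) prioritise outdated-software risk by business impact and
# (2) build an incident notification and investigation list. Sample data only.

from collections import namedtuple

Asset = namedtuple("Asset", "name owner processes software version")
Process = namedtuple("Process", "name criticality owner")

# Constructed register: hypothetical processes (criticality 1-5) and assets
PROCESSES = {
    "card-payments": Process("card-payments", 5, "cfo@example.test"),
    "hr-payroll": Process("hr-payroll", 3, "hr@example.test"),
    "marketing-site": Process("marketing-site", 1, "cmo@example.test"),
}
ASSETS = [
    Asset("web01", "it-ops@example.test", ("card-payments", "marketing-site"), "httpd", "2.2"),
    Asset("db01", "dba@example.test", ("card-payments",), "mysql", "5.1"),
    Asset("hr01", "it-ops@example.test", ("hr-payroll",), "httpd", "2.4"),
    Asset("print01", None, (), "cups", "1.4"),  # found by inventory; no owner or process yet
]
# Constructed patch baseline: minimum acceptable version per product
BASELINE = {"httpd": "2.4", "mysql": "5.6", "cups": "1.7"}

def _ver(v):
    return tuple(int(x) for x in v.split("."))

def impact(asset):
    """Business impact = highest criticality among the processes the asset supports;
    an unmapped asset gets a default of 2 so it is not silently ignored."""
    crits = [PROCESSES[p].criticality for p in asset.processes]
    return max(crits) if crits else 2

def patch_priorities():
    """Outdated assets, highest business impact first: (asset, product, impact)."""
    outdated = [a for a in ASSETS if _ver(a.version) < _ver(BASELINE[a.software])]
    return [(a.name, a.software, impact(a)) for a in sorted(outdated, key=impact, reverse=True)]

def incident_scope(asset_name):
    """For a compromised asset: who to notify (asset owner plus process owners) and
    which related assets share its business processes and should be investigated."""
    victim = next(a for a in ASSETS if a.name == asset_name)
    notify = {victim.owner} | {PROCESSES[p].owner for p in victim.processes}
    related = sorted(a.name for a in ASSETS
                     if a.name != asset_name and set(a.processes) & set(victim.processes))
    return sorted(o for o in notify if o), related
```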

Security professionals must understand the need to move away from a technical view of risk to a more strategic one when evaluating and deploying controls. They should evaluate how certain technical controls, while improving security, can impact business functions, and make necessary adjustments.

GRC enables security professionals to "draw a line between what security tasks are necessary and what the business is concerned about."

Tuesday, October 22, 2013

How Would People React and Deal with an Attack on the Electrical Grid?

Could a cyber attack destroy the electrical grid and leave the nation powerless and in the dark for days, weeks or even months? Would we be prepared, or would chaos ensue?

On Oct. 27, National Geographic will premiere “American Blackout,” a movie that tells the story of a national power failure in the U.S. caused by a cyber attack. The film is told in real time, over the span of 10 days, by the characters depicted in the film who kept filming on their cameras and phones. It will air on the National Geographic Channel.

According to Richard Andres, a consultant for the film, the threat isn’t all that far-fetched. “This was a dramatization of something that is not unrealistic. We don’t need to be this vulnerable. But the first step is people need to be aware that this is a problem.”

The film depicts a nationwide power outage caused by a cyber attack, seen from the points of view of different characters affected by the blackout. The characters include a doomsday prepper family, a family awaiting the birth of their second child, and a group of college students stranded in an elevator.

As depicted in the movie, ATMs would not work and neither would credit cards. Andres said that 20 years ago people were more reliant on cash, which would be able to keep commerce going. But now people are more reliant on virtual money, which would stop commerce.

Andres consulted on the film and reviewed the script for elements of realism. He told the creators which scenarios he believed were realistic and said he thought the movie put the experience into terms the average viewer could relate to. Although many families are not prepared for an event like this, the doomsday preppers in the film had enough food to last them two years. While he wouldn’t say whether that was extreme, Andres said food and water are essential and he would advise people to have more than three days’ worth on hand at any given time.

Sunday, October 20, 2013

Basic Tips to Protect Your Mobile Device

Mobile owners should pay attention to mobile device safety!

Mobile communication has never been this cool: beyond traditional SMS and call features, we can now enjoy a desktop experience via smartphones and tablets. However, aside from the health risks associated with excessive use of cell phones, the advent of mobile internet has raised the security risks too.

Most of us protect the hardware and exterior of our phones, but do not put enough effort into protecting the OS and contents of our phones from hackers and from strangers who get hold of our misplaced or stolen smartphones.

Allow me to share some tips that I think will give basic protection, so that private photos or videos, debit/credit card credentials, and other private information will not be at the mercy of other people.

  • Use a password to unlock your phone, make a purchase and open a file (if available). The inconvenience it’ll bring is nothing compared to the risk involved.
  • If available, activate the “find my phone” feature of your phone.
  • If available, activate the feature that can remotely erase the contents of, or reset, your phone.
  • If available, activate a “kids safety” feature on your phone. This will prevent your kids from accessing apps that are not kid-appropriate, or from accidentally altering the configuration of your phone or erasing data.
  • If available, use an anti-virus solution for your phone.
  • Take precautions when connecting to public hotspots.
  • Do not click links attached to an email, direct messages, or status updates in your timeline without first verifying with the sender. These links often download malware or grant permissions to hackers.

As a general safety reminder, remember that the currency we use to pay for the “free” apps and games we download is the information associated with our account; this may include our location and contacts. Please read carefully the privacy policy and terms of service for each app.

Thursday, October 10, 2013

Creepy Way Facebook Advertisers Use You!

How Facebook Is Using Your Photos in Ads

Gmail isn't the only online platform guilty of repurposing your photos. Facebook and its advertisers, too, have become really good at using your image to inspire your friends' confidence in the products they are pushing.

A friend who recently experienced this said, "I did not realize that 'friending' [a company on Facebook] to get coupons probably means I've agreed to be used in their ads. Seeing a friend's picture [used this way] makes me suspicious my picture is doing the same thing on other people's Facebook pages."

What I find particularly interesting is the way Facebook explains away its practices with this statement (which you can see for yourself if you follow the prevention steps below): "Everyone wants to know what their friends like. That's why we pair ads and friends."

Fortunately, there is a way to stop Facebook from using your profile picture in advertisements.

1) Go to "Privacy Settings".
2) Click on the "Ads" tab on the left-hand side.
3) In the Third Party Sites section, click on "Edit".
4) In the drop-down menu, click "No one" and then "Save Changes".
5) In the Ads & Friends section, click "Edit".
6) In the drop-down menu, click "No one" and then "Save Changes".

NOTE: You cannot opt out of receiving Sponsored Stories, which are essentially another type of ad. If you like a story on a brand page or share that you engaged with a brand, that brand can pay Facebook to ensure that it shows up in your and your friends' timeline feeds.

Tuesday, October 8, 2013

How Much Information Are You Leaving Online?

Do you ever feel like you're being followed?

Perhaps that's because you are. While it may not be the boogeyman who's hot on your trail, there are many groups of watchers who have made it their business to know as much about you as possible.

Each day, we are tracked by the 'smart' systems, mobile apps, personal communication devices and other surveillance platforms that have become commonplace in our daily lives. In an effort to educate more people about the data trails they are leaving behind (and the companies, data bureaus and marketers who are sniffing out that trail).

How comprehensive are the profiles Google is capable of building from all the information we voluntarily share?

How valuable is your online information to burglars?

Notice all they can get from *your* social network sites, and from those of your friends, family and co-workers. Be aware of what you put out there!

For those of you in charge of or influencing your company privacy policies, consider how you are gathering and sharing your customers' data. Are you doing so in a manner that is transparent and compliant?