Skip to main content

Corona Virus (COVID-19) Scams

By Cyber Security No Comments

Criminals seldom let a good opportunity evade their pursuits to further their criminal enterprises. We are beginning to hear from a variety of our customers that the COVID-19 scams have begun. Please educate your staff that these scams are coming in and they will cause you problems. Feel free to share this email: It is critical that while we are preoccupied with COVID-19, we do not allow criminals to profit from others’ tragedies!

Here are a couple of examples;

  • I received a call from the IRS and FBI (same call, one person) telling me that the US government cares about the success of my business; they wanted to give me money to help keep my business running. They needed my ACH information to send the money. Because it is such an emergency, they don’t even need an application.
  • I received a call from a customer last night stating that “A very legit-sounding lady” is calling their staff, saying: “Hello, this is Nurse Jen calling to follow up on your tests from yesterday. Unfortunately, you DID test positive for coronavirus. No need to panic but call us back with your credit card handy so we can overnight you your antibiotics. It’s important that you and any family or roommates STAY HOME. Call us so we can get you your meds and give you further quarantine instructions.”
  • There are also a ton of calls regarding the sale of test kits and other items that relate to this virus.

These scams are coming via email, text messages, online, and telephone calls. Please take the following precautions;

Personnel Related

  • Teach employees to avoid clicking links or attachments in email; they can use www.VirusTotal.com to test links and attachments.
  • Calls, text messages, and emails that sound too good to be true; usually are;
  • The government is not going to call you and ask you to provide account information so they can send money to you!
  • You do not likely have relatives in countries you cannot pronounce. If you have a relative who is traveling; contact him, her, or them directly through a number you KNOW to be accurate.
  • The government is not giving out free iPhones to help in communications.
  • If you are ill and you went to the hospital for a test, please check with the hospital directly. If they call you, make an appointment to go in.
  • Hospitals and real pharmacies are the only trustworthy source of anything medical.
  • Be wary of any link that purports to tell you anything about the COVID-19 virus. Please visit proper news sites; CNN.com, foxnews.com, msn.com, etc.
  • The Federal Trade Commission (FTC) says;
  • “Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or experts saying they have information about the virus. For the most up-to-date information about the Coronavirus, visit the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO).
  • Ignore online offers for vaccinations. There currently are no vaccines, pills, potions, lotions, lozenges or other prescription or over-the-counter products available to treat or cure the Novel Coronavirus disease 2019 (COVID-19) — online or in stores.
  • Do your homework when it comes to donations, whether through charities or crowdfunding sites. Don’t let anyone rush you into making a donation. If someone wants donations in cash, by gift card, or by wiring money, don’t do it. ”
  • Employees should validate any emails they were not expecting by calling the person.
  • Many of these emails have good indicators such as misspelled words, capital letters in places we do not usually place them, conflicting attachments (e.g. attachments that include an invoice and a contract. Shouldn’t the contract be in place prior to an invoice?), orders to immediately send money to someone who is higher up in the company than you, language problems (misuse of the English language), etc.
  • Any email that directs a person to make a payment should be validated by calling the person (at a phone number you know, not the one in the email) and validating their request. We recommend a company policy against the use of email for ANY transactional events; the email could be easily spoofed.
  • When in doubt, the users should have a known number to call for reporting the event; we recommend rewarding such reports. A simple $1 certificate and quarterly “Phish finder” award enables a positive reinforcement of good behavior.
  • We also recommend that users be trained that anytime an email, an embedded web link, or any other factor of an email requesting a password, they immediately report it and that they not provide their username and password.

System/Corporate Related

  • Incident response is CRITICAL; if you receive a report of a phishing attempt of another security issue; you must respond quickly.
  • While providing a complete Incident Response playbook is out of the scope for this alert, when dealing with these types of attacks, you should profile the attack and block anything that can be blocked. For example, I could block the domain the email came from, the website it is taking me to, the IP address range of the attacker(s), etc.
  • The information gathered, should be used to alert the rest of your company and to search for users who fell for the scam. For example, if there is an embedded link in the email, you can search your web proxy and/or firewalls to see who went to the site. You can search email proxies for who sent email to the person.
  • Any passwords that were shared with the criminals should be changed; many times, end users fail to tell us that they sent their password(s). You should ask them and ensure they know that they will not be in trouble if they tell you.
  • Have solid, tested backups of everything that is important to you. Please ensure that these back-ups are kept isolated from production systems and that they use different credentials.
  • Use web and email proxies to limit exposure to such attacks.
  • Keep systems patched.
  • Block VBA/Macro Code; preferably at the network level.
  • Ensure you have antivirus software installed on all systems, including all servers. Ensure that the definitions are current.
  • Do not have open shares set up. There should be no shared drives that allow “everyone” access. You should ensure that all folders allow only the people who need access to the folder have access.
  • Ensure that system admins log in as their normal (non-administrative) user and elevate privileges as necessary. Admins should avoid logging in as their administrative accounts to only those situations that REQUIRE this type of access.
  • Limit or block access to social media sites like Facebook; these sites are breeding grounds for such attacks.
  • Enable the system firewall; to properly protect the system.
  • Use application whitelisting; this methodology allows you to allow only approved applications. Allowing only approved applications ensures that users cannot run inappropriate programs.
  • Remove local administrative rights from end users.

If you need assistance, please let us know; we have decades of experience in these situations and have a fully established incident response team with the tools to assist. We also know how to limit the effectiveness of such attacks. We are here to help you!

https://www.cyberselfdefense.com/

https://www.linkedin.com/company/18025324

Online Child Safety

By Cyber Security No Comments

With many people working from home and many more children taking classes online, I had someone reach out to me about a KHQ news story I did a few years ago. I forgot about the story, but think it is very important to share it again.

Your kid’s (and your) homework tonight and tomorrow should/could be https://www.netsmartzkids.org/ or https://www.safeandsecureonline.org/

 # hashtagnews hashtagroundup hashtagcybersecurityawareness hashtagcybersecurity hashtagprotectyourfamily hashtaginformationsecurity

 

Ransomware Attacks Are Out to Get You!!

By Cyber Security, Defensive Tactics, Tutorials One Comment

Business owners, home computer users, executives, government officials, non-profit agencies, and employees who use computers; you will want to read and share this story; this article applies to you!

Response to Ransomware Attacks has become more mainstream, appearing in the news almost daily. A Ransomware Attack is when your data has been illegally accessed, encrypted, then the criminal demands payment for you to recover your data. This increase in Ransomware occurrences has uncovered a disturbing commonality; every organization, whether it be non-profit, for profit, government, etc…, has not proactively made any preparation for the attack. The most prevalent feedback? They never believed they would be attacked. They were too far off the radar to be in jeopardy. Sound familiar? These attacks, and the disbelief that follows happens in ALL vertical markets and all organization sizes, from small business to large enterprise, and everywhere in between; possibly even you!

With some simple planning, you can limit your attack surface. I just received a link to the following story; https://www.baltimoresun.com/news/maryland/politics/bs-md-20190508-story.html

The article starts off with;

“Baltimore Mayor Bernard C. “Jack” Young said all city employees were at work Wednesday as IT teams tried to recover from a ransomware attack, but that “everything that we’re doing, we just have to revert back to manual.”

Having a manual process is critical to your success and the City of Baltimore should be proud that they have such a process.

The article presents the idea that these attacks are unavoidable and are just going to happen;

“I don’t care what kind of systems you put in place, they always can find a way to infect your system,” said the Democratic mayor. “I know we’re going to do all we can to solve this issue and put up other protections.”

I don’t completely agree with this statement. There are many controls to put into place that will make it difficult for these attacks to be successful. I am confident that if you manage risk appropriately, you can make these attacks very difficult, if possible, at all. The truth is, we will never have perfect security, but if you manage risk appropriately, you will enable your business for success!

Cybersecurity EXPERTS know that our role is risk management. Our risk management techniques simply involve data and systems. The risks associated with ransomware are very manageable and should be managed to a level that limits your exposure to such attacks. The costs associated with this risk mitigation are minimal. The costs associated with becoming a victim are exponentially larger than the cost of the simplistic mitigation techniques. In addition, most organizations are completely or almost wholly stopped from performing their tasks, after ransomware hits. Understand, cyber-criminals are only successful because organizations make the choice, conscious or unconscious, to minimize the risk of being targeted.

Please, do not think that this is a one size fits all article, every company is different and has different risks, risk tolerance, processes, technologies, etc. My intent is to provide some of the most common risk mitigation techniques for these issues.

Most of you, if you are like me, are asking, “Where’s the secret sauce?” Well, here is the not-so-secret sauce;

  • It is important to block or limit access to publicly facing remote desktop protocol Services and other administrative access. If they are necessary, set access control lists or other filters to only allow access from you own systems and limit that to only administrators who have a need to access them.
  • Keep all systems and applications up to date. Look for vendor patches (updates) on vendor websites. Trusting 3rd party websites to download application updates could, and often does, lead to the installation of malware, capable of bring your business to its knees.
  • Strong Passwords MUST be used for any and all accounts. We recommend using a sentence for a passphrase (password). As an example; “CyberSelf_Defenseismygo2company4cybersecurity!”  NOTE: please do not use mine, choose your own.
  • Teach employees, families and friends to avoid clicking links or attachments in email; they can use VirusTotal.com to test links and attachments.
  • Have solid, tested backups of everything that is important to you. Your backups should be synced regularly to ensure up-to-date data if/when an event occurs.
  • Please ensure that these back-ups are kept isolated from production systems and that they use different login accounts.
  • Ensure they do not allow access (login) with your normal account.
  • Use web and email proxies to limit exposure to such attacks; web and email proxies are built into many of the antivirus solutions on the market. These are inexpensive and very manageable. A proxy simply tests the links and ensure that they are relatively safe.
  • Ensure you have antivirus software installed on all systems, including all servers. Ensure that the definitions are current; definition updates are released, at minimum, weekly and more regularly during a virus outbreak. We like BitDefender; let us know if we can help you get pricing.
  • Do not have open shares set up. These are corporate drives that allow everyone access. There should be no shared drives that allow “everyone” access. You should ensure that all folders allow only the people who need access to the folder have access.
  • Ensure that system admins log in as their normal (non-administrative) user and elevate privileges as necessary. Admins should avoid logging in as their administrative accounts to only those situations that REQUIRE this type of access.
  • Limit or block access to social media sites like Facebook, gambling sites, and anything that could be construed as pornography. These sites are breeding grounds for such attacks, as well as productivity vacuums. Most companies do not need their employees to have access to these types of sites.
  • Enable the system firewall to properly protect the system. I cannot believe how many companies shut their system firewalls off, as this is a line of defense that is effective add no additional cost for the protection it provides.
  • Use application whitelisting. This methodology gives you the ability to allow only approved applications. Allowing only approved applications ensures that users cannot run inappropriate programs. This methodology is even more important if your organization has outdated and unsupported systems, like Windows XP, on the network.
  • Remove local administrative rights from end users. Require them to get IT/Security approval for all software that is installed.

Listen, I know that not everyone will be able to do everything on this list. Again, we are risk managers and the more of these things you are able to accomplish, the lower your risk levels are. It is our belief, that if you do these things, you will place your risk at a lower level and will enable the business for success. Finally, when we talk about risk management, if you do not have a comprehensive risk assessment; one that you consult, every time you make a cyber purchase, you might as well be throwing your money into the trash! If your risk assessment is not comprehensive enough to help you in these situations, you should redo it. Your risk assessment should have told you that these attacks were coming and how you could have mitigated them.

NOTE everything I presented here, works on your home computers; home computers are frequently attacked! For more information refer to our recently posted article in the CDA Press at https://www.cdapress.com/local_news/20190519/hackers_make_enemies_of_local_cybersecurity_teams.


Cyber Self-Defense is an award winning holistic pure-play cyber-security solutions provider in North America and headquartered in Northern Idaho. The company’s diverse and talented employees are committed to helping businesses, governments and educational institutions plan, build and run successful security programs through the right combination of products, services and solutions related to security program strategy, enterprise risk and consulting, threat and vulnerability management, enterprise incident management, and training. Cyber Self-Defense represents over 50 years of combined experience within the cyber-security market, successfully helping the business community, regardless of company size, from Small Business to Large Enterprise. Here are some key differentiators;

  • We teach and mentor staff as we work. It is our hope that we can teach our customers how to defend themselves.
  • We build business through cyber-security versus hampering business with unrealistic security.
  • We use a risk-based approach to cyber-security that ensures an informed process for making purchases and decisions.
  • Our leadership lives by the mantra; “cyber-security does not need to be expensive, but it must be strategic.” This is important to Cyber Self-Defense, as we see companies spending money uselessly, purchasing tools that do not help to reduce risk.
  • It is our role to aid our customers in making decisions that effectively reduce risk and provide the best return on investment; versus hampering business with unrealistic security.
  • We have never and will never hire consultants. We hire professionals who have successfully built programs and “been in your shoes”. If you have ever dealt with a consultant, you know the real value of this point!

NIST 800-171 is being enforced!

By CISO-as-a-Service, CISO/Management, Cyber Security, Risk Management No Comments

In October 2017 I wrote how the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 required contractors to implement NIST Special Publication 800-171 by December 31, 2017 regarding data protections and safeguards around Controlled Unclassified Information (CUI).

Similar to the first implementation of the Healthcare HIPAA regulations, we did not see an immediate attempt to audit and enforce the requirements of the mandate.  I stated then that failure to follow the requirements would result in breach of contract with the government (Department of Defense).  After the publication of NIST 800-171, there were many questions around what constituted CUI. Furthermore, if you read the language in government contracts, you will see how ambiguous the definitions of data protection requirements really are.  We’ve discovered that most contracts do not always follow the requirements of the rule; see 252.204-7012 (a);

1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Many prime contractors have told us that they are waiting to see what enforcement steps would be implemented and/or until the regulations were fully ratified (The latest version, as of today’s date, can be found at; https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final and Revisions 2 will be published soon).  These “wait and see” companies felt their partial implementation of the regulation was “good enough.”  We have pushed existing and prospective customers on the fact that there are many risks beyond simply the contractual requirements to achieve compliance and that doing so early on could save them headaches, costs, fines, etc. in the long-term.  At Cyber Self-Defense, we’ve responded to many actual data breaches across many industries which were highly preventable, and we continue to encourage customers to become compliant as soon as possible.  We encourage our customers to get ahead of the curve and develop a risk-based cybersecurity program for the sake of enabling the business’ success; noting that compliance becomes easier and less expensive when done according to the needs of the business and implemented in a manner that is compliant with regulations and contractual requirements.

Well my friends, this discussion has just turned another corner!

In January of this year, the Under Secretary of Defense, Ellen M. Lord, sent a memorandum to a large number of organizations directing them to enforce the provisions of the contracts.  (Found here, https://www.acq.osd.mil/dpap/pdi/cyber/docs/USA000140-19%20TAB%20A%20USD(AS)%20Signed%20Memo.pdf

Lord asks these agencies to begin to audit ensuring compliance with the requirements.  Specifically;

To effectively implement the cybersecurity requirements addressed in DFARS Clause 252.204-7012 and NIST SP 800-171, I have asked the Director, Defense Contract Management Agency (DCMA) to validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012. Specifically, DCMA will leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, in order to:

  • Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
  • Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.

To ensure that a similar approach may be taken at companies for which DCMA does not administer contracts (such as the Secretary of the Navy’s ship building contracts), we will work with representatives of those communities to implement a similar solution.

So, what does this all mean?  We believe this will be similar to what happened with the implementation and enforcement of the HIPAA regulations.  Companies will wait for enforcement to begin, and there will be a mad rush to become compliant.  In the meantime, these companies will be the targets of cybercriminals, they will be the new “low hanging fruit,” and ultimately suffer the negative impact of a breach compounded by the heavy fines or contract cancellations.  We encourage you, if you are not following a cyber security plan which truly enables the business, to prioritize building a comprehensive program.  EVERYONE is an unfortunate target of criminals!

Please don’t delay. The longer you wait the greater the risk of non-compliance becomes. Let us help you solve the mystery of cybersecurity by assessing your current state program and designing and implementing compliance and data protection. Contact us today!

Government Vendors Beware, Are You Really Ready for NIST 800-171?

By Cyber Security No Comments

 

If you are service provider/vendor with government customers, then you need to know about the Defense Federal Acquisition Regulation Supplement (DFARS) 48 CFR 252.204-7012 – Safeguarding covered defense information and cyber incident reporting which requires compliance with NIST 800-171.

You have less than three months to be compliant with NIST 800-171.  For companies who have not started yet; you are way behind the times and have barely enough time to get everything up to speed if you deal with Confidential Unclassified Information (CUI) or Covered Defense Information (CDI).

As Cyber Self-Defense has heard from companies that they do not know where to go or how to accomplish this very daunting task, we felt that we should provide some guidance.  If this guidance still seems daunting, please let us know and we would be happy to assist your company in meeting these requirements.

Whatever you do, we suggest that you do take action and ensure that you are compliant; If you are not compliant by December 31st, it seems that you will be in breach of your contract with the government.

Cornell Law School publishes the regulation at; https://www.law.cornell.edu/cfr/text/48/252.204-7012; here are some key aspects of the law (please read the whole thing, on their site, if any of this applies to you);

(b)Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the you following information security protections:

(1) For covered contractor information systems that are part of an information technology (IT) service or system operated on behalf of the Government, the following security requirements apply:

(i) Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services, of this contract.

(ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract.

(2) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this clause, the following security requirements apply:

(i) Except as provided in paragraph (b)(2)(ii) of this clause, the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at https://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.

(ii)

(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at

os*********@ma**.mil











, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.

(B) The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.

(C) If the DoD CIO has previously adjudicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract.

(D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.

(3) Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.

 

NIST has published a slide presentation that can be found here; https://interact.gsa.gov/sites/default/files/Wed%20AM1-SSCA-09-02-2015.pptx.pdf

NIST 800-171 can be found here;  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

 

 

Cybersecurity Leadership (CISO): A Modern Approach to Cybersecurity

By CISO-as-a-Service, CISO/Management, Cyber Crime, Cyber Security, Defensive Tactics, Risk Management No Comments

Businesses have a corporate responsibility to secure their own and the information they have been entrusted with. Many companies believe that this is expensive, not their responsibility, etc. They also assume (usually incorrectly) that the IT department is handling cybersecurity. Most companies lack the talent necessary to build a security  program that is cost-effective, enables the business for success, and has the necessary depth. When the Cyber Self-Defense team speaks with companies, they tell us they do not know where to begin. Our answer to this issue is always the same; start by hiring the right talent to make you successful. CISO-as-a-Service® might be your answer!

Talent

At Cyber Self Defense, we often hear that cybersecurity talent is becoming harder and harder to come by. With the increasing level and complexity of cyber attacks, companies are looking for cybersecurity teams to help them to build their programs, yet job requisitions remain unfilled.

Trends

This is what we know;

  • Cybersecurity professionals are demanding more money.
  • Companies are creating positions that are vague, all-encompassing, and that fail to help them to build a comprehensive cybersecurity program.
  • Companies are electing to hire junior professionals who are unqualified to lead the program; with no strategic or leadership experience.
  • Companies are compromising on experience, qualifications, and other critical knowledge factors, just to get someone in the role.
  • Companies are over-spending on technology because they do not have the strategic outlook and risk-based approach which is so critical to any cybersecurity program.
  • Audit Pleasing- many companies build their cybersecurity programs to please auditors; they fail to see the need for true security. They also fail to see that a properly built program can be done at about the same cost of program meant only to “check the box”.
  • Companies add technologies that are just sitting in the racks.; we have seen situations where systems are installed with less than 10% of the features configured and used. Please see my article on “Blinky Light Syndrome”.
Common fears of hiring a CISO-as-a-Service®

1. Is the CISO-as-a-Service® a group of professional consultants who have no real-world experience?

  • The one thing we hear from our customers, when wanting to hire a CISO-as-a-Service® is that they tend to get “professional consultants”. It is important to hire companies who hire individuals with real leadership level experience building cyber security programs, while an employee of the company.
  • Professional consultants are great, but unless they have the practical experience of managing a program for an organization, they will struggle finding the correct balance between security and operations. They will also struggle with the political aspects of building a program.
  •  Any leader can tell you that there is a huge gap between the professional consultant and someone with full-time experience.
  • You should interview YOUR CISO and determine if he/she has the requisite knowledge and skills to make you successful. We enjoy having people interview us, as they would an internal employee. We would be glad to provide you with a resume of your CISO to show their qualifications.

2. Is there a conflict of interest, when a company comes in as a CISO and then sells us their other products and other non-related services?

  • It can be a conflict of interest if your CISO-as-a-Service® professional is a part of a large firm that sells products and other services; occasionally, they tend to push you to purchase their products, meaning the CISO might have not have your best interest at heart. Instead of being fully vested to ensure a purpose fit program for the company, he/she might be forced to push product and services.

3. How can a part time company build a program faster and cheaper than our internal employee?

  • A CISO-as-a-Service® professional hits the ground running with the tools, tricks of the trade, and other pieces of information that can make a huge difference in the overall successful delivery.
  • We have discovered that being a third party, your professional opinions are more likely to be considered. Many times, an internal person must deal with too many internal politics.
  • With a professional company, you do get the collective knowledge of the team. This benefit is critical to your success.

4. I am the acting CISO or want that job; I am the CIO and do not want to look bad; or I have other fears that this company will displace me, my team, or others and or damage my reputation.

  • As a consultant with experience performing in this capacity, it is our job to make you successful, based on your definition of success. Your CISO should ensure that your company is highly successful in all aspects of the process.
  • It is also our responsibility, as it would be in a full-time CISO, to ensure that we mentor staff and prepare them to take over for us.
  • We should be a core part of the TEAM that is designed to enable the company to succeed.

5. Is a CISO-as-a-Service® just going to come in, drop templates on my desk and have me implement them?

  • No unless they don’t want to succeed! This person should be YOUR CISO and perform is the SAME capacity, just on a part time basis.
  • Any templates or other tools that are brought in should be used as a starting point, above ground level, to allow a faster (controlled) implementation; No template is a one size fits all, it must be molded to your company. It must have an implementation strategy. It must be your company’s established program that is implemented through a formal process that follows your company’s normal flows.
Conclusion

A responsible company knows that to run their company correctly, they must have the correct leadership! Most companies would never ask corporate attorney to lead the IT department. At the same time, most companies would never place a paralegal into the corporate counsel position.

We believe that the same is true for companies who make the Chief Information Officer (CIO) in direct charge of cybersecurity. Most Chief Information Officers (CIOs) will tell you that they are not comfortable managing cyber security and IT at the same time; these can be conflicting. We’ve also found that companies who place a Security Analyst into the position of strategically building a cybersecurity program will fail to recognize a comprehensive, risk-based, and cost-effective solution that truly enables the business to succeed. Hire the right person for the job and you will reap the rewards of your decision.

We look forward to your feedback on our website; www.cyberselfdefense.org

CISO-as-a-Service®

Cyber Self-Defense was built as a result of a growing demand in the marketplace seeking out knowledge, expertise, and leadership in cybersecurity and risk management.  Our clients wanted us to bring in our templates, processes, experiences, and our collective knowledge and put it to work for them.  They wanted people who had built programs from the organically — from the ground-up. They wanted people who were known for enabling the business through cybersecurity efforts, not people who shut the business down with high costs and inappropriate rules. This is how we grew into a full-time business which has positively and directly contributed to the success of our clients.

Cyber Self-Defense has years of experience in reducing your cybersecurity risk and we would love to work with you on all your cyber risk needs. We make cybersecurity attainable for all organizations, without inhibiting your ability to work and make a profit. Cyber Self-Defense can be reached at: (866) CYBER-96 or on our website: www.cyberselfdefense.org

Life Imitating Art

By Cyber Crime, Cyber Security, Defensive Tactics No Comments

Years ago I remember Hollywood producing attempts at riveting yet profitable on-screen dramas which involved plot-centric cyber security elements resulting only in disappointment as they bore no resemblance to actual reality. Today as InfoSec becomes more mainstream there are now big and small screen serials involving a hacker protagonist or a cyber victim heroine. What I like about modern-day renditions is the themes and dialogue are no longer technically fictional. We live in the age of information and war is fought on the cyber battleground. Nothing is more relevant than the context of a personally identifiable subject. Still the Hollywood dramas, as realistic as they are, still leave a lot to roll your eyes at (or to cover your eyes at). Read More

Blinky Light Syndrome

By CISO/Management, Cyber Crime, Cyber Security, Defensive Tactics, Risk Management, Tutorials No Comments

Far too often, I meet companies who are excited when I arrive. They pull me into their data center and show me their new KYZ 5000 and go on to explain that it has ended all of their cyber security concerns. I review the device and find out that it is plugged in and has a flashing light somewhere in the front and that is the end of the story. Other times, I go to a site and find that the company has just purchased an ABC 1000; plugged it in, turned it on, and perhaps even configured it.

In both cases, I tend to ask what problem(s) the piece of equipment is solving. Most of the time, I hear a story like; “Mike, you don’t understand, Joe down the street just bought one and it has solved all of his problems!”

Unfortunately, I find that these are simply impulse buys or worse, auditor pleasers. When we actually take a look, they are not working the way the purchasing company believes they are working. I frequently ask the company’s representative how this purchase has helped to lower the company’s risk. They usually give me a blank stare and asked what I mean. I usually ask to see the company’s risk assessment. The person then goes into panic mode and begins a hunt for the risk assessment. After finding the risk assessment (and knocking a year’s worth of dust buildup off), I ask how the purchase has reduced the risks listed in the assessment.

Risk Assessment

It is usually at this point that I must explain that the risk assessment is designed to help organizations manage their security spend, the effects of security on the end user, and the true need for security. After reviewing the risk assessment together, we usually agree that had the organization used the assessment as it was intended, the same spend would have reduced risk a great deal more than the purchase of the equipment; perhaps the piece of equipment reduced the risk by .5% and spending the money wisely would have reduced risk by 30%.

Cybersecurity experts MUST be risk managers. They MUST ensure that the security program is being managed to enable the success of the business. When we do not use our risk assessment to perform our duties, we run the risk of over spending, over protecting, or simply wasting time, money, and resources. It is also crucial for us to understand that our roles require that we understand all methods of treating risk. Many, in our community, believe that we must throw technology at everything and that it will solve all. Even the vendors (at least the honest ones) will tell you that their technology is one part of an overall strategy.

Many would agree that their technology must be fully implemented from a technology configuration, policy, procedure, and corporate strategy standpoint; having the equipment plugged in, whether configured or not, is only one piece. On that same note, the technology MUST work in harmony with all other security strategies. I have yet to find a tool that will solve all Information security problems; as cybersecurity experts we must layer our approach to cybersecurity. Our approach MUST include training, risk management, policy procedure, company buy-in, and technology. Note that technology is last; without the first pieces, you have (BLS) Blinky Light Syndrome.

Blinky Light Syndrome (BLS) describes a device that is plugged in, turned on, but not doing what the owner thinks it is doing or what the owner wants it to do. It can be used to describe either of the scenarios I covered at the beginning of this article.

Conclusion

In conclusion, a risk assessment is not just used once a year, to show auditors that you have it. It is a tool that takes on a living role in your success as a cybersecurity expert. It grows with you, as you add new processes, technologies, or the business changes; the risk assessment grows. As your company divests, the risk assessment should be consulted and adjusted to reflect the changes. When you purchase new security tools, your risk assessment should aid you in determining exactly how the solution will need to be set up and configured. At Cyber Self-Defense, we make it our business to help your organization to steer clear of Blinky Light Syndrome and equip you to truly be secure!

 

Your Board May Need a Cybersecurity Expert

By Cyber Security, Risk Management No Comments

The Cybersecurity Act of 2017 introduced in March sponsored by three bipartisan senators applies pressure to organizations by requiring disclosure of cybersecurity expertise serving on the board of directors. The legislature, if enacted, would enforce this disclosure first to public companies but sends a clear message that information security and cyber risk management is a much needed, but lacking, skill for global commerce. Read More