#CyberFLASH: Data-driven defence will best protect enterprises, says expert


Tunnel vision is a phrase that describes looking too narrowly at a problem. To use a cliché, you don’t see the forest for the trees.

Infosec pros suffer from it as well, Roger Grimes, principal security architect in Microsoft’s information security and risk management practice, said at this month’s SecTor cyber security conference in Toronto.

Often all they see is a myriad of threats in front of them every day instead of concentrating on the ones that are most likely to pierce defences.

In short, he argues that what CISOs need to do is create a data-driven defence.

After the conference we caught up with Grimes and asked him to expand.

“I get hired to do penetration testing and in the last 20 years I’ve broken in in an hour or less, except for one company that took me three hours.” he said – and he considers himself an average attacker .”In attacking I’m not that great, but I can break into anything. The reason why is they just don’t do the simple things they should do – the stuff they’ve been told to do for 30 years: Patch, and don’t get tricked into running things they shouldn’t.”

“Most companies for one reason or another really aren’t trying to defend against the right things. The vast majority of corporations could significantly decrease the chance of attacks against their companies by better patching just a few programs and (with the savings) giving their employees better anti social engineering training. Yet companies spend millions of dollars on things that are absolutely not going to work because they don’t fix the two biggest elephants in the room:” Awareness training and patching most commonly exploited programs.

Read more here

#CyberFLASH: How to craft a threat intelligence strategy

a-woman-uses-her-computer-keyboard-to-type-while-surfing-the-internet-in-north-vAn increasing number of CISOs are realizing the value of threat intelligence to protecting the enterprise, helping the infosec team doing the day-to-day defending. But if you don’t already have a unit/person assigned for doing this it may be daunting to start.

Adam Meyer, chief security strategist at SurfWatch Labs has written a useful two-part series for chief security officers who haven’t yet taken the plunge. In the first part he notes that leaders have to decide what is the goal of the data collection, what and how it should be collected, what finished, refined intelligence product should be produced, how and who it it should be delivered to and how should it be consumed.

The CISO also has to decide whether what is wanted is all or a combination of tactical, operational or strategic threat intelligence.
The second part talks about the two parts of a threat intelligence strategy: A collection plan and a management plan.

The collection plan is obvious: It has to define priorities and needs, sources of intel and what decision-makers need. Why a management plan? Because, writes Meyer, intelligence is not a project but a capability that needs to be run like a program. So the management plan looks at who will be the intelligence analyst(s), tools to be used, how managers make requests to analysts. and if the deliverables are useful.

If you are thinking about adding threat intelligence to your weapons these two columns are a good place to start.

Read more here

#CyberFLASH: Private sector should lead Canada’s cyber security strategy, say experts

Local Input~ FOR NATIONAL POST USE ONLY - NO POSTMEDIA - Hacker using laptop. Lots of digits on the computer screen. Credit fotolia.In the global war against crime Canada is one of a number of countries with a national cyber strategy, aimed at strengthening important departments and working with the private sector to shore up critical infrastructure.

But two security experts told a conference Thursday that businesses, not Ottawa, should be leading the charge.

But they also laid the blame for the country’s poor cyber security at the executive floor.

“We (infosec pros) feel it’s difficult to convince upper management something should be done,” Jason Murray, senior manager for cyber security at consulting firm MNP LLP, told the SC Congress conference in Toronto on Canada’s cyber strategy. “They’re not listening to us. They get it, they just don’t need to do anything about it.

“They’re accumulating technical debt. Every year they don’t spend enough on information security they’re adding to the debt and hoping that when the debt comes due they’re not around to take the fall … The market should punish these people, just like they were accumulating financial debt… and they would go out of business.”

However, he admitted, few companies – even those suffering huge breaches like Home Depot – lose customers over the long term.

But he also complained organizations “are not doing the basic hygene stuff… I go in there (to customers) and assess against the PCI (Payment Card Industry security) framework or the critical controls framework … and they’re scoring 40 per cent at best.”

Read more here

#CyberFLASH: Cyber security isn’t only about technology

shutterstock_155341358-e1424466092891Most experts maintain security involves a combination of people, processes and technology. However, too often infosec leaders focus on technology because it’s the most tangible thing — plug this hole with this solution and things are better.

A report released this morning by Intel Security argues that encouraging security and IT teams to work together will improve preparedness and overcome the cybersecurity skills shortage.

A survey of 565 security decision makers around the world including some Canadians found organizations believe they could become 38 per cent to 100 per cent more effective if their threat management and incident response personnel would collaborate better. That may seem obvious but in the rush to face an intrusion teamwork sometimes gets ignored.

“This collaboration could take the form of workflows and data sharing among people— formerly siloed IT and security teams—as well as integration and automation of controls, policies, and processes to improve operational efficiency,” says the report.

Coincidentally, former White House CIO Theresa Payton penned a column this morning that also argues throwing more hardware and software at the problem wasn’t the first solution. “Our security protocols were meaningless if we made them too difficult for people to do their jobs,” she writes.

Payton says there are three smart steps an organization can implement now to reduce the threat of a breach: Have the CISO establish a kill switch that stops a breach in its tracks but enables the organization keep working without compromising security or privacy; have the CISO segment the top two critical digital assets to protect them; and have the CEO commit to putting security and innovation on an equal footing.

You might also want to think about this blog by Tripwire president Gus Malezis on the so-called five monkeys on the CISOs back including the likelihood of an intrusion, the skills gap, and the soaring number of endpoints thanks to mobility and the Internet of Things. His prescription: Manage and mitigate risks through risk assessment, adopting a standards-based security framework such as NIST, Gartner’s PPDR, CIAS or ISO 27001, and continuous monitoring and calibration of security and compliance programs.

Read more here


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.