Archive for the ‘Resilience’ Category

A change to the cyber risk landscape

On June 27th 2017 a cyber-attack called ‘NotPetya’ was launched against a large number of firms. The attack was notable for three reasons;

  • it used a third-party software update mechanism to spread,
  • it was a geopolitically motivated destructive attack that caused extensive damage to uninvolved bystanders
  • it used automated techniques that previously were only associated with sophisticated manual attackers that reduced the time the attack took to spread across networks from days to minutes.

This has crystallised a potential cyber risk that has been a concern for some time such that untargeted and destructive attacks would become as sophisticated as manual attacks by highly capable threat actors.
(more…)

Do CISOs have a higher calling?

I believe the security profession is coming close to an inflection point. The growing dependence on technology in our increasingly digital societies, the systemic and personal harm that data breaches can cause and the real world consequences of failures in an IoT-driven physical environment mean that security failures are no longer just an interesting news item or a regulatory concern. They matter.

WannaCry and it’s impact on the NHS is a strong example of how lives can be harmed and disrupted as an unintended outcome of digital criminality.
(more…)

Not so basic but definitely essential.

We keep talking about new shiny, and increasingly fragile, controls that will prevent attacks or fiendishly clever algorithms or AI to which we can outsource all that hard or fast thinking we’re not good at but we are all still staring down the barrels of a loaded data breach gun waiting for it to go off. The thing is we seem to be holding that gun to our own heads and it’s not like we don’t realise. All the talk of ‘basics’, ‘essentials, ‘foundations’ points at a relatively common set of issues usually focused on some combination of the following:

  • IT Maintenance (patching, replacing end-of-life platforms, inventories, baseline builds etc),
  • Network security (internal segmentation),
  • Access Management (efficient joiners, movers, leavers processes, privileged user management)
  • Security Monitoring (effective visibility),
  • Incident Response (tested plans, exercised staff)

(more…)

Cyber Resilience: Part Six Recommended Reading

 

Here are the sources used when developing the thinking behind this blog series:

(more…)

Cyber Resilience: Part Five What next?

Cyber resistance clearly requires leadership and operational intervention from specialised cyber professionals.  However, Cyber Resilience requires a broader institutional response that encompasses all aspects of the business.  As such, it needs to be owned by the entire executive management of an organisation.

The Department encourages all institutions to view cyber security as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology.” Benjamin Lawsky, Superintendent of Financial Services, New York State Department of Financial Services, December 2014

(more…)

Twitter RSS