Posts by Frederick Scholl
Don’t fall victim to BEC
Business Email Compromise (BEC) continues to be one of the most successful information security attack vectors. Criminals steal email addresses and passwords of C-level executives and then use this information to initiate fraudulent financial transfers from the executive’s employer to the criminal’s bank account. In this process the executive’s home network is also vulnerable. It…
Enterprise Risk Management and Information Security
Enterprise Risk Management (ERM) has been around at least since the days of the Trojan Horse. Information security risk management can learn much from ERM and avoid reinventing the wheel. The National Association of Corporate Directors (NACD) made this clear in the 2014 handbook Cyber-Risk Oversight. Principle #1 is to approach cybersecurity as an enterprise-wide risk…
Evidence Based Risk Assessment: Lessons Learned from the Y-12 Breach
My approach to risk assessment always includes analysis of actual breaches in an industry similar to the client industry. This is the evidence-based component of risk analysis. On July 28, 2012, three protesters broke into the Y-12 Highly Enriched Uranium Manufacturing Facility (HEUMF) in Oak Ridge, Tennessee. While you may not run a nuclear complex,…
First Conviction for Illegally Distributing Android Apps
Reuters reports today the guilty plea and plea agreement of Kody Peterson, charged with illegally distributing Android apps. The conviction was the first copyright theft case involving Android apps. The case was tried in US District Court for the Northern District of Georgia. The original charges are here. According to the US Attorney, the defendant obtained or created…
Locking Up the Ivory Tower
Universities are traditionally open, without all of the information security controls that are implemented in the corporate environment. Not surprising, given that the term university means community. It is hard to build community with overly restrictive security controls. Now, however, the New York Times reports that universities are under increasing attack from cybersecurity threats—“Universities Face…
Cloud Vulnerabilities
On May 31, the Cloud Security Alliance released a white paper entitled “Cloud Computing Vulnerability Incidents: A Statistical Overview”. This paper analyzes published cloud vulnerabilities reported in the news media from 2008 to 2011. A total of 172 unique cloud incidents were analyzed to determine root cause and attribution. The overall mission of the analysis was to…
More Security Lessons Learned from the Y-12 Breach
Our local newspaper, The Tennessean, recently ran a story on the Y-12 nuclear facility break-in last year. The defendants are now scheduled for a May trial in the Eastern District Court of Tennessee. This prompted me to review the Inspector General’s Y-12 security breach report for lessons learned. This report is one of the few published analyses of security…
Security or Compliance?
There is a debate among security professionals as to whether a strong compliance program or a strong security program best protects the enterprise. Arguments along the lines of "compliance is just satisfying a checklist" and "security is not compliance" are offered. Obviously compliance requirements must be satisfied, and often compliance programs help justify "security" programs and budgets. …
Home Disaster Recovery Planning
Many businesses today assume that their workers will work from home in the event of a disaster at the corporate offices. In fact, many workers are already telecommuting or working full-time in home offices. The widespread availability of broadband connectivity has made this possible. In many cases, corporate disaster recovery planning has not taken into account…
Cloud Computing: Trust but Verify
The rush to cloud computing has brought about amazing new services, but, without adequate vendor monitoring, businesses may be building digital supply chain risks that will show up later when cost and market pressures are felt by cloud vendors. We can learn from business processing outsourcing experiences. The New York Times reports today a $280K+ OSHA fine…