Enterprise Cyber Risk Management
Cloud Vulnerabilities
On May 31, the Cloud Security Alliance released a white paper entitled “Cloud Computing Vulnerability Incidents: A Statistical Overview”. This paper analyzes published cloud vulnerabilities reported in the news media from 2008 to 2011. A total of 172 unique cloud incidents were analyzed to determine root cause and attribution. The overall mission of the analysis was to…
More Security Lessons Learned from the Y-12 Breach
Our local newspaper, The Tennessean, recently ran a story on the Y-12 nuclear facility break-in last year. The defendants are now scheduled for a May trial in the Eastern District Court of Tennessee. This prompted me to review the Inspector General’s Y-12 security breach report for lessons learned. This report is one of the few published analyses of security…
Security or Compliance?
There is a debate among security professionals as to whether a strong compliance or strong security program best protects the enterprise. Arguments along the lines of compliance is “just satisfying a checklist” and “security is not compliance” are offered. Obviously compliance requirements must be satisfied and often compliance programs help justify “security” programs and budgets. …
Home Disaster Recovery Planning
Many businesses today assume that their workers will report to home in the event of a disaster at the corporate offices. In fact, workers are already telecommuting or working full-time in home offices. The widespread implementation of broadband connectivity has made this possible. In many cases, corporate disaster recovery planning has not taken into account…
Cloud Computing: Trust but Verify
The rush to cloud computing has brought about amazing new services, but, without adequate vendor monitoring, businesses may be building digital supply chain risks that will show up later when cost and market pressures are felt by cloud vendors. We can learn from business process outsourcing experiences. The New York Times reports today a $280K+ OSHA fine…
Background Checks May Not Be Enough
The NY Times reported on 2/15/2012 the amazing story of Edward Maher, the suspect in a $1.5M 1993 armored car heist in the UK. Recently apprehended, for almost 20 years he had been on the run in the US. He had a number of regular jobs, including eight years at Nielsen, the television ratings…
PERFECT SECURITY STORM FOR LAW FIRMS?
Mark Russinovich’s recent book Zero Day: A Novel tells an action-packed tale of international hackers; the action passes through a NYC law firm and brings the entire firm down. Great story, but it seemed a little farfetched when I read it. In the book, the entire fictional law firm grinds to a halt as a result of…
How Not To Be a Cyber Janitor
A recent blog post by Jeff Bardin (“The Proliferation of Cyber Janitors”) really resonated with me. He points out how much of the security industry is focused on incident response and breach notification. This started with CA 1386 in 2003 and more recently has become a requirement for breaches of health information (HIPAA/HITECH). While I don’t have…
SECURITY MEMO: IT CAN’T HAPPEN HERE, CAN IT?
I have always been a big believer in background checks for new employees. While many companies do this prior to hiring someone, some still do not and pretty much everyone relies on outsource firms to do the background check. Yesterday, January 30, 2012, the NY Times reported the case of a church worker within the Archdiocese of…
Don’t Forget Cloud Availability
Most assessments of cloud security risks highlight data integrity and confidentiality issues. But the business bottom line is service availability. With many of today’s cloud services being offered without warranty, users need to be cautioned before relying on that service. It is too easy to ignore the digital supply line that is behind the convenient…