Security: A Game of Risk Management

Take the best, deepest breath you can. Now, stop breathing. Sure, you’ve mastered the art of breathing, but that doesn’t mean you should stop doing so. No matter how great your last breath, or your last meal was, you will still need another one in order to survive. That is how security is for businesses. No matter what security you have in place today, your job isn’t done. Security is an ongoing process of risk management.

Rogue Refrigerators and Critical Infrastructure

Several weeks ago, Proofpoint announced that their investigation of a major cyber-attack launched in late December 2013 uncovered the use of more than 100,000 malware-infected consumer devices as the source of malicious email. The devices included “home-networking routers, connected multi-media centers, televisions and at least one refrigerator”. As the Proofpoint announcement noted, this appears to…

Architecting an Anti-Fragile Smart Grid

In the ramp-up to the European Smart Grid project that I’ve mentioned in a number of earlier blogs, I often find myself paying particular attention to the security implications of energy-related events in the daily news. Because the massive power outages in the United States during the recent “Polar Vortex” occurred during my recent visit there (fortunately not affected by the outages!), I found myself thinking about the implications of those outages for Smart Grid, particularly in terms of resiliency, robustness and anti-fragility.

Applying Systems Thinking To Security and Safety

One of the invited papers at the ACSAC conference in New Orleans last week was by Dr. Nancy Leveson on “Applying Systems Thinking to Security and Safety”. I had arrived in New Orleans very late the night before and wasn’t sure I’d be up for an 8:30 presentation. But I’ve been interested in systems theory…

Hastily Defined Networks and Planning for Disaster

I gave the closing presentation recently at the Judgement Day 8 cybersecurity conference in Bratislava, Slovakia. It was an interesting forum, with presentations earlier in the day by folks from F-Secure, Checkpoint, IBM, McAfee, HP and Cisco. Of these, the presentation by Michal Remper (Cisco) was particularly interesting, a discussion of the “Hastily Defined Networks” that Cisco has provided in a number of crisis situations, including in the aftermath of Hurricane Katrina. At the end of his presentation, Michal summarized a few lessons from the Cisco experiences in cases such as this. Although he didn’t put it quite this way, one of the key lessons was that however hastily the emergency network has to be provided, it is vitally important to have it well thought through and well-defined before the emergency occurs. In fact, the lesson I came away with was that what’s needed is Not-so-hastily defined networks. But is that really possible? Are there disasters that we simply can’t plan for and that will always require the flexibility to create hastily-defined responses?

The Danger of Denial

I was very surprised recently, in a conversation I had with someone I used to work with, to hear him remark that he didn’t think there is any such thing as stealthy, targeted attacks. His comment was something like “those warnings about APTs, targeted attacks, whatever you want to call them, is just a distraction…
Dissecting a Cybercriminal Heist – Podcast #248

In May 2013, the U.S. Dept. of Justice indicted several members of a cyber criminal gang allegedly responsible for the largest coordinated cash heist from thousands of ATMs across 26 countries. The scheme netted more than $45 million in less than a week and has the banking industry reeling at the manner in which this…

Introducing The SBIC Blog — Strategic Guidance from Global Security Executives

Imagine if you had regular access to a group of top-notch advisors – security leaders from some of the world’s largest brand-name companies – to help you build your security strategies? Companies like Coca-Cola, Fed-Ex, Intel, Johnson & Johnson, JPMorgan Chase, SAP and Walmart. For the last five years, the Security for Business Innovation Council (SBIC) has been publishing reports which deliver actionable recommendations from some of the world’s most accomplished security leaders. Given the immense challenges in information security today, we know that practitioners are hungry for more guidance based on real-world experiences and lessons learned. This new SBIC blog provides increased access to Council members’ valuable insights.

Groove Theory of GRC – Postulate #1: Musicality or Performance?

Welcome to my second in a series of blogs based on what I term “The Groove Theory of GRC.” As you may or may not know (or infer from this series), I have been a musician for much of my life. Starting in grade school playing in the school band, I have enjoyed the gift of making music over many years. While I am no longer a “gigging” musician, I still pick up my craft and noodle at home often. One aspect of making music that I have enjoyed is the debate between musicality and performance. Is a great musician guaranteed to be a great performer? Are all great musical performers talented musicians?

Cybersecurity@EMCworld 2013: Transforming Trust

The application of Big Data analytics to security has resulted in a transformation not only in detecting and responding to threats. It also transforms how we establish and evaluate trust, based on understanding risk rather than expecting absolute security. This transformation doesn’t just affect security professionals. Understanding trust is critical for many of the topics that are explored at EMCworld, including cloud, virtualization, storage and document management. Understanding trust can help in enabling new business opportunities, finding more effective operational processes and working more effectively with partners.