Tag: CISO

Figure 1: Bug types across valid submissions shows a decline in low value bug types such as clickjacking, and steady submissions in XSS and mobile bugs.  XSS, SQLi, and CSRF are among the OWASP “Top Ten”, with reams of documentation, tutorials, code samples, and tools capable of discovering these bugs before applications are introduced to the wild. One…

The recently released F5 and Ponemon report, “The Evolving Role of CISOs and their Importance to the Business,” unearthed some disconcerting results about CISO effectiveness. In particular, the following survey question spoke to this point specifically: Are security operations aligned with business objectives? Fully – 26% Partially – 34% Not – 40% Surprisingly, only a quarter of…

Depending on third parties is inescapable. Every organization needs software, hardware, Internet connectivity, power, and buildings. It’s unlikely they’re going to do all those things themselves. That means that organizations must be dependent on others outside themselves. With that dependence comes risk. F5 recently partnered with Ponemon Institute to survey CISOs. In the report, The Evolving…

In part I of this series, I explored some of the issues surrounding the fact that we have managed to build networks so large and complex that it is essentially impossible to grasp any significant fraction of network activities without asking for help from… the network itself. In this installment, I delve into some actual techniques…

Destruction, loss of data, intellectual property theft, fraud, embezzlement, disruption to business, restoration—globally, the costs of dealing with hacking, which were estimated at $3 trillion in 2015, are projected to double to $6 trillion annually by 2021.1 Yet under US law, it’s illegal to attack the hackers back. Way back in February, a Georgia Republican…

Executives are slowly but surely recognizing the ramifications of providing the wrong answer when asked the questions: “Prior to the breach, did we train our employees in the acceptable use of company assets? Did we train them about what they could and could not do?” Do you work for a company that requires employees to sign…

Information Security Controls are the bread and butter of audit professionals, the bane of developers, and the playground of security professionals. From a business perspective, they provide a means for enabling business resiliency by protecting and reducing the risk associated with the threat landscape. Insofar as the concept of defense in depth is embraced, it’s…

Back in September, I had the honor of moderating a panel session in Hong Kong under the theme of “Is Cybersecurity the Hidden Achilles of Hong Kong’s Digital Economy?”. At that time, China, the world’s leading bitcoin exchange market accounting for 90% of trading worldwide, had nevertheless announced that it was shutting down bitcoin and cryptocurrency exchanges, calling…

On January 9th, 2005, the Donttrip malware infection hit Northwest Hospital,1 a large medical facility in Seattle that served thousands of people. The malware clogged up the hospital’s network systems with surges of exploit network scanning. Medical operations ground to a halt as laboratory diagnostic systems couldn’t transfer data, Intensive Care Unit terminals went offline,…

Strong security starts with understanding exactly what you need to protect and where it resides within your organization.