[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* A Guide To Three Types Of DIY DDoS Protection
* Schneider Electric : Publishes New White Paper on Cyber Security Issues Affecting Data Centre Remote Monitoring
* Building a Business Case for Security that the CFO Can Understand
* 14 business impacts of a cyber attack
* Cyber-crime cost calculation studies are rubbish: ENISA
* Australia sets up specialist cyber unit to trace terrorism payments
* FBI Agent to CHIME/AEHIS LEAD Forum: Healthcare Leaders Still Not Up to Speed on Basic IT Security Tasks
* Go for Gold by Transforming Compliance Into Data Security
* Using ISO 27001 to improve your information security posture
* Breathing new life into SSL VPNs: Making the most of the security benefits
* Advice for the modern CISO
A Guide To Three Types Of DIY DDoS Protection
The first of the two effective DDoS protection types is on-premise, which is an approach that puts hardware appliances inside of a network, positioning them in front of protected servers.
The DDoS protection is literally on the premises of the organisation using it.
Due to the prohibitive cost, this is generally an approach that only major enterprises or organisations bound to industry standards requiring on-premise protection would prefer, but there are definite pros to this method.
The second main option when it comes to effective DDoS protection is off-premise, either cloud-based or ISP-based.
ISP-based solutions generally provide only network layer protection, while cloud-based protection protects against both network layer and application layer attacks.
Off-premise protection can be deployed as an always-on or on-demand service.
Just as with the on-premise DDoS protection, there are pros and cons to the off-premise approach as well.
Off-premise DDoS protection is also a managed service, so none of an organisation’s employees are tasked with overseeing the solution and those who are in charge of the solution are DDoS attack experts who have dedicated their careers to detecting and protecting against DDoS attacks and have access to always-updated threat intelligence.
Off-premise DDoS protection solves the scalability problem by being deployed outside of the network, eliminating the issue of network bandwidth limitations.
This is not the approach for control freak organisations.
If your organisation needs to be in control of every aspect of security, off-premise just won’t work.
Likewise, off-premise DDoS protection used on its own isn’t acceptable for organisations required to have on-premise protection by industry-specific standards, unless it is used in hybrid DDoS protection that combines on-premise hardware with cloud-based network layer defense.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a58595717f&e=20056c7556
Schneider Electric : Publishes New White Paper on Cyber Security Issues Affecting Data Centre Remote Monitoring
Choosing defensive systems and implementing work procedures for optimal security is a mission-critical discipline.
A new White Paper, #239 from Schneider Electric, a global specialist in energy management and automation, entitled “Addressing Cyber Security Concerns of Data Center Remote Monitoring Platforms” provides a basic overview of a Secure Development Lifecycle (SDL) process, describing how a product should be designed and developed with security in mind at every stage.
The White Paper elaborates in detail the finer considerations of eight principal practices, taking into account personnel issues, security testing of the monitoring platform, networking security and the physical security of the products contained in the installation being monitored.
The SDL process, described in the White Paper, is based around eight key practices.
A continuous training programme should equip employees to develop and deploy solutions that are increasingly secure.
Cyber security features and customer security requirements should be clearly described at the product development stage.
At the design stage, security architecture documents, following accepted design practices, should be produced with regard to customer specifications and threat models created to identify, quantify and address potential security risks.
The development stage sees implementation of the security architecture design into the product guided by documentation for best practices and coding standards.
Next, a verification stage sees security testing performed on the product implementation from the perspective of the threat model to ensure that the system is robust.
At release stage, security documentation that defines how to install, commission, maintain, manage and decommission the product should be developed.
For the deployment stage, the project development team should co-operate with service technicians to ensure successful installation and optimisation of security features.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2fda3ad3a1&e=20056c7556
Building a Business Case for Security that the CFO Can Understand
According to a March 2016 PwC report, ‘A False Sense of Security?’, that surveyed 300 Middle Eastern organizations, the region has become one of the prime targets for cyber-attacks.
In fact, according to the findings in the report, in 2015, 56% of businesses in the region lost more than US$500,000 as a result of cyber incidents compared to 33% globally.
Faced with this reality, organizations across the region have upped their IT security spend.
However, one of the biggest challenges when you go shopping for new security tools is answering the inevitable question from finance: “What’s the value?”
In security, the biggest benefit will always be reduced risk; “buy this tool (or hire this person) and bad things are less likely to happen.” Unfortunately, this argument is highly theoretical, which doesn’t translate easily into a business case.
It’s also likely that the same argument has been used for previous security procurements and consequently leads to a debate around the likelihood of data being stolen – a risky game to play.
Instead of trying to estimate the level of risk a company has in terms of security and how likely an attack may be, it’s arguably much more important to analyze the time and/or people a new tool might save and how much more efficient it could make an organization.
For any organization it is almost impossible to put a prediction on how much a cyber breach could cost as it isn’t only a case of compensating victims and the loss of business revenue, but also damaged reputation.
No one is expecting a CFO or the Board to write a blank check for security, which is why explaining the savings an enterprise can make in terms of a more efficient security team, lower hardware costs, and minimized risk, is paramount to understanding its value.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=57acdd45b0&e=20056c7556
14 business impacts of a cyber attack
The “Beneath the surface of a cyberattack” report was created by Deloitte’s Cyber Risk practice in tandem with the organisation’s leading forensic and investigations, and business valuation services.
14 business impacts of a cyber incident:
Above the surface: well-known cyber incident costs
1) Customer breach notifications
2) Post-breach customer protection
3) Regulatory compliance (fines)
4) Public relations/crisis communications
5) Attorney fees and litigation
6) Cybersecurity improvements
7) Technical investigations
Below the surface: hidden or less visible costs
8) Insurance premium increases
9) Increased cost to raise debt
10) Operational disruption or destruction
11) Lost value of customer relationships
12) Value of lost contract revenue
13) Devaluation of trade name
14) Loss of intellectual property (IP)
• The direct costs commonly associated with data breaches are far less significant than the “hidden” costs.
In Deloitte’s scenarios, these account for less than five percent of the total business impact.
• The time horizon over which impact is felt is far more protracted than is often anticipated.
In Deloitte’s scenarios, costs incurred during the initial triage stage of incident response account for less than 10 percent of the rippling impacts extending over a five-year period.
• Over 90 per cent of cyberattack impact is likely to accrue in categories that are intangible.
Given that these are less studied and more difficult to quantify, organizations can be caught especially unprepared for these “costs” in areas such as operational disruption, impact to trade name and loss of intellectual property.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b20500c8ac&e=20056c7556
Cyber-crime cost calculation studies are rubbish: ENISA
ENISA, the European Union Agency For Network And Information Security, has taken a look at “cost of cyber attack” studies and reckons they’re not much good.
The agency is far too polite to put it that way, but in this report, it says there’s no consistent approach to trying to quantify the cost of attacks on what it calls critical information infrastructures (CIIs).
The study, The cost of incidents affecting CIIs, is a review of eleven expert reports, two internal studies (provided by security vendors to customers), two public studies, and two reports by ENISA partners.
The source studies were dated between 2013 and 2015.
The agency says there’s plenty of information about, but each of the studies it analysed “examines the topic from a different perspective, focusing on certain industries, using different metrics, counting only certain types of incidents etc.
The lack of a common approach and criteria for performing such an analysis has allowed the development of rarely comparable standalone studies, often relevant only in a certain context.”
While it won’t surprise anyone that the financial, ICT and energy sectors have the highest per-incident costs, denial-of-service and insider attacks are the most common incident types in finance and ICT.
The big problem comes when people try to quantify what an attack actually costs.
The studies ENISA reviewed put costs anywhere from €425,000 to €20 million per company per year in Germany (from the Ponemon Institute); although it may be between €2.3 million and €15 million per company per year (also from the Ponemon Institute).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=438efb1496&e=20056c7556
Australia sets up specialist cyber unit to trace terrorism payments
SYDNEY (Reuters) – Australia has set up a cyber-intelligence unit to identify terrorism financing, money laundering and financial fraud online, the government said on Tuesday, because of “unprecedented” threats to national security.
Justice Minister Michael Keenan said the new unit, set up under money-tracking agency the Australian Transaction Reports and Analysis Centre (AUSTRAC), would investigate online payment platforms and financial cybercrime to crack down on money-laundering and criminal networks.
The statement said the new AUSTRAC unit would work with the Australian and New Zealand government-funded identity support service, ID Care, to target job recruitment scams that crime syndicates used to recruit innocent people to traffic money between jurisdictions.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=51c1fb5349&e=20056c7556
FBI Agent to CHIME/AEHIS LEAD Forum: Healthcare Leaders Still Not Up to Speed on Basic IT Security Tasks
A Nashville-based FBI agent offered a strong dose of reality to healthcare IT professionals attending the CHIME/AEHIS LEAD Forum Event, being held Monday, August 10 at the Sheraton Downtown Nashville, in Nashville, Tennessee, and co-sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME), and its subsidiary association, the Association for Executives in Health Information Security (AEHIS), and by the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC umbrella).
Scott Augenbaum, Supervisory Special Agent in the Memphis Division of the Federal Bureau of Investigation, offered a bracing opening keynote address during Monday’s event, tagged “The Health Information Executive’s Guide to Cybersecurity.”
Among other things, Augenbaum, who has spent two decades at the agency, told attendees that the leaders of patient care organizations are simply not moving quickly and strategically enough yet, to meet the huge challenges facing them in the fast-moving landscape of healthcare IT security.
Augenbaum said, “We’ve found that 90 percent of data breaches could be prevented if the leaders of patient care organizations simply began by focusing on the “CIS Critical Security Controls for Effective Cyber Defense,” as articulated by the SANS Institute.
“If an organization does those top five tasks to protect its data security, it can reduce its risk of exposure by 90 percent,” Augenbaum stressed. “Things like only allowing approved software and applications onto the network, making sure to do a good patch management job (and the less software, the fewer vulnerabilities), limiting admin rights on machines—all of those kinds of things can drastically reduce your exposure.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=df51dca5f5&e=20056c7556
Go for Gold by Transforming Compliance Into Data Security
Many organizations recognize there’s something going on, but they are unaware that they need to be in it to win it.
Instead, they spend their time just doing enough: They make sure to check the compliance box and pass their audit, whether for PCI DSS, HIPAA, SOX or the EU’s GDPR, which goes into effect in June 2018.
While being in compliance is absolutely important and represents a great first step along the road to data security, it is merely sufficient.
It helps avoid fines, scrutiny and other unpleasant things, but it does not position organizations to compete.
The right place to begin is indeed with compliance.
By starting with compliance, you become acquainted with the basics and can start learning the vocabulary of the data security athlete.
Compliance helps you pass your audits, but it can also get you to start thinking about:
– Discovery
– Monitoring
– Hardening
Key capabilities to look for include: data protection (masking, redaction, encryption, blocking, alerting, etc.) for data at rest and in motion; entitlement reporting; risk and threat detection, including real- and right-time analytics, cognitive analytics and specialized threat detection analytics; and broad platform support so that when you are ready, you can safeguard your sensitive data, wherever it resides.
Expanding from compliance to data security should not be difficult, and you should not be confronted with technical sticking points.
With the right training program in place and key considerations in mind, you can score a neat compliance victory and then expand your program, build on your efforts and continue your journey to the data security triathlon.
There you will surely have your shot at gold.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1145fbe60a&e=20056c7556
Using ISO 27001 to improve your information security posture
ISO 27001 delivers direct benefits that improve an organisation’s information security posture, despite the ongoing struggle to convince boards of the importance of information security, and to secure the necessary budget and resources to implement ISO 27001, according to a new report from IT Governance.
Nearly 70% of the respondents said that improved information security is the main driver for implementing the standard, alongside competitive advantage (56%), legal and regulatory compliance (56%), and new business requirements (35%).
More than half of the respondents reported struggling to convince the board of the importance of information security, or to secure the necessary budget and resources to implement ISO 27001.
41% of the respondents faced challenges such as obtaining employee buy-in and raising staff awareness when implementing ISO 27001.
The research suggests that ensuring the right level of competence and expertise (39%), understanding the requirements of the standard (31%), and creating and managing the ISMS documentation (31%) are the top concerns teams face when implementing ISO 27001.
The duration of an ISO 27001 certification project depends on the size of the organisation, the scope of the project and the resources available.
The report suggests 6-12 months as the median length, according to 51% of the respondents to the survey, followed by 3-6 months (20%) and more than 12 months (20%).
The findings also suggest that larger organisations with complex scopes tend to take longer to achieve certification, compared to small companies with fewer staff and that rely on external help.
The survey’s findings also show that only 16% of companies employ a full-time ISMS manager.
The responsibility for managing the ISMS in most organisations falls to the IT manager (19%), the CISO (18%), the compliance manager/risk manager (15%) or the CIO (6%).
The research also reveals that the ISMS manager has a prominent role to play in organisations that are certified or considering certification to ISO 27001, the individual requiring both the technical experience and a wide understanding of all areas of the business.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f006d241d4&e=20056c7556
Breathing new life into SSL VPNs: Making the most of the security benefits
With a little outside-the-box thinking, an SSL VPN can augment your security strategies, reduce risk and even improve user experience.
The following maps out a sampling of ideas to make sure you are getting the most out of your SSL VPN.
Most enterprise-class SSL VPN appliances can proxy connections to application servers running behind them.
Using an SSL VPN appliance, a separate secure portal can be set up specifically for authorized IT staff that includes links to Web-based applications (via proxy), and to proxy RDP connections that have been statically assigned in compliance with internal policy.
A number of SSL VPN appliances offer add-on software or modules to allow secure access to a work PC from any location or device, and allow employees to view applications and customer data just as if they were in the office.
This may not fall under features that offer a direct benefit to IT staff, but often it’s desirable (or requested) to use a custom “skin” for corporate applications.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3852e58738&e=20056c7556
Advice for the modern CISO
What should a CISO be doing in today’s business and security environment?
At the recent Black Hat Conference in Las Vegas, CSO Magazine had the opportunity to interview Nuix’s Chief Information Security Officer, Chris Pogue about his experiences in protecting the Australian security company’s operations.
Pogue’s main advice to security managers is to hire a great team. “As a CISO I have an eclectic bunch of people, I cater to their crazy and the results are tremendous.
Hire the crazy, because you need them.
Those are the ones that don’t think outside the box, they burn the box and stomp on the ashes.
That’s what you want.”
“You can’t just say ‘security is good’ and everything else is bad because everyone speaks their own language, understand who your target audience is and address them in the language they are going to hear.”
“Executives need to understand this is a real honest to goodness risk and it needs to be addressed you need to have a CISO, a risk officer, you need to have people who understand this landscape who can help guide the business, just like a general counsel,” Pogue advises. “I don’t want to run the business, or keep it from making money, I want to provide enough advice and information so the decision makers can make smart decisions.”
“Understanding that’s the CISO’s role and give him free rein to do that, don’t half ass it.
If you are going to hire him, empower him and give him everything he needs to accomplish his mission.
All he’s gotta do is be wrong once.”
Having a properly qualified professional in the CSO or CISO role is also essential, says Pogue, “all executives and boards should look at their CISO in a similar way and say this is a cyber expert.
Don’t put a lawyer or accountant in that spot, put a cyber expert who’s put finger on keyboards, has fifteen to twenty years’ experience who’s going to point you in the right direction.”
Overall, Pogue believes that attracting good security staff is a matter of providing a work environment that they enjoy.
For himself, he’d show up regardless of the money as long as the stimulation is there. “I spent eight years at IBM where I was number 8Alpha149, I didn’t have a name, just a boring serial number and I had no influence over anything whereas if you take a bunch of experts who are passionate we’re in this industry because it’s what we love.
It’s not what we do, it’s who we are.”
“If I won the Powerball tomorrow I would show up for work on Monday because this is just how God wired me.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7bb02e0c07&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.