The first blog post of the series – ‘CISO Says…YES’ raises the topic of security departments that are perceived as the ‘Department of NO.’ And how information security management services can be utilized to get a grip on an organization's current state of information security,
From a security perspective, workstations (desktops, laptops, smartphones) can never be completely controlled, equating to a plethora of possible breaches CISOs must foresee and navigate. Simply advising employees to be wary of predatory behavior from unknown attackers is not sufficient. Knowing a) what to protect, b) which possible dangers exist and c) who the hypothetical attackers are, is necessary for every CISO.
Nowadays many applications are built for the web using scalable architectures and are running in the cloud. The current Corona virus-induced situation is putting these applications to the test. Can the promised resilience and scalability really be achieved?
Awareness training in cybersecurity is often the equivalent of telling road users to be careful: a good idea, but one that has limited impact if not supported by a number of other measures. On the road, we have rules: drive on the right side of the road, follow the speed limits, etc. Next, we have infrastructure to support safe behaviour, like traffic lights, pedestrian crossings, and guardrails. Finally, we have traffic laws, enforced by the police. We understand and agree that these measures are needed to support safe use of the roads. In cybersecurity we need something similar. I call it Top Management Awareness.
My colleague Anne Oikarinen has written a blog or two about secure software development and how to incorporate ‘Evil user stories’. The idea is that you envision how an evil user could misuse the system you are developing and, subsequently, you build the mitigations into your code. From a CISO perspective, it makes more sense to analyze and take things a step further: How would an evil person compromise the company? How would he commit fraud? How would he go about stealing goods or money? How would he abuse your organization’s vulnerabilities?
During a crisis, people tend to criticize the ones that were supposed to prepare for it. Whatever has been done, it’s not good enough: there was too little preparation, the response was too late. But before the crisis existed, the same people were often criticized too: their proposed measures were too expensive and too restrictive. The difference is that we prepare for a risk, but we have to deal with a problem.
Nixu Corporation
Press release, March 4, 2019 at 9.30 AM EET
Are you expecting your IT department to work on a certain budget and keep things secure? Think again! Because you could probably take some weight off their shoulders, so that they can do more with less.
Cybersecurity risks are a result of three elements: threat, vulnerability, and impact. This blog specifically addresses vulnerability management. Patching is an important aspect of this, but there is more to it than meets the eye. As always in information security we have to balance the risk and the cost.
Security patching is not without risk, but not patching comes with a risk too. When does the coin flip from "don't touch" to "patch"? You can calculate the risk and make an informed decision.
IT security essentially reduces information-related risk to an acceptable ratio of risk to cost. For this reason, the process begins with an extensive risk assessment – a tried and tested process that can be improved. I am inspired by the work of Douglas Hubbard on this topic. Here’s why.
To fight against the ever-increasing cyber threats the newspaper Børsen entered a partnership with Nixu and started using Managed Detection & Response solution and Threat Intelligence tools.
The world is driven by risk assessments. Crossing the street, ordering some gadget online or lying to your boss… It’s all risk assessment. Doing business is no different, but there is more to life than risk alone. What about ethics?
IT security essentially reduces information-related risk to an acceptable ratio of risk to cost. For this reason, the process begins with an extensive risk assessment – a tried and tested process that can be improved. I am inspired by the work of Douglas Hubbard on this topic. Here’s why, part III.
IT security essentially reduces information-related risk to an acceptable ratio of risk to cost. For this reason, the process begins with an extensive risk assessment – a tried and tested process that can be improved. I am inspired by the work of Douglas W. Hubbard on this topic. Here’s why, part II.
I recently visited the Risk and Resilience Festival at the University of Twente. One of the keynote speakers was Maarten van Aalst, Director of the international Red Cross Red Crescent Climate Centre, and professor at the University of Twente. He told a story about Bangladesh and how the frequent flooding led to increasing numbers of casualties. It was too simple, he said, to blame climate change. A much bigger factor was the increasing population. The more people there are living in the Ganges Delta, the bigger the exposure. It reminded me of the fact that exposure is often something we can influence.
Do the names Industroyer/CrashOverride, Stuxnet, Blackenergy 2, Havex and Triton ring a bell? These are the names of malware targeted at Industrial Control Systems (ICS). Targets were electric grid operators, Iran’s nuclear facilities and Saudi Arabian petrochemical plants. But even malware not targeted at ICS, like Petya, may have an impact on industrial control systems. NotPetya ransomware wreaked havoc at Maersk’s APM Terminal in Rotterdam. IT-related crime has already infiltrated ICS. What can we do to protect existing systems without causing downtime?
IT security essentially reduces information-related risk to an acceptable ratio of risk to cost. For this reason, the process begins with an extensive risk assessment – a tried and tested process that can be improved. I am inspired by the work of Douglas Hubbard on this topic. Here’s why, part IV: a sample case comparing traditional risk analysis with quantitative risk analysis.
The Corona virus has brought challenging times, impacting businesses globally. It is very likely that IT security is no longer a top priority for companies when the only outlook is surviving the current crisis. Of course, companies are handling things to the best of their ability. The current situation reminds me of 2009, when the world was battling the swine flu pandemic. In hindsight, that flu was comparable to the seasonal flu. It looks like the Corona virus is completely different, with far more severe consequences. We are now faced with the same review, and the comparisons are striking.
Nixu Corporation, Stock Exchange Release on 30 June 2023 at 12.00 a.m.