IT security essentially reduces information-related risk to an acceptable ratio of risk to cost. For this reason, the process begins with an extensive risk assessment – a tried and tested process that can be improved. I am inspired by the work of Douglas Hubbard on this topic. Here’s why.
IT security essentially reduces information-related risk to an acceptable ratio of risk to cost. For this reason, the process begins with an extensive risk assessment – a tried and tested process that can be improved. I am inspired by the work of Douglas W. Hubbard on this topic. Here’s why – part II.
IT security essentially reduces information-related risk to an acceptable ratio of risk to cost. For this reason, the process begins with an extensive risk assessment – a tried and tested process that can be improved. I am inspired by the work of Douglas Hubbard on this topic. Here’s why – part III.
IT security essentially reduces information-related risk to an acceptable ratio of risk to cost. For this reason, the process begins with an extensive risk assessment – a tried and tested process that can be improved. I am inspired by the work of Douglas Hubbard on this topic. Here’s why – part IV: a sample case comparing traditional risk analysis with quantitative risk analysis.
The world is driven by risk assessments. Crossing the street, ordering some gadget online or lying to your boss… It’s all risk assessment. Doing business is no different, but there is more to life than risk alone. What about ethics?
‘CISO Says...’ is a monthly blog post series by Chris van den Hooven, Senior Security Consultant at Nixu. Each post will elaborate on a different issue within the cybersecurity space from the perspective of a Chief Information Security Officer, a role Chris has been in many times himself, in a career spanning more than 15 years. By combining knowledge of risk management, architecture, legislation and regulation, Chris helps organizations get in control of the security of their information and IT infrastructure.
Cybersecurity risks are a result of three elements: threat, vulnerability, and impact. This blog specifically addresses vulnerability management. Patching is an important aspect of this, but there is more to it than meets the eye. As always in information security, we have to balance the risk and the cost.
Nowadays many applications are built for the web using scalable architectures and are running in the cloud. The current Corona-virus-induced situation is putting these applications to the test. Can the promised resilience and scalability really be achieved?
Are you expecting your IT department to work on a certain budget and keep things secure? Think again! Because you could probably lift some weight off their shoulders, so that they can do more with less.
I recently visited the Risk and Resilience Festival at the University of Twente. One of the keynote speakers was Maarten van Aalst, Director of the international Red Cross Red Crescent Climate Centre, and professor at the University of Twente. He told a story about Bangladesh and how the frequent flooding led to increasing numbers of casualties. It was too simple, he said, to blame climate change. A much bigger impact was the increasing population. The more people there are living in the Ganges Delta, the bigger the exposure. It reminded me of the fact that exposure is often something we can influence.
From a security perspective, workstations (desktops, laptops, smartphones) can never be completely controlled, equating to a plethora of possible breaches CISOs must foresee and navigate. Simply advising employees to be wary of predatory behavior from unknown attackers is not sufficient. Knowing a) what to protect, b) which possible dangers exist and c) who the hypothetical attackers are, is necessary for every CISO.
Security patching is not without risk, but not patching comes with a risk too. When does the coin flip from "don't touch" to "patch"? You can calculate the risk and make an informed decision.
During a crisis, people tend to criticize the ones that were supposed to prepare for it. Whatever has been done, it’s not good enough: there was too little preparation, the response was too late. But before the crisis existed, the same people were often criticized too: their proposed measures were too expensive and too restrictive. The difference is that we prepare for a risk, but we have to deal with a problem.
The Corona virus has provided for challenging times, impacting businesses globally. It is very likely IT security is no longer a top priority for companies, when the only outlook is surviving the current crisis. Of course, companies are handling things to the best of their ability. The current situation reminds me of 2009, when the world was battling the swine flu pandemic. In hindsight, that flu was comparable to the seasonal flu. It looks like the Corona virus is completely different, with far more severe consequences. We are now faced with the same review, and the comparisons are striking.
Awareness training in cybersecurity is often the equivalent of telling road users to be careful. It is a good idea, but it will have limited impact. On the road, we have rules such as please keep driving on the right, give way to people coming from the right and do not go faster than 50 km/h. Next to that, we have infrastructure to support safe usage, like traffic lights, pedestrian crossings, and guardrails. And finally, we have legislation and enforcement by the police. Our society is aware of the fact that these measures are all necessities to support safe road usage. In cybersecurity we need this as well. I call it Top Management Awareness.
My colleague Anne Oikarinen has written a blog or two about secure software development and how to incorporate ‘Evil user stories’. The idea is that you envision how an evil user could misuse the system you are developing and, subsequently, you mitigate that misuse in your code. From a CISO perspective, it makes more sense to analyze and take things a step further: How would an evil person compromise the company? How would he commit fraud? How would he go about stealing goods or money? How would he abuse your organization’s vulnerabilities?
Do the names Industroyer/CrashOverride, Stuxnet, BlackEnergy 2, Havex and Triton ring a bell? These are the names of malware targeted at Industrial Control Systems (ICS). Targets were electric grid operators, Iran’s nuclear facilities and Saudi Arabian petrochemical plants. But even malware not targeted at ICS, like Petya, may have an impact on industrial control systems. NotPetya ransomware wreaked havoc at Maersk’s APM Terminal in Rotterdam. IT-related crime has already infiltrated ICS. What can we do to protect existing systems without causing downtime?
The cybersecurity industry’s current mood is no longer fear but seeing opportunities. Instead of saying “no,” I’d say: “Let’s see how we can do this securely.”
The world is driven by risk assessments. Crossing the street, ordering some gadget online or lying to your boss… It’s all risk assessment. Doing business is no different. Businesses are struggling to get a grip on risks, which is where (IT) security comes in.
At the beginning of the year, all departments in the organization have submitted their annual status reports regarding departmental risks and it’s time to analyze the results. But how will you organize and crunch the numbers in all those Excel worksheets that departments use to document risks? How can you produce a collective risk profile for your organization? Where should you start, and what’s the best way to present the information?