Archive for the ‘cybersecurity’ Category

CISSP or CISM: Which – or Both?

Friday, May 3rd, 2013

In today’s underskilled cyber security marketplace, people ask whether they should acquire a CISSP or a CISM qualification. Each has different strengths (CISSP is broader and more technical, CISM is aimed at security management) – so, which do you think information security professionals should pursue?

Where do you think CISMP fits into a career path?

Or should you pursue an ISO 27001 certification from IBITGQ?


Cyber skills the issue for SMBs

Thursday, May 2nd, 2013

New cybersecurity surveys continue to point at the two main challenges faced by most smaller businesses in terms of defending against cyber attack:

  1. They don’t know where they are vulnerable; and
  2. They don’t have the skills to close down the vulnerabilities anyway.

Two things to do: get an outside expert to come and do a cyber security risk assessment, and either engage them to help close down the identified vulnerabilities or get your own staff trained up. A CISSP should now be a basic qualification for anyone dealing with cyber security in a business of any size.

The cyber security frontline: your business

Monday, April 29th, 2013

Eugene Kaspersky – the founder of Kaspersky Lab, the world’s largest privately-held anti-malware vendor – made four important points in his cybersecurity seminar at Infosec 2013:

  1. “Every company is a victim of cyber attacks, whether they know it or not;”
  2. Even smaller businesses have a critical role to play in preventing cyber attackers from using them as stepping stones to bigger victims;
  3. Governments (and, I would add, critical national infrastructure organisations) have an essential duty to move their services to more secure environments where cyber attack is very difficult; and
  4. Everyone – governments in particular, as they control large budgets and regulatory powers – must contribute to the drive to increase the universe of cyber security skills.

From a ‘take action’ point of view, this translates into

  1. Carry out a cyber security risk assessment as soon as possible, and act on the findings; and
  2. Initiate a programme of cyber security skills training for your IT team.

In the dark world of cyber security, your inattention will bring you to the attention of cyber attackers.

Cyber security skills gap

Friday, April 26th, 2013

I talked, earlier this week, about the evident gap between the concern about cyber security expressed by the majority of managers (in the 2013 ISBS survey) and the fact that their organisations continue to be breached, and linked this to a lack of appropriate competences in their organisations.

I don’t think this is surprising – most organisations build their IT teams in order to deliver services to customers, and they don’t do this with cyber security at the forefront of their mind.

The world has now changed – cyber security needs to be a core part of every organisation’s IT delivery strategy. In terms of skills and competences, this means that every organisation will need to employ people whose qualifications include some combination of ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, CISSP, CISA, CEH and CISM.

While a cyber security risk assessment is a sensible immediate first step for most organisations, the reality is that everyone is going to have to employ people with an appropriate skill set.


Cyber security – outside attacks

Thursday, April 25th, 2013

According to the recent ISBS 2013 Survey, 78% of large organisations were attacked by an unauthorised outsider last year (an increase from 73% the previous year), while 63% of small organisations were similarly attacked from outside – a big increase from 41% the previous year. Small businesses are now squarely in the cyber firing line, and are being attacked much more frequently than before.

External attackers take advantage of vulnerabilities in network connections to the Internet and in corporate websites. Basic security practice in today’s climate should include quarterly vulnerability scans and penetration tests of all Internet-facing resources and connectivity, with the vulnerabilities they identify patched (or the exposed service closed down) as fast as possible, and the fix confirmed by a re-test.

As we move into an era of ‘negative day’ attacks (exploits in circulation before the vulnerability they use is even publicly known), taking no action to identify and close vulnerabilities is no longer an even vaguely sensible option!


Cyber security – how much should I spend?

Wednesday, April 24th, 2013

Cyber security costs money – but then, so does cyber insecurity – and the problem with data breach costs is that they are usually accompanied by even more expensive business disruption and reputation damage – often when you need it least!

Increasingly, organisations ask: “How much should we spend on getting ourselves cyber-secure?”

Here are two guidelines:

    1. According to the recently published ISBS 2013 survey, the total cost of cyber insecurity to British business increased threefold last year. As a rough rule of thumb, therefore, whatever you spent on cybersecurity last year, you should expect to spend about three times as much this year.
    2. The cost of the worst breach, for smaller organisations, was between £35k and £65k – and, with the median number of breaches for small organisations having climbed to 17, the actual annual cost is likely to be in the order of £100k. So, for a smaller organisation, an initial investment of up to £100k to reduce its growing annual losses to cyber risk makes good sense. If you’re a larger organisation, for whom the worst breach costs in excess of £1 million, the necessary investment could easily be of that order.

Of course, how much you actually need to invest does depend on your actual cyber insecurity – and the way to work that out is to compare your current cyber security stance with that described in either the UK Government’s 10 Steps to Cyber Security or the SANS/CSIS 20 Critical Security Controls. The appropriate framework depends on your organisational size. Yes, you will need to deploy competent and appropriately skilled people to do the assessment, and this is where services like professional cyber security risk assessments come in.

Cyber security risk assessment

Wednesday, April 24th, 2013

The 2013 Information Security Breaches Survey – published yesterday – makes it very clear that the vast majority of business managements and boards are all concerned about cyber security, but are signally failing to translate that concern into a set of effective cyber defences.

This is not surprising – organisations build their IT infrastructures (and their IT teams) to deliver against business objectives, such as satisfied, more profitable customers. Most IT teams do not also contain extensive cyber security skills and competences; even where they do, the challenge of keeping those skills current and knowledge up-to-date for the most recent attack vectors and security requirements is substantial.

That’s fine because, luckily, cyber security skills and competences are readily available from specialist cyber security companies – such as my company, IT Governance Ltd. More importantly, these skills are available in a highly focused format: the cyber security risk assessment. This is a three-day exercise designed to analyse and assess the gap between what an organisation actually does and established good practice (such as the UK Government’s 10 Steps to Cyber Security), and to provide a clearly articulated action plan that will lead the organisation quickly to a more secure position.

Cyber attacks on business soar!

Monday, April 22nd, 2013

In a news article (hastily withdrawn because it was published ahead of the official release date) describing the findings of the Information Security Breaches Survey 2013, the UK’s Department for Business, Innovation and Skills (BIS) will tomorrow (Tuesday 23 April) report that 87% of small firms in the UK experienced a security breach last year, and that 93% of large firms had also been targeted. Some of the incidents caused more than £1 million in damages. The median number of breaches suffered by large organisations rose from 71 to 113 and, for small firms, from 11 to 17.

UK firms are clearly not doing a good job of preparing for or responding to cyber attacks.

The UK’s Universities and Science Minister will apparently say tomorrow:

“Companies are more at risk than ever of having their cyber security compromised, in particular small businesses, and no sector is immune from attack. But there are simple steps that can be taken to prevent the majority of incidents.”

I agree. There are simple steps that can be taken to prevent the majority of incidents. Step 1 is to find the open windows in your network, and close them. This means that the first and most basic cyber security step is to identify vulnerabilities in your Internet connections and websites, and then to patch them. This is relatively straightforward: an externally commissioned vulnerability scan and penetration test (there are easy-to-purchase, fixed-price penetration testing packages available, as well as more customised services) will give you all the information you need, both about the vulnerabilities and about what is required to fix them. But you need to commission such a test as fast as possible.
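As an added example of the “find the open windows and close them” step above (and of the quarterly scanning practice recommended in the 25 April post on outside attacks), here is a small triage script. It is not code from the original post or from IT Governance Ltd: the host names, ports, severities, dates, the approved-exposure baseline and the patch deadlines are all constructed for illustration. It takes the findings from an external scan in a simple CSV shape, flags every Internet-facing service that is not in the list of deliberately exposed services, and lists the findings that have been open longer than the patch deadline for their severity, worst first.

```python
"""Triage of external scan findings against an approved-exposure baseline.

Added example, not from the original post or IT Governance Ltd. All host
names, ports, severities, dates and deadline values below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Services the business has deliberately chosen to expose to the Internet
# (hypothetical baseline). Anything else the external scan finds is an
# "open window" that needs either a documented justification or closing.
APPROVED_EXPOSURE: Dict[str, Set[int]] = {
    "www.example.com": {443},
    "mail.example.com": {25, 443},
}

# Maximum days a finding may stay open, by severity (assumed policy values).
PATCH_SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 14, "medium": 30, "low": 90}
_SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str   # a PATCH_SLA_DAYS key, or anything else for informational
    first_seen: date


# Constructed sample scan output; a real run would export this from the
# scanner or penetration test report actually used.
SAMPLE_SCAN = """\
# host,port,service,severity,first_seen
www.example.com,443,https,medium,2013-03-20
www.example.com,21,ftp,high,2013-04-01
mail.example.com,25,smtp,low,2013-02-10
mail.example.com,443,https,medium,2013-04-18
mail.example.com,8080,http-proxy,critical,2013-04-12
db.example.com,3306,mysql,critical,2013-04-15
"""


def parse_scan(text: str) -> List[Finding]:
    """Parse the CSV shape above, ignoring blank lines and '#' comments."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port, service, severity, first_seen = (f.strip() for f in line.split(","))
        findings.append(Finding(host, int(port), service, severity.lower(),
                                date.fromisoformat(first_seen)))
    return findings


def unapproved_exposure(findings: List[Finding],
                        approved: Dict[str, Set[int]] = APPROVED_EXPOSURE) -> List[Finding]:
    """Open services not in the baseline; a host not in the baseline has no approved ports."""
    return [f for f in findings if f.port not in approved.get(f.host, set())]


def overdue(findings: List[Finding], today: date) -> List[Tuple[Finding, int]]:
    """Findings open longer than their severity's deadline, paired with days past it.

    Sorted worst first: by severity, then by how far past the deadline.
    """
    late = []
    for f in findings:
        sla = PATCH_SLA_DAYS.get(f.severity)
        if sla is None:
            continue   # informational finding: nothing to patch, only to justify
        over = (today - f.first_seen).days - sla
        if over > 0:
            late.append((f, over))
    late.sort(key=lambda item: (_SEVERITY_RANK[item[0].severity], -item[1]))
    return late


def triage(scan_text: str, today: date) -> dict:
    """Run both checks over one scan export."""
    findings = parse_scan(scan_text)
    return {"unapproved": unapproved_exposure(findings),
            "overdue": overdue(findings, today)}


if __name__ == "__main__":
    report = triage(SAMPLE_SCAN, date(2013, 4, 22))
    for f in report["unapproved"]:
        print(f"UNAPPROVED  {f.host}:{f.port} ({f.service})")
    for f, over in report["overdue"]:
        print(f"OVERDUE     {f.host}:{f.port} {f.severity}, {over} day(s) past deadline")
```

Two design points are worth noting. An unapproved service is reported even when the scanner rates it as low severity, because the question is not “is this version vulnerable today?” but “should this be reachable from the Internet at all?”. And the deadline check is driven by when the finding was first seen, not by the date of the latest scan, so a finding that is simply re-reported every quarter keeps getting older rather than resetting.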

You could read this Green Paper on penetration testing and ISO 27001 – but cyber attackers aren’t about to slow down their activity, so you’ve got to start getting ahead. The faster you check your basic security, the faster you’re able to take remediation action to protect yourself and your valuable corporate assets.



Small & Medium Businesses continue to be cybercrime targets

Wednesday, April 10th, 2013

Symantec’s most recent National Small Business Survey says the following:

  1. In 2011, over three-quarters of small businesses had a security breach;
  2. The average cost of a security breach was £15k – £30k;
  3. 1 in 20 breaches led to business disruption of between a week and a month;
  4. 83% of small businesses have no formal cyber security plan;
  5. Half of attacks targeted SMBs.

The report makes the point that cyber criminals target SMBs because they have more money than individuals and their security is much weaker than that of larger organisations. Put bluntly, Small and Medium Businesses should expect to see substantial growth in the number and effectiveness of cyber attacks on them.

Part of effective defence against cyber threats may well be a security solution such as that available from Symantec or Sophos. The better SMB approach is to start by adopting a basic cyber security strategy that deals cost effectively with the most obvious business-level vulnerabilities and then moves on to look at appropriate technical security solutions. The Green Paper ‘Cybersecurity – a Critical Business Risk’ describes a useful 7-step cyber security strategy.


SANS Top 20 Security Controls and Risk Appetite-based Control Selection

Monday, April 8th, 2013

SANS has, for years, published and maintained the Top 20 Critical Security Controls (now in version 4.1). These 20 Critical Security Controls, whose origins go back beyond 2008, were implemented by the US State Department in 2009, leading, apparently, to an 88% reduction in vulnerability-based risk. This success led to the controls being more widely implemented across public and private sectors in the USA and, in 2011, the UK’s CPNI announced that the UK would also adopt the controls.

I see something of a face-off between two different approaches to information security risk:

  1. There is the ISO 27001 approach which says, in essence, that controls should be selected on the basis of an asset-based risk assessment, and only insofar as is necessary to bring risk within management’s risk appetite; and
  2. The ‘baseline security’ approach, which says that there are certain risks which are so unavoidable that every organisation ought, as a matter of course, to adopt the relevant controls – irrespective of their implementation cost or management’s appetite for risk.

You could, of course, identify a parallel between the US approach to corporate governance (‘comply or get into very big trouble with regulators and everyone else’) and the UK’s approach (‘comply or explain’). Increasingly, I suspect, the US approach will become dominant. That is not because of anything intrinsically better about its American origins, but because it recognises (whether deliberately or not) that the Internet is a shared international infrastructure, like a highway, and that any organisation connected to it can damage all the others, whether it means to or not. It is rather like a motor vehicle which, because of its capacity for harm, has to be licensed, roadworthy and driven by a competent, licensed driver.

A poorly defended corporate network can be taken over by hackers and used to mount Distributed Denial of Service attacks. Ill-protected webservers and sites can be used as part of a pharming strategy, or to auto-download malware into the browsers of legitimate visitors. As multiple payment card and personal data breach headlines have proven, poorly-secured websites expose the data of unsuspecting users to malefactors the world over.

Private sector organisations that want to connect to government networks are increasingly told that they must first implement security controls which are aligned with the government’s appetite for cyber risk (which is quite low!) rather than their own. While many of the larger private sector organisations are still quite reluctant to specify the minimum security controls required in their supply chain, it can only be a matter of time before this sort of practice becomes widespread.

I imagine that we will then see the two approaches to information security merging: most organisations will expect to have to adopt a minimum set of security controls, irrespective of their management’s risk appetite, and they will then select those additional controls which might be necessary to additionally mitigate their own business-specific legal, contractual or business risks.