Announcing the Next SecurityDreamer Event ASIS 2014

August 22, 2014 1 comment

Join us for another SecurityDreamer cocktail party at the beginning of the ASIS conference in Atlanta, September 28. Start here before you walk over to Canada Night. Open bar and food. Contact me for an invitation HERE

security_dreamer_high-res_4c

IMG_0220

IMG_0212

IMG_0236

Sponsored by Modulo

Modulo_INTLogo_New_NoAccent

 

Why Worry About Public Surveillance? Are you Hiding Something?

September 15, 2014 Leave a comment

In the aftermath of the killing in Ferguson, MO, three police officers – none of whom are from the Ferguson police department – were suspended after blatantly racist and extremist comments and unacceptable behavior. A Rock Island, IL sheriff recently pled guilty to cyberstalking and resigned.

Do you think that, given an opportunity, these local law enforcement officers and others of their ilk would use information gleaned from your cell phone in a responsible manner? Would they respect information privacy?

Local law enforcement does have the opportunity. In September, news broke that owners of encrypted cell phones had identified 19 fake cell phone towers in various parts of the United States; it wasn’t long before the towers were connected to the NSA, as well as local, regional and state law enforcement.

This enables something as simple as tracking a user’s location or as potentially sinister as so-called “Man in the Middle” attacks where calls and texts can be heard or read before being forwarded on to a legitimate cell tower and the intended recipient. Is this a violation of physical security or cybersecurity? Or both?

Do you trust your local law enforcement to protect your information privacy? How many police officers or sheriff’s deputies are trained to understand these limits? In Florida a local police department used cell phone location information to conduct a search without a warrant. What else can and will they do? What have they done?

And what does this do to our expectations of information privacy?

Categories: Uncategorized

Google says Don’t Worry

September 15, 2014 Leave a comment

“Google Says Not to Worry About 5 Million ‘Gmail Passwords’ Leaked” So said a headline on forbes.com. If you have a gmail account, were you at all concerned that your email address and password was among the 5 million? Of course you were.

Continued data breaches are a cybersecurity headache. They’re also a major public relations nightmare. Telling your customers not to worry doesn’t sound like a good strategy.

So far no one is saying how the Russian Bitcoin security forum actually got the gmail addresses paired with the passwords. Some speculate that, instead of a gmail data breach, whoever was responsible grabbed them from other sites at which gmail customers used their emails and passwords to sign in.

It’s still a public relations problem for Google. Covering various parts of your body and telling everyone not to worry only serves to make people leery. They don’t believe you and suspect your ability to handle cybersecurity and even physical security.

So, whether it’s a data breach or some other problem, most PR professionals believe honesty is the best policy. Tell people their information privacy has been violated, whether via a cybersecurity or physical security breach. Give them directions for changing their passwords. Admit you don’t know what happened, but, by golly, you’re going to find out. And apologize. For goodness sakes, apologize.

People understand apologies, especially if they are followed by a vow to find and fix the problem.

Then tell them when it’s fixed.

Categories: Uncategorized

Your CISO will soon need more clout

September 4, 2014 1 comment

If consumers weren’t skittish enough, Home Depot recently joined the rapidly lengthening list of big box retailers experiencing sometimes prolonged data breaches: Albertson’s, Dairy Queen, The UPS Store, Sally Beauty, Target, Michael’s, Neiman Marcus, P.F. Chang’s and SuperValu.

More than a few Chief Information Security Officers (CISO) must be nervous. In fact, it may be forcing corporations who do not have a CISO to rethink that strategy. Often the CISO position is folded in with or serves under the Chief Information Officer (CIO) or even, if the CIO reports to the Chief Financial Officer (CFO), as is the case in some organizations, two layers under the seat of power. So, the person charged with security risk management may not have the authority to get things done.

With the recent spate of high profile data breaches, translating the message up the chain or even the perception that the CISO’s job is not important enough to be a direct report may not cut it anymore. Shareholders and customers want answers.

Consumers also are flocking to convenient online sites, where they have few other choices than to use a credit or debit card.

Data breaches, whether prolonged or short lived, especially those that compromise customer information, are black eyes that eventually will force consumers to keep their credit and debit cards at home. Having the man or woman in charge of mitigating IT risk fairly far down the food chain doesn’t look good, no matter whose ear he or she may have.

 

How Geeky Should a CISO Be?

August 26, 2014 2 comments

Michael Daniel, the current White House cybersecurity coordinator, recently admitted to lacking technical know-how; i.e. he can’t code and doesn’t feel the need to learn to do so. Those who have the technical expertise and think it’s important have lit up the Internet with their cries, making it clear that they do not approve.

Does it matter that Michael Daniel can’t code? Read More…michael daniel

GRC is not about Risk or Compliance

In my earlier post, “Security is Not the Point,” I explained why to most people security is an annoying layer of cost and inconvenience. I said that no one wants security, they want the benefits of security. But if security is not the point, what is?

The last time you had to do some tedious paperwork, you were no doubt muttering under your breath that you’d rather be doing the actual project and not filling out forms and writing a report. We are all like that. Documenting tasks and processes is not fun.

Compliance is like that, too. It is considered the necessary evil, the tedious paperwork required by “the powers-that-be” to meet some basic level of due care. Compliance requirements define the “minimums” for demonstrating that the business is being run responsibly.

However, compliance has a more attractive cousin. Read more HERE.

Services-sized2

Convincing the skeptical CIO to support security

I have a new client, a billion-dollar service company, whose CIO is going to test my skills. He is suspicious about security and risk management, and questions everything. I should be happy, but I’m not. I should be happy because his questions mean he’s engaged – antagonistic is better than apathetic I always say. He’s willing to hear my arguments about the value security brings to the business, but he’s stubborn. How am I going to win him over?  READ my answer HERE.

Categories: Uncategorized

Prioritizing is the Key to Defending against Advanced Threats

IT GovernanceHere are some helpful tips for the security manager who wants the right governance in light of advanced threats.

Most organizations have struggled for years with just cleaning and prioritizing security alerts generated from numerous point products. The value proposition for SIEM products was couched in terms of correlation and prioritization, but SIEM has only succeeded in checking a compliance box without addressing the problem of advanced persistent threats. Stopping targeted attacks in the shortest time possible is now the top priority for advanced security solutions. Read the tips HERE

 

Categories: Uncategorized
Follow

Get every new post delivered to your Inbox.