Upcoming ISACA Webinar on Social Engineering

Organizations battle daily with social engineering-based cyberattacks and unfortunately often find themselves on the losing side. What can be done? To determine this we need to step back from our technological tools and start with the psychological basis of why social engineering works and why it is a tactic of choice for cyber attackers. Armed with that knowledge, organizations can begin to mount a more effective defense.

I’ll be discussing the above during an ISACA webinar on February 23, 2016.  See this link for more info and to register.


Some thoughts on the start of National Cyber Security Awareness Month

The famous bank robber Willie Sutton, when asked why he robbed banks, reportedly stated “because that’s where the money is.”  Today, if you ask cyber criminals why they hack into businesses, they could just as honestly answer “because that’s where the money is.”  Today it may not be cash walking out the door but credit card numbers, intellectual property, and fund transfer authorizations leaving over the network.  Unfortunately, many businesses are coming to the realization that they haven’t identified their critical information; they don’t know where their information assets are most vulnerable, how best to protect them, or how to detect and respond to attacks to limit losses.  Symantec’s 2015 Internet Security Threat Report reported that 60% of targeted attacks strike small and medium businesses due to their less robust security architecture.  Of those small businesses that are subjected to a cyber attack, greater than 50% will close within 6 months of the attack.  Large businesses should take note as well, because many of these small and medium sized business attacks were used as stepping stones to attack large businesses through trusted network connections.  Clearly there is much more we need to do, and October is a great time to get more involved in making those around you aware of cybersecurity needs.

National Cyber Security Awareness Month began in October 2004, growing out of the awareness efforts of the National Cyber Security Alliance, working in conjunction with industry and Government partners. 2015 marks the 12th year that Cyber Security Awareness programs have been conducted across the United States during the month of October.  The National Cyber Security Alliance and several partners have a large collection of information you can use at the individual and business level.  Take a look and get involved.  Here are two great places to start: www.dhs.gov/stopthinkconnect-toolkit & www.staysafeonline.org



October is National Cyber Security Awareness Month

If you were waiting for a reason to start, or breathe some new life into, your organization’s cybersecurity awareness program, this is for you.

Recognizing the importance of cybersecurity, October has been designated as National Cyber Security Awareness Month (NCSAM). It was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.

Since its inception in 2003, under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance, NCSAM has grown exponentially, reaching consumers, small and medium-sized businesses, corporations, educational institutions and young people across the nation.

Consider these facts from the National Cyber Security Alliance:

  • Over the last 12 months, hackers have exposed the personal information of 110 million Americans (roughly half of the nation’s adults)
  • 9 out of 10 adults feel consumers have lost control over how personal information is collected and used by companies
  • 6 out of 10 Americans “would like to do more” to protect their personal information online

The Better Business Bureau is participating in NCSAM in an effort to do its part to make the Internet safer for everyone in our community by offering a free program to help both consumers and businesses learn the risks, how to spot potential problems, and how our online actions impact our safety. It will be held at UNO’s College of Business – Mammel Hall in the Marvin & Virginia Schmid Auditorium, 6708 Pine Street, Omaha NE on Thursday, October 1st from 8:00 am – 10:00 am. Included is a continental breakfast from 8:00 am – 8:15 am.

This event will feature presentations by Steven Baker, director, Midwest Region, Federal Trade Commission; Kristin Judge, director, Special Projects, National Cyber Security Alliance; and Ken Schmutz, supervisor, Omaha FBI Cyber Security Task Force.  A panel discussion and questions from the audience will follow their individual presentations.  I’ll be moderating the program and am very much looking forward to the opportunity to hear what these experts have to share.

Space is limited and registration is required. To make reservations, please go to bbbinc.org and click on the “Cyber Security” image. For more information, call 402-898-8550 or 800-649-6714 #8550.

Keys to Risk Management for the Executive at ISACA CSX Conference

When you think about it, sometimes our attention gets locked on our risk assessment programs and we neglect our more fundamental risk management activities.  Focus is typically good, but in this case overlooking, or rushing through, some initial aspects of risk framing can negatively impact the very same risk assessments you are attempting to focus on.  Three areas are especially important:

  • Incorporating cyber risk into your overall risk management program
  • Ensuring you focus your program on the correct assets
  • Implementing a balanced set of security controls

I’m going to be talking about this issue at the upcoming ISACA CSX Conference in October.  ISACA has published my introductory thoughts on their ISACA Now Blog.


Omaha AFCEA Luncheon

Speaking at the AFCEA luncheon at Offutt AFB tomorrow.  Will be discussing framing risk.  I think this step is often overlooked entirely or rushed through, to the detriment of an organization’s cybersecurity program’s effectiveness.


Addressing Risk: Can you really transfer 100% of your risk?

I was recently reviewing some risk mitigation plans with an organization and I was told I could close a particular item for which we had been tracking progress for quite some time.  This particular item was going to require some management and technical controls implemented for closure, so I was encouraged that so much progress had been made.  When I asked for the details of the mitigation I was told the function had been outsourced to a third party, so the risk for that particular function had likewise been transferred.  No residual risk remained.  But was that true?

When we look at actions to address risk, they can be placed into one of four categories: accept, avoid, mitigate, and transfer.  Let’s review these briefly before we return to the scenario above.

Accept the risk.  This is a common way to address risk: just accept it and move on.  Is it an appropriate action to take?  It could be.  If your risk analysis determined that the potential loss magnitude and probability of occurrence are inside your organization’s risk tolerance, then the appropriate action is to accept the risk and move on.  Perhaps your organization is willing to absorb a loss of $30,000 per year in this area.  Your analysis determined that this particular risk could result in no more than $20,000 of loss in any single year.  In other words, it carries an annualized loss expectancy (ALE) of $20,000.  That’s less than the $30,000 your organization is willing to absorb, so the proper action is to accept the risk.  This example is greatly simplified (if only things were this straightforward), but you get the idea.

Avoid the risk.  This is a methodology that you may not be as familiar with, or at least have not considered as a way to address risk.  Put simply, if a particular activity carries too much risk, stop doing the activity.  For example, if your analysis shows that allowing your employees to access your company network from home carries too much risk, you could stop remote access for your workforce.  This is perhaps an extreme example for which there are other options for addressing the outstanding risk, but you get the point.  As with all options to address risk, and especially this one, you need to ensure your risk treatment plan aligns with your business objectives.  If one of your business objectives is to increase workforce efficiency by extending information system accessibility, then avoidance may not be the preferred option here.

Mitigate the risk.  Mitigation is the risk treatment most of us think of first: what do I need to do to “fix” the problem that is leading to the unacceptable risk?  Most focus on a technical solution, and many vendors are happy to sell you one.  But a mitigating action is anything that can be done to lower the resultant risk.  In addition to patching a vulnerability, can you decrease your exposure to the threat or perhaps limit the potential loss?  There are many opportunities in this area.

Transfer the risk.  The idea here is simple: have another entity assume your risk.  The example most people can readily identify with is automobile insurance.  You satisfy certain requirements of your insurer, such as paying a premium and operating your vehicle within the law, and in return they promise to pay for some level of repairs if your car is in an accident.  In a business, the risk transference could occur through services you outsource or even through the execution of a cyber insurance policy.  But notice, I earlier said the other entity must assume your risk.  Too often I’m told an organization has transferred its risk for a particular operation, let’s say web hosting, to an outside provider, so they have transferred all associated risk to that provider as well.  This is about the time alarm bells start to go off in my head and I begin to ask some probing questions.  For example, does the organization’s contract or service level agreement with the web hosting service state the host’s responsibility in the case of a data breach impacting customer data?  If not, then the business may still be responsible for any and all actions and losses resulting from the breach.  These are the types of questions you need to ask when determining how much risk you have actually transferred to another party.  Finally, keep in mind that it is very difficult to outsource the risk to your company’s reputation.  It is a very hard sell telling your customers it is not your fault their personal information was stolen but the fault of the vendor you selected to manage their data.  You can probably guess some of the what-if exercises I ran with the organization in my opening paragraph.

The truth of the matter is that none of these risk treatments typically exist in isolation.  To address a single risk you may combine two or more of the above activities.  You may patch some vulnerabilities (mitigation), bringing your risk down to a level where a cyber insurance policy is able to cover all the remaining potential loss (transference) except for a portion, your deductible, which is within your risk tolerance level (acceptance).  It’s through this blending of methods that your IT risk program can best address your business objectives.

Over the next several weeks I want to spend a bit of time revisiting each of the above methodologies and provide you a few nuggets to think about as you develop or improve your organization’s cyber risk management program.  But before we can look further at methods to address risk, we first need to take a step back.
Next: A deeper look at framing your risk…

ISACA CSX Presentation

I’ll be presenting at the ISACA CSX Conference in October.  Will be discussing some suggestions for actions executives can take to make their cyber risk program better integrated and more effective.  We often focus on how to better patch vulnerabilities and do assessments, but we often overlook gaps in the risk management function itself.

Great Plains Contingency Planners Panel Discussion

I had the opportunity today to sit on a cybersecurity panel discussion at the 2015 Great Plains Contingency Planners Seminar and Vendor Expo.  Lots of great questions from the audience, especially related to social engineering threats.  I would recommend everyone take a look at their cyber awareness program.  A few key thoughts:

  • Has your organization determined what it considers critical information that needs to be restricted from non-employees?  This could be intellectual property, it could be which vendors you utilize, it could be what days you run patches on your IT, or the web address for your remote VPN access.  Once this information is determined, your workforce needs to be informed not to share it directly with an outsider or post it on social media.
  • Do you conduct training to teach employees how to recognize and respond to phishing emails?  This could be conducted by your internal IT team or by vendors specializing in providing this service.  A variety of tactics, frequency of events (monthly or quarterly), and feedback are crucial to success.
  • Establish a process for employees to report questionable activities.  It may alert your security staff to initial attempts to hack into your network.