It was recently revealed that the personal data of 20 million South Koreans (40% of the country’s population) was stolen by a contract worker at the Korea Credit Bureau, toppling consumer trust in Korean credit card companies. The theft was carried out by an insider over a period of time and begs the question: How could such an incident go unnoticed? We have found that breaches such as this are usually due to:
Poor system controls for privileged users. Privileged users often have more access than they really need to do their job. By definition, these users need broad access rights, but “broad” shouldn’t imply “unlimited.”
January 28th was the anniversary of the Space Shuttle Challenger disaster. The Rogers Commission detailed the official account of the disaster, laying bare all of the failures that lead to the loss of a shuttle and its crew. Officially known as The Report of the Presidential Commission on the Space Shuttle Challenger Accident - The Tragedy of Mission 51, the report is five volumes long and covers every possible angle starting with how NASA chose its vendor, to the psychological traps that plagued the decision making that lead to that fateful morning. There are many lessons to be learned in those five volumes and now, I am going to share the ones that made a great impact on my approach to risk management. The first is the lesson of overconfidence.
In the late 1970’s, NASA was assessing the likelihood and risk associated with the catastrophic loss of their new, reusable, orbiter. NASA commissioned a study where research showed that based on NASA’s prior launches there was the chance for a catastrophic failure approximately once every 24 launches. NASA, who was planning on using several shuttles with payloads to help pay for the program, decided that the number was too conservative. They then asked the United States Air Force (USAF) to re-perform the study. The USAF concluded that the likelihood was once every 52 launches.
In the end, NASA believed that because of the lessons they learned since the moon missions and the advances in technology, the true likelihood of an event was 1 in 100,000 launches. Think about that; it would be over 4100 years before there would be a catastrophic event. In the end, Challenger flew 10 missions before it’s catastrophic event and Colombia flew 28 missions before its catastrophic event, during reentry, after the loss of heat tiles during take off. During the life of a program that lasted 30 years, they lost two of five shuttles.
Indian firms have become cognizant of the fact that they have entered the age of the customer — an era in which they must systematically understand and serve increasingly powerful customers. These firms are leveraging mobility to empower their employees to win, serve, and retain customers. For example, the Tab Banking initiative by ICICI Bank uses tablets to enable sales representatives to visit customers to give them the convenience of opening bank accounts without leaving their home or office. However, since consumer mobile technologies have entered the enterprise, the management of mobile device platforms has become more complex; enterprises have started realizing that security controls should be around the apps and the data and not the device. In India, mobile application management (MAM) has leapfrogged other strategic telecom and mobility priorities in 2014 (see the figure).
The importance of supporting a workforce that wants (and has come to expect) to work anywhere, anytime, and on any device has necessitated a paradigm shift in security and risk (S&R) mitigation approaches and techniques. S&R professionals must therefore implement a security program that centers on mobile applications. This is because:
We are now less than two weeks away from our annual sojourn to the RSA security conference. RSAC is a great time for learning, meeting and making friends. (Please hold cynical remarks; RSAC is what you make of it.) As the date grows near and my excitement grows, I am preparing my mind and patience for the ubiquitous silver bullet marketing that is predestined to appear.
One of these silver bullets will be the term "actionable intelligence." You will be surrounded by actionable intelligence. You will bask in the glory of actionable intelligence. In fact, the Moscone expo floor will have so much actionable intelligence per capita you will leave the conference feeling like the threat landscape challenge has been solved. Achievement unlocked, check that off the list. Woot!
Well not so fast. I frequently talk to vendors that espouse the greatness of their actionable intelligence. Whenever I hear the term actionable intelligence I want to introduce them to Terry Tate, Office Linebacker. Terry Tate first appeared in a 2003 Reebok Super Bowl commercial.
Security is the No. 1 impediment to Cloud Service adoption. Forrester’s research has shown this over the last three years. Cloud Service Providers (CSPs) are responding to this issue. AWS has built an impressive catalog of security controls as a part of the company’s IaaS/PaaS offerings. If you are currently or considering using AWS as a CSP you should check out the following new research.