Enterprise Risk Management For IT Security

Chris McClean

A few weeks ago, Stephanie Balaouras and I posted a podcast on a topic that has been a high priority for many of our customers — how to apply risk management techniques to IT security. We know that many of you are feeling the pressure to take the lead in IT risk management and in some cases even play a role in initiating risk management at the corporate level.

The key to success is understanding the core elements of risk management and how to plug them into existing processes without creating simply another layer of overhead. A major theme of my recent research has been on existing risk management standards and how they are being applied to IT Security and Risk functions. For example, the ISO 31000 risk management standard outlines a five-step process for formalized risk management. My January report, Introducing ERM To IT Security And Risk, provides a summary of the standard, and I will be expanding upon the next steps in my upcoming research documents. In addition, look out for my next doc on Regulatory Intelligence, to be published in the next few months.

In the meantime, I encourage you to listen to this podcast to hear about best practices and lessons learned from clients who have gone through these steps. And as always, I welcome any questions or feedback.

Don't Sign Here Please

John Kindervag

Visa just announced the expansion of their No Signature program. Citing its "popularity", Visa notes that: "According to a Visa Inc. survey, 69 percent of participants surveyed cited either convenience or speed as the primary reason for using their credit or debit card." Wow.

What this seems to signal is that Visa, and perhaps the other card brands, feel that they will make more money by eliminating barriers to the sale, such as the 2.2 seconds needed to sign your name, than they would lose in fraudulent transactions, considering this program is for transactions of US$25 or less. Also, it appears that people no longer know how to sign their names.

I have often heard (in low, barely audible whispers) that US consumers were too lazy to care about security, which is why the US will probably never have Chip and PIN transactions for enhanced credit card authentication. We Americans are too darn busy to push 4 numbers on a keypad (4.3 seconds). This drives folks in the other parts of the world crazy as they are in love with Chip and PIN and, mistakenly, think that this technology eliminates all transaction risk. Chip and PIN cards still have a mag stripe that can be scanned, and skimming is still a problem. It's a great authentication method, however, and would really help reduce some of the smaller, card-present CC frauds were we to adopt it.

Americans need more paranoia about credit card theft. We are much more likely to suffer some type of credit card fraud or be affected by a major credit card breach than a terrorist attack, but for some reason we are unwilling to punch in a few numbers to help protect ourselves.

MiFi Pwned!

John Kindervag

Wireless hacking guru Josh Wright has just announced that he has created havoc with a MiFi personal access point. MiFi is a little device that turns 3G wireless signals into WiFi. The cool thing is that the wireless signal can be shared with other nearby computers. According to Josh, he has found a way that, "An attacker can recover the default password from any MiFi device." This is big news because anyone who is involved with wireless ne

Hacking the In-Human Drone

John Kindervag

A while back, I blogged on how researchers have developed tools to intercept streaming video from video conferencing systems and IP surveillance cameras. Today I feel so prescient with the Wall Street Journal's article on how Iraqi insurgents are using similar software to intercept the video feed of Predator Drones.

The article has the catchy subtitle "$26 Software Is Used to Breach Key Weapons in Iraq; Iranian Backing Suspected." It discusses how the insurgents are using the software to intercept the Drone's unencrypted video stream, "potentially providing them with information they need to evade or monitor U.S. military operations."

According to the article, the military has been aware that this type of attack was possible for some time: "The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said."

Let's hope that the Pentagon has learned what happens when you ass-u-me things...

Hathaway resigns … another one bites the dust

Khalid Kark

Hathaway joins a distinguished group of highly respected and accomplished people who have quit the position of Cybersecurity Czar. She wasn’t even the actual Cybersecurity Czar, she was just the acting one, but it appears even that was too much to take for her. She cited personal reasons for resigning, but media reports suggest a more plausible reason for resigning: frustration at “spinning her wheels” and not being able to accomplish anything. Sounds familiar, doesn’t it? Whether you are a Cybersecurity Czar or a CISO, the challenges for this position are very similar.

Is IT Risk Management Compatible With ERM?

Chris McClean

Every month or so, news events (attacks on government sites, massive privacy breaches, etc.) provide a ‘wake-up call’, a proof point used by vendors and practitioners alike that protecting our national and corporate information assets has never been more critical. On occasion we even see these incidents yield promises of action, for example the anticipated appointment of a US Cybersecurity Czar, which my colleague Khalid Kark discusses here.

But in spite of these warnings, my conversations with enterprise risk and IT risk professionals still reveal many disconnects, including that IT risks are not measured consistently with other enterprise risks. In addition, many IT risk professionals do not see their biggest risks showing up on the corporate risk register.

Cybersecurity Czar – Where art Thou?

Khalid Kark

Bill Brenner at CSO recently wrote an interesting piece highlighting the urgency of having a cybersecurity leader. Although I do not agree with him that the simple DDoS attacks on government websites could have been prevented by having a Cybersecurity Czar, I do agree with him that we need a cybersecurity leader – now!

We all rejoiced when President Obama ordered a 60 day cybersecurity review shortly after taking office. We were all excited when, on May 29th, a report summarizing the findings of the cybersecurity review was released and the president declared cybersecurity as a national security priority for his administration, and a personal goal for him.

What would you do if you knew your network only had a week to live?

John Kindervag

Blue Coat: Creating An Economic Advantage For Users In 2009?

John Kindervag

Last week, Blue Coat gathered analysts in New York City for its Application Delivery Network Briefing Event to showcase its newest offerings, some of which are not yet released, and give the analyst community an update on where things stand following the company’s acquisition of Packeteer, completed in June of 2008.

Long story short? The vendors’ roadmaps have merged and it seems Blue Coat is doing a solid job of integrating the visibility and deep traffic inspection messages of the PacketShaper products with its caching, optimization, and security messages. Prior to the Packeteer acquisition, while Blue Coat offered a solid secure gateway and caching story, the true level of traffic visibility and optimization it could provide was limited.

Big News for Check Point Firewall Customers

John Kindervag

Today, Check Point Software Technologies, one of the old guard in the world of information security, announced they are purchasing Nokia's security appliance business. This is welcome, if late, news to Check Point's customers who use Nokia hardware. For many years, Nokia was the de facto hardware platform for deploying Check Point firewall software. Check Point/Nokia shops have been struggling for months to decide how to respond to Nokia's announcement that they would rid themselves of this troublesome (think non cell phone) business. For customers with sometimes hundreds of Nokia appliances, the fears of potentially unsupported hardware and of a big firewall replacement project were equally disturbing.

This new agreement spawns a couple of interesting questions: