Author Archives: Hilary Tuttle

About Hilary Tuttle

Hilary Tuttle is the managing editor of the Risk Management Monitor and Risk Management magazine.
Want to scan your crypto wallet for risks? Check: AML crypto BTC, USDT, ETH. Checking cryptocurrency wallets for dirty money.

Top Obama Administration Officials, Law Enforcement Reach Out at RSA Conference

Posted on by
loretta lynch at RSA

Attorney General Loretta Lynch addresses RSA Conference 2016

SAN FRANCISCO—Many of the Obama administration’s top brass are here in force, addressing some 40,000 practitioners from every part of the technology and information security industry at the annual RSA Conference. Set against the backdrop of the ongoing fight over between Apple and the FBI encryption and backdoors, the tension ebbed and flowed during sessions with Attorney General Loretta Lynch, Secretary of Defense Ashton Carter, and Admiral Mike Rogers, U.S. Navy Commander, U.S. Cyber Command, and director of the NSA. While many speakers will not address the issue directly, the subtext is clear throughout the show, particularly as the public battle brings considerable interest to the privacy and security issues the RSA has centered on for 25 years.

Indeed, in his keynote address, RSA President Amit Yoran called law enforcement’s current stance on encryption “so misguided as to boggle the mind.” Brad Smith, president and chief legal officer of Microsoft, chimed in as well, asserting that we cannot keep people safe in the real world unless we can keep them safe in the virtual world. He lauded Apple and pledged that the tech giant would stand with Apple in its resistance.

Ash Carter at RSA

Secretary of Defense Ashton Carter in Conversation with Ted Schlein of Kleiner Perkins at RSA

While the gravity of the issue and the massive potential impact for many in the sector are boggling many minds here, the administration officials’ sessions also offered more broadly positive comments for businesses outside the tech sector. The conciliatory tone Lynch and Carter often struck centered on the critical need for partnerships between technology and government. They tried to emphasize the ways the administration is reaching out to private entities, both within Silicon Valley and across corporate America at large.

According to Sec. Carter, for example, the United States Cyber Command has three core missions: defending the Department of Defense’s network; helping American companies, the economy and critical infrastructure; and engaging in offensive cyber missions. The second is a key pillar, he said, as the DoD must keep in perspective that the strength of American entities is the strength of the nation. From threat intelligence to the Defense Innovation Unit Experimental he announced yesterday, to be helmed by Google’s Eric Schmidt, Carter believes there is considerable need for industry to engage with government on cyberrisk, and both parties have valuable assets to contribute. “Data security is a necessity, and we must help our companies harden themselves,” Carter said. Indeed, he wants both help for and from the industry. In closing, he said, “We are you. You pay us. We represent you and our job is to protect you, and we’d love to have your help.”

He also noted that the DoD is trying to learn a bit about managing its cyberrisk from the commercial sector’s best practices. “We do grade ourselves and we’re not getting good grades across the enterprise,” Carter told reporters Wednesday, according to Defense News. “I have these meetings where I call everyone in and we have these metrics which tell us how we’re doing [and] if you don’t score well, that is evident to the Secretary of Defense at those meetings.

“We don’t assume for a minute that we’re doing a perfect job at this,” he added. “That’s the whole reason for me to be here and the whole reason for me to be engaging with this community here at this conference.”

Carter also announced that the Department of Defense will be hosting “Hack the Pentagon,” a bug bounty program offering white hat hackers cash for finding and reporting vulnerabilities in the Pentagon’s websites. Many companies have been offering these programs to try to discover their exposure in a controlled setting, without the risk of reputation damage, personal information exposure and business interruption that accompany an unknown hacker finding them instead. Carter called these a “business best practice” to gauge preparedness.

Federal law enforcement also has a notable presence at RSA and is making a pronounced effort to reach out to businesses regarding cyberrisk, threat intelligence, and managing a cyberattack. Indeed, in one session Tuesday, panelists from the Department of Homeland Security, FBI and the White House urged a call to action for businesses to get serious about proactively building bridges with law enforcement and to make use of the many resources the administration is trying to activate to help private industry fortify against cyber threats. The government is working to make it easier for companies to turn to it for help, they said, and attitudes are shifting to more consistently recognize and respect victimized businesses and minimize business interruption.

Some in the audience expressed skepticism, such as one man who seized upon the Q&A portion of a session on government departments’ specific roles in fighting cyber criminals. He asked how the government can be trusted to help industry when it cannot protect itself. But corporate entities should be taking note, particularly of the services available. While many hesitate to share threat intelligence or even successful attacks, Eric Sporre, deputy assistant director of the FBI’s cyber division, stressed that FBI Director James Comey has made it a directive for FBI field offices to develop relationships with local businesses and to treat businesses as crime victims, not perpetrators. In responding to attacks, he noted, the Bureau sometimes even brings in victim services to holistically approach aiding in the investigation and recovery process.

Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, also highlighted the preventative measures his department offers companies, including personal risk assessment services. In some cases, chief information security officers and other executives engaged in cyberrisk management functions have been getting DHS assessments, using them as a tool to drive investment or otherwise sell cyber upwards with the board or C-suite of their organizations.

Boards Are Failing at Cyber, New Report Finds

Posted on by

SAN FRANCISCO—Information security executives are telling boards what they want to hear, not what they need to hear, and boards are frequently not asking the right questions or understanding the responses, according to a report released today by Bay Dynamics at the RSA Conference.

“The report reveals that both the board and security professionals are not doing their jobs when it comes to security reporting,” said Feris Rifai, co-founder and CEO at Bay Dynamics. “The board isn’t holding IT and security executives accountable for providing accurate, traceable and actionable information and security executives are failing to report information that is accurate, traceable and actionable. Both parties must do better if they want to make the right decisions that minimize their cyberrisk”.

While the majority surveyed say they know what to present to the board, only two in five IT and security executives feel that the information they provide to the board is actionable, and even fewer believe they are getting the help they need from the board to address cyber security threats. This may be in part because of the ongoing struggle to fully understand and measure cyberrisk exposure and the costs of failure.

buy doxycycline online familyvoicesal.org/resources/images/jpg/doxycycline.html no prescription pharmacy

Just over half of boards expressed a strong preference for qualitative information, while 38% have a preference for quantitative data. To truly make appropriate decisions, however, the board must focus more on quantitative information in context, meaning qualitative information must be wrapped around quantitative information, the report explained.

Regardless of what information they provide, only a third of IT and security executives believe the board understands the information they are given about cyber threats. In turn, only 39% think they are getting the support they need from the board to address threats. Some other major issues these executives identified in their reporting included:

cyberrisk information reported to board

While 36% of boards want recommendations for additional spending and 34% want recommendations to reduce cybersecurity spending, boards are getting little data about the specifics of information security investments. The most common type of information reported about cybersecurity issues is known vulnerabilities within the organizational systems, followed by recommendations about cybersecurity program improvements and specific details on data loss incidents, Bay reported, while information about the cost of cybersecurity programs and details about expenditures on specific projects or controls are not as commonly reported.

cyberrisk information reported to board

Reporting is also relatively infrequent for such a rapidly evolving high-risk exposure, with most executives only presenting to the board quarterly, and 18% even less frequently.

reporting frequency

Looking forward, Bay Dynamics had the following suggestions for how both boards and IT and security executives can improve:

Issues the board must address:

  • The board is not doing its job when it comes to effectively managing cyberrisk.
  • Boards of directors must hold IT and security executives accountable for providing accurate, actionable information about their cyberrisk to help the board make effective decisions about their cybersecurity programs.
    buy mobic online familyvoicesal.org/resources/images/jpg/mobic.html no prescription pharmacy

    Boards cannot make decisions about what they consider acceptable risk if they don’t have actionable information.

    buy tenormin online familyvoicesal.org/resources/images/jpg/tenormin.html no prescription pharmacy

  • Boards must demand actionable information from IT and security executives about their cyberrisk since the board is responsible for the company’s risk appetite. Strengthening their cyberrisk program begins with the board.

Issues IT and security executives must address:

  • IT and security executives must communicate to their boards more effectively and more completely using quantitative and qualitative information. They should communicate the value of data at risk using numbers that explain what it is and how to take action to protect it.
  • Given that board members in many organizations are typically less technical than the IT and security executives reporting to them, the latter must contextualize the information in order to make it both understandable and actionable.

65% of Businesses Unprepared For Email-Based Cyber Threats

Posted on by

In a recent threat report, cloud email management company Mimecast warned they had seen a 55% increase in whaling attacks over the past three months. As we reported in this month’s Risk Management cover story “The Devil in the Details,” social engineering fraud schemes like whaling (which is phishing that targets higher-profile employees and executives) resulted in a total losses of more than $1.2 billion worldwide between October 2013 to August 2015. According to the Mimecast Business Email Threat Report 2016, released yesterday, IT security professionals clearly recognize the risk, with 64% of respondents in the new saying they see email as a major cybersecurity threat to their business. Yet only 35% feel confident about their level of preparedness against data breaches, while 65% feel ill-equipped or too out of date to reasonably defend against the risk.

buy sinequan online youngchiropractic.com.au/wp-content/uploads/2023/10/jpg/sinequan.html no prescription pharmacy

“Our cyber-security is under attack and we depend on technology, and email in particular, in all aspects of business. So it’s very disconcerting to see that while we might appreciate the danger, many companies are still taking too few measures to defend themselves against email-based threats in particular,” said Peter Bauer, chief executive officer of Mimecast. “As the cyber threat becomes more grave, email attacks will only become more common and more damaging. It’s essential that executives, the C-suite in particular, realize that they may not be as safe as they think and take action. Our research shows there is work still to be done to be safe and we can learn a lot from the experience of those that have learnt the hard way.”

Even the most secure companies feel the most at risk of these scams. Of the top 20% of organizations that feel most secure, 250% are more likely to see email as their biggest vulnerability. Those who feel most confident about guarding against the risk are 2.7 times more likely to have a C-suite that is extremely or very engaged in email security. Among the IT security managers who feel most prepared, five out of six say that their C-suite is engaged with email security, Mimecast reports. However, of all IT security managers who were polled, only 15% say their C-suite is extremely engaged in email security, while 44% say their C-suite is only somewhat engaged, not very engaged, or not engaged at all.

The firm also had some insight on best budgeting against the risks of phishing. Those who feel better prepared to handle email-based threats also allocate higher percentages of their IT security budgets toward email security, the firm found, with these IT security managers allocating 50% more of their budgets to email security compared to managers who were less confident in their readiness. Mimecast found 10.4% of the total IT budget toward email security is the ideal intersection between email security confidence and spend.

To reduce the threat of whaling, Mimecast recommends that companies:

  • Educate your senior management, key staff members and finance teams on this specific type of attack. Don’t include whaling in a general spear-phishing awareness campaign—single out this style of attack for special attention to ensure key staff remain vigilant.
    buy biaxin online youngchiropractic.com.au/wp-content/uploads/2023/10/jpg/biaxin.html no prescription pharmacy

  • Carry out tests within your own business. Build your own whaling attack as an exercise to see how vulnerable your staff are.
  • Use technology where possible. Consider an inbound email stationery that marks and alerts readers of emails that have originated outside of the corporate network.
  • Consider subscribing to domain name registration alerting services so you are alerted when domains are created that closely resemble your corporate domain.
    buy bactrim online youngchiropractic.com.au/wp-content/uploads/2023/10/jpg/bactrim.html no prescription pharmacy

    Consider registering all available TLDs for your domain, although with the emergence of generic TLDs (gTLD) this may not be scalable.

  • Review your finance team’s procedures; consider revising how payments to external third parties are authorized. Require more than single sign-off, or perhaps use voice or biometric approval only with the requestor to ensure validity of the request.

Check out the infographic below for more on business email threats:

mimecast business email threats

Gaining Cyber Confidence With a CISO

Posted on by

Businesses aren’t the only ones struggling to ramp up budget allocations to fortify against cyberrisk.

buy proscar online azimsolutions.com/wp-content/uploads/2023/10/jpg/proscar.html no prescription pharmacy

In his new $4.1 trillion budget proposal, President Obama has asked for billion for cybersecurity efforts, a 35% increase from last year.

buy ivermectin online azimsolutions.com/wp-content/uploads/2023/10/jpg/ivermectin.html no prescription pharmacy

The president directed his administration to “implement a Cybersecurity National Action Plan (CNAP) that takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.” In addition to a cybersecurity awareness campaign targeting both consumers and businesses, the plan calls for government-wide risk assessments, a nation-wide push for a range of better consumer data security measures, and a range of initiatives to attract more and better cybersecurity personnel. Some of these new employees will offer cybersecurity training to more than 1.4 million small businesses, and the Department of Homeland Security is expected to double the number of cybersecurity advisors available to assist private sector organizations with risk assessments and the implementation of best practices.

Obama’s plan also takes a page from the private sector, creating the position of Federal Chief Information Security Officer to drive cybersecurity policy, planning and implementation across the federal government.

Many organizations have begun to see concrete value from adding CISOs to the C-suite. According to a recent study from ThreatTrack Security, companies with a CISO are more confident about the technology they use to combat malware (83% versus 63% at organizations without one). This is particularly notable as only 20% of those surveyed said their defenses against hackers have improved in the past year—about half of those who said the same in 2013.

“Perhaps CISOs have a better handle on what solutions to implement or are better equipped and positioned in the organization to ensure their team has the solutions they need to defend the organization,” the report said.

Organizations with a CISO also feel more confident about their ability to address cyberrisk. When asked if they felt able to personally guarantee the security of customers’ data, 71% of respondents from companies with a CISO said yes, while only 29% could say the same without someone in this role. CISOs are also making a huge impact on breach preparation and incident response. When it comes to having an incident response team or security operations center to identify and respond to cyberattacks, 94% of respondents at organizations with a CISO had these resources in place, compared to just 49% without one. Concerningly, however, the overall number was 80%, 6% lower than in 2013.

buy zestril online azimsolutions.com/wp-content/uploads/2023/10/jpg/zestril.html no prescription pharmacy

When asked how defending their organization against cyberthreats had changed over the last year, 45% of respondents said nothing had changed, while 35% recognized that it has gotten harder to fight cyberrisks.

ThreatTrack Security found CISOs have also boosted corporate compliance with regard to cybercrime, with only 11% of companies failing to report breaches to customers, partners or other stakeholders, compared to 57% in 2013.