By now, most of the world has heard about the alarm pertaining to a zombie alert in Lake Worth, Florida. Do we think that zombies were getting their day in the sun, or could it possibly be that whoever was responsible for writing the power alert application (or for testing it) was in some sort of zombie state at the time?
Neighbors, babysitters, handymen, even family members; your backyard, upstairs deck, even your own front door…
Statistics show the vast majority of burglaries and theft, especially identity theft, are perpetrated by a household acquaintance or family member. The US Department of Justice says that “Offenders were known to their victims in 65% of violent burglaries; offenders were strangers in 28%.” Similarly, any Google search yields countless articles listing front doors, backyards, and ground floor windows as the most common points of entry for burglars.
In Part One of my blog series aimed at breaking down each section of Online’s security policy, we looked at some general best practices surrounding the development of a security policy. This included answering the question of “why develop a security policy?” and went into detail about developing the scope of content contained within. Part Two analyzed the organizational roles and responsibilities needed to implement an effective security policy. Now let’s take a look at how Electronic Communication plays into an effective policy.
In Part One of my blog series aimed at breaking down each section of Online’s security policy, we looked at some general best practices surrounding the development of a security policy. This included answering the question of “why develop a security policy?” and went into detail about developing the scope of content contained within. Now let’s take a look at the roles needed to implement an effective policy.
The intercom at the airport speaks the truth as it periodically repeats the mantra “Security is Everyone’s Responsibility”. If security is everyone’s responsibility, then even the best-written security policy is nearly worthless if it doesn’t include a section pertaining to roles and responsibilities.
Earlier this week a new spambot emerged, targeting no less than 711 million email addresses. Basically, the spambot delivers malware called Ursnif into the victim's inbox and is capable of stealing personal information such as login details, passwords, and credit card data.
The name of this spambot, “onliner”, is a touch disappointing, a bit ironic, and of course has no relation to us whatsoever. At Online, our team (our employees) are known as Onliners.
The PCI Security Standards Council sent out a communication to all Qualified Security Assessors (QSAs) this past week saying they are raising the number of industry certification requirements for QSAs from one certification to two (effective 2019). While I have been in strong favor of almost everything that the council has done to evolve the PCI standard and program, I have concerns with this change for QSAs and what it will mean to our clients.
Online infuses the right amount of security into everything we do – I like to refer to this approach as our “special sauce.” Security is not just important to our Risk, Security, and Privacy (RSP) practice (which lives, breathes, eats, and sleeps security), it’s important to our entire company. We have built security into our development processes, our service management practice, our customer/digital experience offerings, our Internet of Things (IoT) offerings, and our cloud-based (AAS) service offerings.
In the course of performing hundreds of risk and PCI assessments, we occasionally come across a client who is running an obsolete version of a system, application, or device. Normally, when a system has reached “end-of-life,” it is no longer supported. On the surface, this would appear to be a security risk and also a violation of PCI DSS requirement 6.1: “Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.” Organizations must determine the ideal strategy to address risk associated with using obsolete systems/applications. Short of replacing/upgrading the offending system, there may be more creative means to offset this risk.
Someone once asked Willie Sutton why he robbed banks, to which he responded, “that’s where the money is.” With the increased sophistication and ease of ‘scalable exploitivity,’ ransomware is not only here to stay, but it will continue to become the most pervasive threat to our systems, networks, and data. The latest WannaCry ransomware that hit thousands of computers last week was the perfect storm, formed by taking advantage of a known vulnerability and combining it with human fallibility, which made it wildly successful and most likely yielded a bankload of money for the attackers.
As Virtual CISO and Security Trusted Advisor to many of our clients, we are often asked “what framework would you use to perform a security assessment?” Since this question is asked so often, we wanted to provide a primer to help you select the right security assessment framework or standards. Keep in mind, there is no ‘one-size-fits-all’ answer, and it is highly possible that you need to use more than just one framework in order to get a complete picture. The reality is that the answer to the question will also change with time as the nature of your business continues to evolve, along with the business, regulatory, and risk landscapes.