Wednesday, March 21, 2018

Facebook, Cambridge Data Compromise Should Not Surprise Consumers

Facebook is receiving bad press after consumer data was harvested by a Cambridge-based analytics firm and used for political purposes.

Frankly, this should not be news: social media outlets and free online services (email, vlogs, blogs) generate their revenue from subscribing advertisers by selling user data that is supposed to be anonymized.  These data-extraction models have even been the subject of episodes of shows like Netflix's House of Cards. 

Regardless, the sensitive data is supposed to be masked, and how well it is actually obfuscated is often a matter of debate.  Pseudonymized or aggregated records can frequently be re-identified by linking them with other data sets, which is why the word "anonymized" deserves scrutiny.

So, the question is: will the US get serious about data privacy now, and / or will consumers migrate from these services in droves?


Friday, February 23, 2018

Metrics for Risk Management & Cybersecurity

A book titled How to Measure Anything in Cybersecurity Risk articulates richer metrics than the usual impact & likelihood scoring, using calibrated estimates and Bayesian models.

However, outside of cyber insurers & actuaries, most risk management / cybersecurity functions struggle with even the simplest metrics.  That happens due to a lack of technical key risk indicators (KRIs) agreed to by the business.

While quantitative analysis can help derive budgeting priorities, most organizations are simply not mature enough to know the qualitative gaps within their enterprise. 
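To make the difference between an impact & likelihood score and a quantitative estimate concrete, here is an added illustration (not code from the book or from this post) of a Monte Carlo loss-exceedance calculation over a small risk register. Each risk is described the way a calibrated estimator would describe it: an annual probability of occurrence plus a 90% confidence interval on the loss if it does occur. The interval is mapped onto a lognormal distribution, a common choice for loss magnitudes because it is positive and right-skewed. The risk names and dollar figures are constructed sample data, and the threshold values are assumptions for the sake of the example.

```python
"""Monte Carlo annual-loss estimate for a risk register (added example).

Not the book's code: a minimal, standard-library-only sketch of the
calibrated-estimate plus simulation approach that quantitative risk
methods favour over a single impact-times-likelihood number.
"""
import math
import random
from dataclasses import dataclass

# z-score that bounds a two-sided 90% interval of a normal distribution
Z90 = 1.6448536269514722


@dataclass(frozen=True)
class Risk:
    name: str
    p_annual: float   # probability the event happens at least once in a year
    loss_lo: float    # lower bound of the 90% CI on loss, given occurrence
    loss_hi: float    # upper bound of that 90% CI


def ci_to_lognormal(lo: float, hi: float) -> tuple[float, float]:
    """Map a 90% CI [lo, hi] on a positive quantity to lognormal (mu, sigma).

    ln(lo) and ln(hi) are the 5th and 95th percentiles of the underlying
    normal, so their midpoint is mu and their spread is 2 * Z90 * sigma.
    """
    if not 0 < lo <= hi:
        raise ValueError("bounds must satisfy 0 < lo <= hi")
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(risks, trials=20000, seed=1):
    """Return one simulated total loss per trial year across all risks."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    params = [(r, *ci_to_lognormal(r.loss_lo, r.loss_hi)) for r in risks]
    totals = []
    for _ in range(trials):
        year_loss = 0.0
        for r, mu, sigma in params:
            # Bernoulli draw for "did it happen", lognormal draw for "how bad"
            if rng.random() < r.p_annual:
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def summarize(totals, thresholds):
    """Expected annual loss, a 95th-percentile year, and exceedance curve points."""
    n = len(totals)
    ordered = sorted(totals)
    return {
        "expected_annual_loss": sum(totals) / n,
        "p95_loss": ordered[int(0.95 * (n - 1))],
        # P(annual loss > t) for each threshold t; this is the loss-exceedance curve
        "exceedance": {t: sum(1 for x in totals if x > t) / n for t in thresholds},
    }


if __name__ == "__main__":
    # Constructed sample register; figures are illustrative, not real data.
    register = [
        Risk("phishing-led account takeover", 0.40, 20_000, 400_000),
        Risk("unpatched internet-facing server", 0.15, 100_000, 3_000_000),
        Risk("lost unencrypted laptop", 0.30, 5_000, 150_000),
    ]
    report = summarize(simulate_annual_loss(register), thresholds=[100_000, 1_000_000])
    print(f"expected annual loss: ${report['expected_annual_loss']:,.0f}")
    print(f"95th percentile year: ${report['p95_loss']:,.0f}")
    for t, p in report["exceedance"].items():
        print(f"P(loss > ${t:,}) = {p:.2%}")
```

The point of the exceedance curve is that it answers the budgeting question a heat map cannot: "how likely is a year worse than X, and by how much does control Y move that curve?" A KRI the business has agreed to (for example, the count of internet-facing hosts missing critical patches) then feeds the probability term rather than being reported in isolation.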

Friday, February 16, 2018

Hypervisor Replication for Virtualization Security

Vendors like Bracket Computing & Bitdefender are rolling out virtualization security solutions meant for hybrid cloud deployment to counter rootkits & CPU-level speculative-execution flaws (Spectre, Meltdown).  Note that Spectre & Meltdown are mitigated primarily by microcode, kernel & hypervisor patches; introspection from the hypervisor can at best detect or contain the payloads that exploit them.

However, comprehensive coverage / support seems limited, & you would think that the big cloud service providers (CSPs: AWS, Microsoft Azure, GCP) have already hardened their own hypervisors.

VMware's partnership w/ AWS (VMware Cloud on AWS) could pave the way for hardened hypervisors that can lift & shift between on-prem & off-prem deployments.

Wednesday, December 20, 2017

Smart Home / IoT, Threat & Vulnerability Management (TVM) & B2C Delineation for Vendors

As the smart home becomes a reality, so does the need to monitor & patch said smart home.

But who, from a vendor standpoint, will own that market / responsibility (ISPs, utilities, alarm / physical security companies, AV software vendors, retailers such as Amazon / Apple / Google / Staples / Best Buy's Geek Squad, or B2C MSSPs / SOCs)?

The answer will vary depending on the jurisdiction & the age of the house, though this wrestling match is sure to come.

So, wait & see how this shakes out, because change is coming for sure.

Thursday, October 26, 2017

Are mobile app reputation services (MARS) legit?

Should enterprises invest in mobile security solutions explicitly for scoring the trustworthiness of individual apps?

It depends on what your use cases, requirements, user base, & relevant jurisdictions are.  However, most orgs should not need a MARS solution, as MDM (mobile device management), MAM (mobile application management), & even MTD (mobile threat defense) should be able to handle most threats.

Monday, October 16, 2017

InfoSec Leadership: Initiative = Enablement

Many CISOs & senior InfoSec leaders catch heat for slowing down processes or saying no to new initiatives due to risk.  

However, when InfoSec leadership takes the initiative, embeds SMEs into other teams (at least part time), & partners with the business, then enablement will happen, because InfoSec has assisted in the design from the grassroots level.

Now, shadow IT will most certainly always be around, & projects / business lines need to be agile, but collaboration is possible through proactive engagement.

Wednesday, September 27, 2017

Equifax: Case Study in Poor Leadership

The former CISO of Equifax has been criticized for her lack of a STEM academic background, but, setting aside anyone's college major(s), the real issue here is the leadership deficiency blatantly running up and down Equifax's management team.

Wired paints a grim picture of Equifax's team and response, as the article should.  At the end of the day, no one wanted to fall on their sword, and now they all are.  Reminiscent of the movie Margin Call, executives want to survive to fight another day, but there are ways to do things in the business world, and Equifax did anything but that.