Risk Management

If these companies were affected, then the foundation of computing could be at risk. If you could manipulate at the hardware layer via the firmware, BIOS, etc., then a threat actor could weaponize well below the operating system, which brings into question the integrity of the entire computing stack and everything above it. The firmware and BIOS are like the rebar and concrete for a building. If that foundation is weak, then the entire structure and anything dependent on it is at risk. We cannot underestimate the potential or the severity of these companies being potentially affected by the SolarWinds hack and what that means for the foundational computing hardware they provide to the world. What do others think? How could this impact your organization?
Big tech companies including Intel, Nvidia, and Cisco were all infected during the SolarWinds hack - The Verge

Fraud Detection

This study hopes to help IT Executives understand current security concerns and effectiveness of solutions being put in place by peers.

0 views
0 comments
1 upvotes
Tis the season to audit the software supply chain
Pulse Flash Read

We were supposed to be winding down for the holidays. Then again, maybe we suspected that 2020 had one last gut-punch for us. Thanks, ‘SUNBURST’.

‘SUNBURST’ is what FireEye is calling the recent cybersecurity attack that has government agencies scrambling, carried out by an unidentified agent FireEye refers to as ‘UNC2452’. FireEye, with barely contained awe, has described what they’ve uncovered as “...some of the best operational security that FireEye has observed in a cyber attack, focusing on evasion and leveraging inherent trust.” Read the full blog post here, and find FireEye’s GitHub repository on detection and neutralization here.

FireEye’s transparency and urgency in sharing what they’d discovered has earned plaudits in the cybersecurity community. FireEye was the first company to detect a compromise in their own system. Once they’d identified the source as a SolarWinds software update, it became clear that this was a big one. Why? Because that same SolarWinds software update went out to hundreds of thousands of customers—including many top US federal agencies.

It’s a nefarious, evil-genius level attack. While gaining access through a classic Trojan Horse approach, the attackers were subtle, sitting within the tech stack and taking their time to learn what credentials were needed to access critical information. Once they’d identified targets and how to access them, they struck, using only the operations that enabled access to function in the first place. It’s ‘the butler did it’, except that the butler was possessed.

FireEye has characterized this attack as a problem in the Software Supply Chain (SSC). I’ve written about this problem previously with regards to open source software, but SaaS sprawl is turning this into a bigger issue. SolarWinds provides broad IT management software—the perfect tools for discovering access credentials.

IT has to match its security and risk management in line with every new vendor that makes up that SaaS ecosystem—is each vendor doing everything they can to detect and treat vulnerabilities? Do you trust that new update? (Speaking of which, SolarWinds is urging customers to install their latest, presumably safe, update for the compromised Orion Platform software.)

In some ways, Christmas has come early for cybersecurity SaaS. Vendors are filling blog posts with all the ‘lessons learned’ which, strangely enough, are usually resolved by purchasing that vendor's particular threat detection tools. Paranoia pays, especially when that paranoia is justified.

What will this mean for cybersecurity in 2021? Will zero-trust finally rise to prominence? Do we need more AI/ML tools to detect those subtle differences in malicious behaviors that mimic normal protocols? One of the scarier aspects of the FireEye hack is that penetration test tools were stolen. If the enemy knows how we fight it, innovation may be key.

As details of the attack continue to accumulate like all those holiday chocolates, one thing’s for sure: this won’t be the last we hear of the SolarWinds breach this season. How are you responding to the SolarWinds hack? What does the future of cybersecurity look like to you?

Top Answer : I would say testing updates in a honeypot environment before implementing them, over longer periods.

49 views
2 comments
1 upvotes
What's a greater concern for returning to the office? Comment how you are prioritizing...

Top Answer : The majority of our focus is definitely on the human factors, as the technical factors are mostly related to things we had to solve as we went distributed. We will need some additional technical stuff to support the human factors (e.g. scheduling software to limit the number of people in the office at the same time), but solving the human factors of helping people to feel comfortable, ensuring that safety precautions are being followed, etc. is much harder, and that is why it will be a while before we go back.

Is vendor lock-in just an excuse for not wanting to innovate and take risks?

Top Answer : Vendor lock-in is a sales tool. Sellers can use it to frighten a prospect by saying, "Ooh, you're going to have vendor lock-in. Be careful." And in my experience with clients, they are loath to leave something, even when they don't like it, because it's the risk of leaving the thing. It doesn't matter if it's open, or portable, or whatever, it's just that the risks of change are high. And so, are they locked into a vendor or are they locked into risk?

14 views
4 comments
1 upvotes
Do you plan to buy cyber insurance in the next year?

116 views
0 comments
0 upvotes
How do CISOs get executive buy-in for security risks and requirements?

Top Answer : First is really working closely with our internal customers and understanding those probing questions of, what is it that they're concerned about? We need to better understand what the business is worried about, what type of data and information they want to secure. Then from that perspective we can say, “okay, well these are the types of controls that will help mitigate those risks and that will enable you to proceed with confidence.” We might have a set of operational metrics that help you from your day-to-day. Those should ultimately feed up to or support a business risk that's supposed to be mitigated or provide coverage against. And then, from a board perspective, tying that to a story of what that actually means. Being able to work with the technical teams and be the bridge with the business counterparts. With vulnerability management, articulating how many of our systems are actually protected from being exploited allows us to see systems that are actively being exploited or targeted; then that's the “so what?” factor that we tie back to when explaining why it's of significance to the board.

Do CIOs ever purposefully hinder innovation in order to prevent risk of failure and protect their own career should things go awry?

Top Answer : I had a CIO say to me recently, when talking about a modernization project, "How can you guarantee me that I'm not going to end up in some trade journal as the next grand failure?" So they agree with the objectives of the project, but there's personal risk in not wanting to be the next magazine article about a huge failure. And the flip side of that, that I run into all the time: CIO comes in, they're there for two years, make some decisions, get a project started, and then they leave. And there isn't enough continuity of leadership in order to see this stuff through. Because it starts getting a little dicey and it's the squishy middle that nobody wants to hang around for.

35 views
8 comments
1 upvotes