Thursday, September 29, 2011

Cyber Security: Still Considered Second Fiddle

Cyber security should be one of the main players at the monthly organization board meetings, but it is still treated as a collateral duty. Sure, some firms have a Chief Security Officer, Chief Information Security Officer, etc., but the main function of these positions is to make sure employee and visitor access control is uninterrupted, passwords are assigned, accounts are built, and the other functions of a normal IT specialist at the lowest corporate layer are carried out. Unfortunately, even with the cyber attacks and threats that happen over a million times a day, systems security is STILL considered a back seat function.

Friday, July 22, 2011

Smaller Businesses Becoming the Preferred Target for Cyber Criminals

There is a good article at WSJ.com that should be an eye-opener to every business in today's digital workplace:
Smaller companies are less likely to grasp the security threat. A 2010 survey by the National Retail Federation and First Data Corp. of small- and medium-size retailers in the U.S. found that 64% believed their businesses weren't vulnerable to card data theft and only 49% had assessed their security safeguards.
Because smaller firms don't have the infrastructure or sophistication in place to deter, defend against, or protect against many risks, they become the preferred target. While it is glamorous for cyberbandits to target a big whale to make a name for themselves, computer criminals are becoming more profit driven. Hackers once would unite under a common statement, with a specific mission. Now, with the proliferation of overseas cyber hack shops, you must contend with criminals united only by greed.

Monday, July 18, 2011

Risk Management: Trust through verification. [Part 2]

This is part two of Chief's post on Trust through Verification. Part one can be found at the link.

Most managers will say that their IT department provides security services. Is this safe? The people who control all the data, manage all user accounts, have access to all passwords and authentication information, and decide what system access users have are the same people you are going to trust to perform your corporate security assessments and report on your security posture. Make a note: it was reported that 83% of all cyber-attacks in 2009 came from "internal" sources.

Wednesday, July 13, 2011

Risk Management: Trust Through Verification! [Part 1]

This week LT and I will be discussing Risk Management and our mantra, "trust, but verify." Because of the length of this article, we will post it in two more easily digestible segments.

For years people have been harping on the need to protect the data and information they must maintain or produce. Over the past 35 years I have been fortunate to work in this field we are calling “Information Assurance”. I was very lucky as a young sailor to be trained in the proper handling of classified data for the U.S. Navy, NSA, NRO and our National Authorities, and to be honest, I became quite good at it. Back then, we were taught to be vigilant on all aspects of protection and we were taught what information or data was. From the time I woke up in the morning, until the time I went to bed at night, "mum" was the word of the day. “Loose lips sink ships” was continually drilled into our heads, and we were taught what the true meaning of need-to-know was and how to apply it.

Tuesday, June 28, 2011

SWGDE Releases Quality Assurance and Standard Operating Procedures Manual

The Scientific Working Group on Digital Evidence (SWGDE) recently released draft model Quality Assurance (QA) and Standard Operating Procedure (SOP) manuals for use by digital forensic laboratories. In today's economy, where budget dollars are precious, these manuals provide an answer to the dilemma of how the one-person digital forensic practitioner, with limited to no in-house resources, can implement quality practices and standard procedures. They provide off-the-shelf, easily tailored documents which can be used to begin establishing quality standards and procedures for the performance of digital forensic examinations.

Thursday, June 23, 2011

Cyber Attacks Heat Up in the Medical Field

Here’s a very interesting read about cyber attacks against Internet-enabled medical devices.
This article is spot on and should be a “Red Flag” for any and all healthcare professionals. I’ve been speaking about this threat for years. My concern is that no major government player (e.g., Health and Human Services, the VA, etc.) is addressing these concerns in the medical field. This critical data preservation and protection falls directly on the shoulders of each medical professional and/or their organization. I find it ironic that (outside of defense) most cyber attacks are being conducted against the healthcare and pharmaceutical industry, yet the concern and urgency are absent from both our government and the industry itself.