I read an interesting article the other day about a talk at DEF CON – Thermostat Ransomware: A Glimpse into the Future of Crime in Cities It was about how the speakers did a proof of concept of a ransomware infection of a smart thermostat. My first reaction (as a geek) was, “Cool!” Then I started…
DetailsIn this three-part series, Academic Health care CISO Mitch Parker shares his insights on ransomware, incident response and best practices for building a world class prevention program. Ransomware has been the buzzword du jour for the past year in computer security. This mostly unsophisticated attack type uses deception and already-existing means of communication to destroy…
DetailsNo network is impenetrable, a reality that business executives and security professionals alike must accept. The traditional perimeter focused approach to cybersecurity has often failed to prevent intrusions, especially in an application-focused paradigm. While prevention is crucial, timely incident detection of anomalous behaviors for data ex-filtration are key. Continuous monitoring assumes the attackers are already…
DetailsInformation is at the heart of today’s modern businesses, which is why now, more than ever, security professionals need to take a proactive approach to security to protect this valuable asset. The first step to defining your security strategy is to determine how much your organization should be investing in security. To make this determination,…
DetailsIn this series, Grace Crickette provides C-Level executives a comprehensive overview of cyber insurance, while addressing business impacts and offering best practices for implementing a risk-management strategy that includes a cyber-liability policy. Part One Part Two Part Three: Risk Management and Insurance Basics Insurance and Risk Management Basics Insurance is just one tool in the Risk…
DetailsAs the 2016 Republican and Democratic National Conventions are about to begin, Security Current has challenged me to reflect on an assignment I was given when I was an IT security executive at a major cable, telecommunications and Internet Service Provider. Over four years ago, I was given the opportunity to build from the ground…
DetailsRead Part One All Infrastructure and the NIST Framework. In this series I will take a close look at the Framework for Improving Critical Infrastructure Cybersecurity which NIST first published in February of 2014. Is that news? No, of course it isn’t. In fact, deterrence (fear) may seem like an odd concept for cybersecurity. Arguably, except…
DetailsOne of the most useful things to me in trying to secure an enterprise like Columbia University is information, and the more information, the better. This means that for most of the time that I am not in meetings, I sit and read. Most of my input overload comes in the form of emails, approximately…
DetailsAlthough information systems logs have been around since the early mainframe days, the concept of collecting and analyzing logs for security purposes is still a relatively new concept. From my limited research, the term SEM (Security Event Management) was pioneered by a small company called E-Security in 1999. SIM (Security Information Management) or SIEM (Security…
DetailsMore and more devices are being Internet-enabled daily. To securely drive an organization’s digital strategy, CISOs need to better understand business and new technologies across groups within the enterprise. It is critical to learn how to create value from their data, and understand technical capabilities for the whole business, not just in the IT domain,…
DetailsEach infrastructure is critical to someone. Go ahead: ask a CIO if they are in charge of something other than “critical infrastructure” and see what they say. In fact, the increasing criticality of all aspects of infrastructure underlies all our assumptions about security and privacy. This article is the first in a series where I…
DetailsMy friend Randy Marchany tweeted a link to an article “Millennials Value Speed Over Security, Says Survey” that started me thinking about the apparent conflict between speed and security. If you google “Agile software development,” you will see a Wikipedia page, which extensively covers the topic. “Agile software development is a set of principles for software development in…
Details