Derrick Coston, CISA, CISSP, GIAC

It’s amazing to see, on a weekly basis, that organizations are still not taking steps in the right direction to protect the information they hold on their customers and employees. Kacy Zurkus identified a troubling gap in her article “Nearly Half of US Orgs Not Ready for CCPA.” Despite the push by organizations, about a year or so ago, to be compliant with the EU General Data Protection Regulation (GDPR), there now appears to be less of a push or concern. Is it because of the ability to enforce compliance? Well, Politico has identified an alarming fact in their article “How one country blocks the world on data privacy”: the GDPR is the world’s toughest standard for data privacy, but nearly a year later, its chief enforcer has yet to take a single action against major tech firms like Facebook and Google.

I applaud the State of California for its efforts; however, will the state be able to use its power to enforce compliance? On paper it sounds great, but in reality, political statements can be made, and true enforcement will be very interesting to watch. It reminds me of about 15 years ago, when health care facilities were required to be compliant with the HIPAA Security Rule. However, the enforcement arm, the Centers for Medicare and Medicaid, really did not have much enforcement power. If you look at the majority of data breaches, the healthcare industry leads the pack. Hopefully Information Security Professionals will again take their roles and responsibilities seriously and do their part. Since the ultimate decision resides above most information security pay grades, the real test will be at the “C-Level.” Time will tell. California’s Consumer Privacy Act (CCPA) will be the test in the United States. Which company will be the first to experience true sanctions or ramifications for failure to comply with the CCPA? Especially knowing that over half, at this time, are not compliant.

Derrick Coston, CISA, CISSP, GIAC

Are we really keeping up with the latest threats? Bradley Barth states it clearly: the FBI’s Internet Crime Complaint Center (IC3) received nearly 352,000 complaints related to cybercrime activity that collectively was responsible for $2.7 billion in losses, according to the agency’s 2018 Internet Crime Report. I enjoy how we check the boxes regarding cybersecurity awareness. When you read the report, it’s clear that we are not doing a good job helping others understand the cybersecurity landscape. Month after month, we see what’s happening, but until it hits home, I guess we are now immune to the threats. I wonder, for those who have had a breach, what they thought about the threat landscape before they were attacked? Enjoy the report. It really says a lot. Combine it with other reports and it’s obvious that we are all missing the mark. What’s the solution?

Derrick Coston, CISA, CISSP, GIAC

Organizations are still not taking the threat of third-party vendor compliance seriously. Many organizations brush off third-party risk and put up a facade regarding how they are truly assessing it. I bet if more organizations were honest or participated in the study, the results would be more alarming. eSentire published an article entitled “How to Guard against Third-Party Risk to the nth Degree,” which shows how Spiceworks surveyed 600 IT and security decision-makers across a mix of industries and company sizes and identified how serious the problem is, as well as the challenges facing organizations regarding third-party risk. Add this to the lack of proper internal cybersecurity risk management, and you can see it is not a matter of if, but when, we will see another major cybersecurity breach.

Derrick Coston, CISA, CISSP, GIAC

This is one of the first analyses I have seen regarding the 2018 cybersecurity breaches. BakerHostetler’s Security Incident Response Report is a step in the right direction as we look differently at how we improve our cybersecurity going forward. I am sure more analyses are coming.

However, Help Net Security reported that a lack of understanding of the need for business and technology resilience among other leaders across an organization was identified as a key factor in pressuring CIOs and CISOs to make compromises in their efforts to maintain resilience against disruption.

This article shows the ongoing struggle CIOs and CISOs face when determining how to balance business needs against cybersecurity requirements.

The saga continues.

Derrick Coston, CISA, CISSP, GIAC

I have always had my issues with sales teams. CNBC reports that cybersecurity vendors are driving the hacking news cycle. It’s a shame, because while those of us who are consultants are trying to ensure that organizations and people stay aware of the cyber threat landscape, we have some exploiting it. This article is interesting to me as I try to find important information to share with those in my sphere of influence. My only concern with this article is that it states that “breaches that actually cause damage are relatively rare. As a result, vendors often try to make a big deal out of minor breaches that don’t expose important company or customer information.” I disagree with this because they fail to address the actual breaches that were made public. PrivacyRights.org showed that in 2018, there were 828 documented breaches totaling over 1,371,001,709 confidential data records that were breached or exposed. This number is higher because there were a large number of breaches where the record count was unknown, which is a different issue and concern that I have. Statistics can be manipulated, and hopefully those who are concerned with cybersecurity will analyze the types of breaches, conduct a thorough risk assessment, identify the threats and vulnerabilities in their environment, and apply the appropriate controls to mitigate the risk that could impact their environments.

Derrick Coston, CISA, CISSP, GIAC

Rami Sass, CEO of WhiteSource, has found that the past two years have seen an explosion in the number of software vulnerabilities being published, jumping from 6,447 in 2016 to 14,714 in 2017. Seeing as 2018 beat out the previous year with 16,521 CVEs reported, we should prepare ourselves for plenty of patching ahead in 2019. Despite this, he notes that we need to remember that even though a rise in CVEs can be eternally frustrating and means more remediation work, it is still far preferable to deal with these vulnerabilities early, before they are exploited by attackers. See his article here.