Derrick Coston, CISA, CISSP, GIAC (Daily Blog)

Although we are taking a break from our workplaces, cyber security professionals cannot let our guard down.  Many of us have home equipment and systems in place to allow us to do what we do, and that is to keep protecting our organizations.  As the COVID-19 outbreak threatens to overload the healthcare system and the global economy, it’s also having a powerful impact on the security of businesses and individuals.

David has identified that although most of the world is sheltering in homes, hackers have not decreased their attacks.  In fact, the attacks have increased.

Click here to see what ZDNet has released regarding the latest news on the intersection of cybersecurity and the COVID-19 pandemic.

When we recover, leave our homes and go back to our workplaces, we may find that we now have a new pandemic to address, an online pandemic that can also bring the world to its knees.

The world is counting on us to do our part, or we may resolve one issue but have a harder time recovering from a cyber pandemic.


Derrick Coston, CISA, CISSP, GIAC

It’s amazing to see, on a weekly basis, that organizations are still not taking steps in the right direction to protect the information they hold on their customers and employees.  Kacy Zurkus identified a troubling gap in her article “Nearly Half of US Orgs Not Ready for CCPA”.  Despite the push by organizations, about a year or so ago, to be compliant with the EU General Data Protection Regulation (GDPR), there now appears to be less of a push or concern.  Is it because of the ability to enforce compliance?  Well, Politico has identified an alarming fact in their article “How one country blocks the world on data privacy”: the GDPR is the world’s toughest standard for data privacy, but nearly a year later, its chief enforcer has yet to take a single action against major tech firms like Facebook and Google.

I applaud the State of California for their efforts; however, will the state be able to use its power to enforce compliance?  On paper it sounds great, but in reality, political statements can be made, and true enforcement will be very interesting to watch.  It reminds me of about 15 years ago, when health care facilities were required to be compliant with the HIPAA Security Rule.  However, the enforcement arm, the Centers for Medicare and Medicaid Services, really did not have much enforcement power.  If you look at the majority of data breaches, the healthcare industry leads the pack.

Hopefully information security professionals will again take their roles and responsibilities seriously and do their part.  Since the ultimate decision resides above most information security pay grades, the real test will be at the “C-Level”.  Time will tell.  California’s Consumer Privacy Act (CCPA) will be the test in the United States.  Which company will be the first to experience true sanctions or ramifications for failure to comply with the CCPA?  Especially knowing that, at this time, over half are not compliant.


Derrick Coston, CISA, CISSP, GIAC

Are we really keeping up with the latest threats?  Bradley Barth states it clearly:  The FBI’s Internet Crime Complaint Center (IC3) received nearly 352,000 complaints related to cybercrime activity that collectively was responsible for $2.7 billion in losses, according to the agency’s 2018 Internet Crime Report.  I enjoy how we check the boxes regarding cyber security awareness.   When you read the report, it’s clear that we are not doing a good job helping others understand the cybersecurity landscape.  Month after month, we see what’s happening, but until it hits home, I guess we are now immune to the threats.  I wonder, for those who have had a breach, what they thought about the threat landscape before they were attacked?  Enjoy the report.  It really says a lot.  Combine it with other reports and it’s obvious that we are all missing the mark.  What’s the solution?

Derrick Coston, CISA, CISSP, GIAC

Organizations are still not taking the threat of third-party vendor compliance seriously.  Many organizations brush off third-party risk and put up a facade regarding how they are truly assessing it.  I bet if more organizations were honest, or participated in the study, the results would be even more alarming.  eSentire published an article entitled “How to Guard against Third-Party Risk to the nth Degree”, which shows how Spiceworks surveyed 600 IT and security decision-makers across a mix of industries and company sizes and identified how serious the problem is, as well as the challenges facing organizations regarding third-party risk.  Add this to the lack of proper internal cyber security risk management, and you can see it is not a question of if, but when, we will see another major cyber security breach.

Derrick Coston, CISA, CISSP, GIAC

This is one of the first analyses I have seen regarding the 2018 cyber security breaches.  BakerHostetler’s Security Incident Response Report is a step in the right direction as we look differently at how we improve our cyber security going forward.  I am sure more analyses are coming.

However, Help Net Security identified that a lack of understanding of the need for business and technology resilience among other leaders across an organization was a key factor in pressuring CIOs and CISOs to make compromises in their efforts to maintain resilience against disruption.

This article shows the ongoing struggle CIOs and CISOs face when determining how to balance business needs against cyber security requirements.

The saga continues.

Derrick Coston, CISA, CISSP, GIAC

I have always had my issues with sales teams.  CNBC reports that cyber security vendors are driving the hacking news cycle.  It’s a shame, because while those of us who are consultants are trying to ensure that organizations and people stay aware of the cyber threat landscape, we have some exploiting it.  This article is interesting to me as I try to find important information to share with those in my sphere of influence.  My only concern with this article is that it states that “breaches that actually cause damage are relatively rare. As a result, vendors often try to make a big deal out of minor breaches that don’t expose important company or customer information.”  I disagree with this, because they fail to address the actual breaches that were made public.  Privacy showed that in 2018 there were 828 documented breaches totaling over 1,371,001,709 confidential data records that were breached or exposed.  This number is higher, because there were a large number of breaches where the record count was unknown, which is a different issue and concern that I have.  Statistics can be manipulated, and hopefully those who are concerned with cyber security will analyze the types of breaches, conduct a thorough risk assessment, identify the true threats and vulnerabilities in their environment, and apply the appropriate controls to mitigate the risk that could impact their environments.