Derrick Coston, CISA, CISSP, GIAC

Are we really keeping up with the latest threats? Bradley Barth states it clearly: the FBI's Internet Crime Complaint Center (IC3) received nearly 352,000 complaints related to cybercrime activity that collectively was responsible for $2.7 billion in losses, according to the agency's 2018 Internet Crime Report. I enjoy how we check the boxes regarding cyber security awareness. When you read the report, it's clear that we are not doing a good job helping others understand the cybersecurity landscape. Month after month, we see what's happening, but until it hits home, I guess we are now immune to the threats. I wonder, for those who have had a breach, what they thought about the threat landscape before they were attacked? Enjoy the report. It really says a lot. Combine it with other reports and it's obvious that we are all missing the mark. What's the solution?

Derrick Coston, CISA, CISSP, GIAC

Organizations are still not taking the threat of third party vendor compliance seriously. Many organizations brush off third party risk and put up a facade regarding how they are truly assessing third party risk. I bet if more organizations were honest or participated in the study, the results would be more alarming. eSentire published an article entitled "How to Guard against Third-Party Risk to the nth Degree", which shows how Spiceworks surveyed 600 IT and security decision-makers across a mix of industries and company sizes and identified how serious third party risk is, as well as the challenges facing organizations regarding it. Add this to the lack of proper internal cyber security risk management, and you can see it is not if, but when, we will see another major cyber security breach.

Derrick Coston, CISA, CISSP, GIAC

This is one of the first analyses I have seen regarding the 2018 cyber security breaches. BakerHostetler's Security Incident Response Report is a step in the right direction as we look differently at how we improve our cyber security going forward. I am sure more analyses are coming.

However, Help Net Security identified that a lack of understanding of the need for business and technology resilience among other leaders across an organization was a key factor in pressuring CIOs and CISOs to make compromises in their efforts to maintain resilience against disruption.

This article shows the ongoing struggle CIOs and CISOs face when determining how to balance business needs against cyber security requirements.

The saga continues.

Derrick Coston, CISA, CISSP, GIAC

I have always had my issues with sales teams. CNBC reports that cyber security vendors are driving the hacking news cycle. It's a shame because, while those of us who are consultants are trying to ensure that organizations and people stay aware of the cyber threat landscape, we have some exploiting it. This article is interesting to me as I try to find important information to share with those in my sphere of influence. My only concern with this article is that it states that "breaches that actually cause damage are relatively rare. As a result, vendors often try to make a big deal out of minor breaches that don't expose important company or customer information." I disagree with this because they fail to address the actual breaches that were made public. PrivacyRights.org showed that in 2018 there were 828 documented breaches totaling over 1,371,001,709 confidential data records that were breached or exposed. This number is higher because there were a large number of breaches where the record count was unknown, which is a different issue and concern that I have. Statistics can be manipulated, and hopefully those who are concerned with cyber security analyze the types of breaches, conduct a thorough risk assessment, identify the true threats and vulnerabilities in their environment, and apply the appropriate controls to mitigate the risk that could impact their environments.

Derrick Coston, CISA, CISSP, GIAC

Rami Sass, CEO of WhiteSource, has found that the past two years have seen an explosion in the number of software vulnerabilities being published, jumping from 6,447 in 2016 to 14,714 in 2017. Seeing as 2018 beat out the previous year with 16,521 CVEs reported, we should prepare ourselves for plenty of patching ahead in 2019. Despite this, he notes that we need to remember that even as a rise in CVEs can be eternally frustrating and means more remediation work, it is still far preferable to deal with these vulnerabilities early, before they are exploited by attackers. See his article here.