Everywhere we turn, vast amounts of facts, figures, numbers, records and files are being processed, interpreted, organized, structured and presented in a way that turns those data bits and bytes into meaningful information. Putting the raw data into context is what makes information useful for business decisions and underlies many dashboards being developed across the enterprise. Data and information are important components for measurement and, if put into a suitable context, may also become meaningful metrics.
It has been nearly two weeks since the disclosure of the Spectre and Meltdown vulnerabilities. Here at Axio, we have been quietly monitoring the research community’s discussions about the severity of these vulnerabilities as well as user experiences in applying mitigation measures to fix the issues.
Ever since the Federal Energy Regulatory Commission approved mandatory cybersecurity standards for the nation’s grid, self-proclaimed gurus and experts have been making a nuisance of themselves. The Critical Infrastructure Protection (CIP) standards are one of the few compliance requirements that can monetarily penalize asset owners/operators for poor cybersecurity hygiene, and all the cool kids want to be CIP “ninjas.” But how do hiring managers, engineers, or IT peers know that the person they are talking to is really a CIP master?
In February 2014, the US National Institute of Standards and Technology (NIST) released the first version of the Cybersecurity Framework (CSF), as directed by Executive Order 13636. Later that year, Congress passed the Cybersecurity Enhancement Act and solidified NIST’s role with critical infrastructure owners and operators through the support and facilitation of cybersecurity risk frameworks. Over the past three years, NIST has held multiple workshops and collected comments across industry, academia, and government agencies.
In today’s modern and dynamic environment, the audit profession must evolve continuously and synergistically with the business and technology changes that occur every day.
I am writing to give you the skinny on KRACK, the attack, and to provide some of the “facts” along with some recommendations for what to do now. The bottom line is that your devices ARE vulnerable to this newly discovered attack. Practically every WiFi-enabled device is affected. Computers and mobile devices will likely get updates in the near future, though IoT and embedded devices may be a different story. You will want to update your devices as vendors release patches. You may also consider getting into compliance with your backup policies now to save frustration later.
This past summer we witnessed various blue-chip firms like Maersk, Merck, FedEx and Mondelez, none of whom likely anticipated the reality of a major cyber event, all declare major impacts on operations and, in some cases, resulting losses of hundreds of millions of dollars. The leaves are now falling, and so are the executives at Equifax, with more almost certainly on the way, compensation clawbacks being discussed, and years of litigation ahead. Most recently we’ve seen Deloitte suffer the exact fate that it proudly attempts to help thousands of clients avoid. While all of these companies are different, they likely share a common thread: investing an incredible amount of money in security technology, employing many capable security professionals, and assuming that their losses would be insured. Does anybody still believe that the current cybersecurity paradigm is working?
Unless you have been spending time with Gilligan and his fellow castaways lately, you have by now heard of the massive Equifax data breach. While we will undoubtedly learn more about this incident in the coming months, as it now stands over 143 million records may have been compromised. This means that the names, Social Security Numbers, addresses and, in some instances, driver's license numbers of almost every American adult have been laid bare.
In the wake of advanced cybersecurity attacks, this Executive Order prioritizes the importance of our nation’s critical infrastructure. Beyond the provisions for a robust national security program at federal agencies, the EO refocuses on the NIST Cybersecurity Framework. We have applied this framework to dramatically improve the cybersecurity posture of countless critical infrastructure organizations, so we know it is tested and well proven.
Most articles questioning the viability of the product center on denied claims under types of insurance policies that were never designed to cover emerging cyber risks, or are written by folks whose knowledge of actual policy language hearkens back to earlier-generation policies that sometimes contained strict stipulations about maintaining consistent levels of security.
Organizations exist to produce a product or deliver a service and generally have a strategy or a set of goals. Risk management is an organizational discipline that, when combined with strategic planning, ensures that the risk with the greatest potential negative impact on the ability to achieve the organization’s stated goals is identified, analyzed and responded to in an appropriate way (given the risk tolerances of that organization).