Posts By: Jason Christopher

Outrunning the Bear

A Cybersecurity Assessment Boards Actually Care About

by Jason Christopher, Axio Chief Technology Officer

November 5, 2018

Boards and executives are becoming increasingly involved in cybersecurity planning and strategy discussions. This is a marked improvement over the last decade, much of which is due to media-catching headlines and public incidents. But those headlines are a double-edged sword. Now executives not only want to know how their organization is doing with regard to cybersecurity, but also how it compares to its peers.

In my recent Forbes piece, I discuss the usefulness of maturity models, specifically the Cybersecurity Capability Maturity Model (C2M2) and the NIST Cybersecurity Framework (CSF). Both of these bodies of work contain guidance for new and existing programs while also providing a self-assessment methodology for evaluating your organization’s cybersecurity practices. As the former technical lead for the C2M2 and the federal energy sector lead for the CSF, I have been able to see both programs evolve across industry, but they always lead to the same question from executives—“But how do we benchmark across industry?”

There’s no mystery as to why this question comes up—cybersecurity is full of acronyms and terms of art, and it is deeply technical. It may not always be obvious what steps to take next. And while maturity models inherently describe how to “crawl, walk, and run,” some organizations may rightfully ask, “Do we really need to run right now, or is walking fine for our cybersecurity program?” Well, as the old adage goes, when fleeing from a bear at a picnic, you do not need to be faster than the bear—just faster than the person next to you. Some executives, whether right or wrong, may just want to know if the person next to them is running faster.

At Axio, we believe maturity models have a vital place in program management. But we also understand the power of benchmarking and data analytics. That’s why our Axio360 platform leverages both. Not only can you evaluate your program using either the C2M2 or CSF, but you can also provide valuable benchmarking analytics to boards and executives. Combined with the other elements of 360, including cyber risk quantification and insurance analysis, your security program will be equipped with meaningful metrics. We’ve seen clients use our platform to promote budget justifications, hire additional resources, and get further executive buy-in on important security and financial controls.

At the end of the day, executives want to know the right thing is being done. Maturity models, and data analytics, can provide that peace of mind. Read more about the C2M2 and CSF and see how these self-assessments can help your program.

The Biggest Data Breach in US History Just Happened, Now What?

Suggestions for Protecting Your Credit and Your Identity

by Jason Christopher, Axio Chief Technology Officer

November 3, 2018

Being first is usually thought of as a good thing. Except when it’s not.

Take the recent Equifax data breach, for example. It’s the first of its kind in many ways—not the least of which is its overall impact on the average American—but in no way is this a good thing.

Unless you have been spending time with Gilligan and his fellow castaways lately, you have by now heard of the massive Equifax data breach. While we will undoubtedly learn more about this incident in the coming months, as it now stands over 143 million records may have been compromised. This means that the names, Social Security Numbers, addresses and, in some instances, driver’s license numbers of almost every American adult have been laid bare.

This is a big deal.

If credit card numbers are compromised, they can be changed. The same is not true for your birth date or SSN. Putting that aside for a minute, this means that should your identity be compromised, proving you are who you say you are will be very difficult going forward.

In order to help you, we have compiled a list of actions you can—and should—undertake immediately to protect yourself and your family. We highly recommend that everyone follow these steps. It is additional work, but it could potentially save you years of headaches if your information is ever used against you.

Six steps to staying safe from the Equifax Hack

  1. Obtain your credit report immediately. If you have not requested your free report this year, you are entitled to it. You can use this to track any changes post-Equifax breach.
  2. Sign up for free credit monitoring as part of the breach.
  3. Get a security freeze with every credit bureau. This is your best bet at protecting yourself. Pro tip: Brian Krebs has a great guide.
     Security freezes have been around for years—I personally have leveraged them in the past. While there are minor charges associated with freezing/unfreezing your credit (fees are decided on a state-by-state basis), it’s money well spent. You can also request freezes on your children’s accounts—they may not have been impacted by the incident, but better safe than sorry.
     Luckily, it’s all a simple phone call. Unluckily, since our financial systems revolve around credit, you’ll need to unfreeze it before you buy a car, house, or perform any other credit check-based function.
     For easy reference, here are the numbers to call. Make sure you call all three.
    • TransUnion: 1-888-909-8872
    • Equifax: 1-800-349-9960
    • Experian: 1-888-397-3742
  4. Monitor your financial accounts and change any shared passwords—especially if you have an online account with Equifax. As always, if your accounts offer two-factor authentication, you should have it enabled.
  5. Up your social engineering awareness game. Now that all of your information is in the open, experts are expecting an uptick in social engineering attacks, including phishing emails, texts, and calls.
  6. File your taxes immediately from here on out. With your credit frozen, your biggest risk of direct impact is going to come from a fraudulent tax return.
     Unfortunately, the IRS only requests your SSN to verify your identity—which is now out in the open. If somebody files with your SSN, you will be locked out from filing yourself. This is a common financial attack. Keep in mind that the IRS will never ask for your personal information on the phone—if someone calls you from the IRS, hang up and call your local office to verify any request. To be proactive, you can register with the IRS for additional protection.

Don’t stop now …

Finally, there are a few additional steps you can take to further protect yourself in the unfortunate event that your identity is stolen. For example, if you only have a copy of your birth certificate, look up your County of Birth’s rules on requesting a new one and keep it safe. This will help prove that you are… well… “you” if you are handling fraud. Likewise, if you don’t have a passport, consider getting one. Having both of these can help you get out of a bad situation if you need to prove that you are who you say you are.

SANS recently gave a webinar that covered some of these steps, along with information about the data breach. In the event you missed it, you can listen to the recorded version at your convenience. (We recommend sooner rather than later.)

We hope you find these tips helpful. We want to make sure everyone is safe.

It’s what we do.




Copyright 2018 Axio Global, Inc.
