My recent ISACA Journal article discusses what every chief information security officer (CISO) must know about Secure Shell (SSH) key management. This is a topic that keeps me awake at night and should be of major concern to the whole audit community.
In short, SSH is a tool for systems management, automation and file systems, and it is used in every data center in every major enterprise. It introduced a new authentication mechanism based on cryptographic keys, called public key authentication. Unfortunately, in the default configuration, OpenSSH allows any user to provision new credentials for themselves and their friends, and these credentials never expire—not even when the user’s account is removed if the credentials have been added to a service account.
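The paragraph above describes the core problem: in a default OpenSSH setup, any user can append a public key to their own `~/.ssh/authorized_keys` and that key works indefinitely. The script below is an added example, not code from the article or from the OpenSSH project. It parses the `authorized_keys` file format (optional comma-separated options, key type, base64 blob, optional comment), validates that the blob really carries the declared key type, computes the `SHA256:` fingerprint the way `ssh-keygen -l` reports it, and flags every key that carries none of the restricting options `from=`, `command=` or `expiry-time=` (the last is supported in recent OpenSSH versions). The sample file, the zero-filled key material and the names `make_blob`, `split_options`, `parse_entry` and `audit` are all constructed for this example.

```python
"""Audit OpenSSH authorized_keys entries for unrestricted, non-expiring keys.

Added example for the article's point about self-provisioned SSH keys; the
sample file below is constructed and its key material is not a real key.
"""
import base64
import hashlib
import re
import struct

# Key types accepted here (subset: sk-* and certificate types are omitted).
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Options that confine how, from where and for how long a key may be used.
RESTRICTIONS = ("from", "command", "expiry-time")

_KEY_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(t) for t in KEY_TYPES)
    + r")\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$"
)


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def make_blob(key_type: str, material: bytes) -> str:
    """Build a base64 key blob whose first field names the key type.

    Only used to construct sample data; `material` is NOT real key material.
    """
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(material)).decode()


def split_options(text: str) -> dict:
    """Split the comma-separated option prefix, honouring double-quoted values."""
    opts, cur, quoted = {}, [], False

    def flush():
        if cur:
            key, _, value = "".join(cur).partition("=")
            opts[key.strip()] = value.strip('"')
            cur.clear()

    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            flush()
        else:
            cur.append(ch)
    flush()
    return opts


def parse_entry(line: str):
    """Parse one authorized_keys line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _KEY_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised authorized_keys line: {line[:40]!r}")
    key_type, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    options = split_options(line[: m.start()].strip())
    blob = base64.b64decode(b64)
    # The first wire-format field inside the blob must repeat the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("declared key type does not match the key blob")
    # OpenSSH prints SHA256 fingerprints as unpadded base64 of the blob hash.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "fingerprint": fingerprint,
            "comment": comment, "options": options}


def audit(text: str) -> list:
    """Return one finding per key, listing the restricting options it lacks."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        entry["line"] = lineno
        entry["missing"] = [r for r in RESTRICTIONS if r not in entry["options"]]
        findings.append(entry)
    return findings


# Constructed sample: one unrestricted personal key, one fully confined
# automation key, and one forced-command key that still never expires.
SAMPLE = "\n".join([
    "# constructed sample; key material is filler bytes, not real keys",
    f"ssh-ed25519 {make_blob('ssh-ed25519', bytes(32))} alice@laptop",
    'from="10.0.0.0/8",command="/usr/local/bin/backup",expiry-time="20301231" '
    f"ssh-ed25519 {make_blob('ssh-ed25519', bytes(range(32)))} backup-job",
    f'no-pty,command="/bin/true" ssh-rsa {make_blob("ssh-rsa", bytes(4))} deploy',
])

if __name__ == "__main__":
    for f in audit(SAMPLE):
        status = "OK" if not f["missing"] else "missing " + ", ".join(f["missing"])
        print(f"line {f['line']}: {f['fingerprint']} {f['comment']!r}: {status}")
```

Run across every `authorized_keys` file on a host, the `missing` list gives an auditor the inventory the article calls for: which keys are confined to a source network, which are pinned to a single command, and which will keep working after the person who added them has left. The complementary server-side control is to set `AuthorizedKeysFile` in `sshd_config` to a root-owned location rather than the user's home directory, so that provisioning a key becomes an administrative action that can be reviewed instead of something any user can do for themselves.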
A study in 2016 found that 80% of the more than 500 chief information security officers (CISOs) surveyed consider privileged access management (PAM) a significant topic, and a number of them have already implemented specific PAM solutions. In general, these solutions try to attain the following goal(s):
Over the course of a variety of implementation projects, we found that implementing PAM is not only a question of technical functionality; a successful PAM solution, in fact, requires a comprehensive framework comprising the following building blocks:
We are living in a digital world where a staggering number of data breaches have resulted in the theft of personal data of end users across a broad spectrum of sectors, such as financial, health care and media. The growing adoption of the cloud, mobile devices and social media has resulted in an increase in incidents related to the theft of personal data.
As organizations begin the scramble to comply with the European Union (EU) General Data Protection Regulation (GDPR), there is a dire need to understand its scope and the privacy requirements mentioned in the standard. The regulation is applicable to all organizations that store, process and transmit any personal data related to an EU resident. The GDPR will replace Directive 95/46/EC, which has been the basis of European data protection law since it was introduced in 1995. The regulation will apply to even those organizations that may not have a presence in the EU, but are processing or accessing the personal data of EU data subjects.
Exponential increases in the computing power and availability of massive data sets, among other factors, have propelled the resurgence of artificial intelligence (AI), bringing an end to the so-called AI winter—a bleak period of limited investment and interest in AI research. Commercial deployment of AI systems is fast becoming mainstream as businesses seek to gain deeper customer insights, lower operating costs, improve efficiency or boost agility.
The proliferation of AI raises intriguing opportunities; however, associated risk exists, and it should be considered, as its impacts can result in significant consequences. My recent Journal article provides practical strategies to mitigate 3 crucial risk factors associated with the commercial adoption of AI:
While we become more and more connected and dependent on technology, we also become more and more vulnerable. Most organizations spend a large amount of resources defending against the outsider threat, but what about the insider threat? The insider threat can be just as costly and devastating as the outsider threat, but how do you control and monitor the people who must have access to the systems and data that you are trying to protect? Do we as cyber security professionals really understand what options we have when dealing with an insider threat? Here are some methods to mitigate the insider threat:
Which methods are used, and how, depends on the organization. Other factors also affect the method chosen, such as budget, the amount and types of data, the importance of the data, and leadership buy-in. The way we deal with the insider threat may vary, but it is a threat that each organization must understand and mitigate.