“What could cause a digital Armageddon?” That is a popular question to pose to information and cyber security professionals, and when asked, I don’t hesitate: Quantum computing.
While the principles of quantum computing are certainly complex, at a high level, the risk from quantum computing can be understood fairly quickly. Unlike a digital computer bit, which can only be a zero or one, a quantum bit, or qubit, can be a zero, one, and everything in between – all at the same time. For those who are not quantum physicists, this can be mind-blowing, but the result is that a quantum computer can offer such a huge speed-up to solving certain problems, that some problems previously thought to be nearly impossible to solve may soon be solved.
For instance, it isn’t a question of if, but when, today’s cryptography that protects the Internet will be broken. Some experts have said that this is likely to occur in the next 3-7 years – it’s just a matter of having enough qubits, and it will likely take 100 to 300 qubits to fuel a quantum computer powerful enough to do this. Working quantum computers with fewer qubits already have been developed.
In addition to governments like the United States and China, today, there are major companies – IBM, Google and D-Wave – that are pursuing quantum computing. D-Wave already has quantum computers available for purchase commercially (including one with 2,000 qubits), but its systems are primarily useful for solving optimization problems, rather than for general purpose, and are not suitable for breaking cryptography. IBM is working on a general-purpose quantum computer that likely would be suitable. Earlier this year, IBM announced that it had built a working prototype with a real quantum processor and 16 qubits. Google indicated that it had a prototype with 22 qubits. Money plays a role, as quantum computers must be cooled to almost absolute zero (the temperature of outer space) to operate, making them very expensive and something that only large corporations and governments would be able to afford.
The underlying security of the Internet today is primarily based on the complexity of factoring large semi-prime numbers. Peter Shor published a quantum factoring algorithm more than 20 years ago that factors semi-primes, but it requires a quantum computer to run. With today’s computers, factoring a large semi-prime would take thousands and thousands of years, but with quantum computing that timeframe is potentially slashed to minutes, and even seconds.
Not long ago, Shor’s algorithm was implemented on a small quantum computer with four qubits to quickly factor small semi-prime numbers (like the number 15), and was able to do so in a matter of seconds. If replicated with a future, more powerful quantum computer to handle larger semi-primes like the ones that form the foundation used to encrypt the Internet, the security of the Internet would essentially be broken. This will occur as soon as a quantum computer is available with sufficient qubits.
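To make the reduction concrete, here is an added classical illustration (not code from the original post) of the number-theoretic core of Shor’s algorithm. The only step a quantum computer accelerates is finding the period r of a^x mod N; this version finds the period by brute force, which is exponential in the size of N, so it factors toy moduli such as 15 and 21 but offers no speed-up. Everything after the period is found (gcd of a^(r/2) ± 1 with N) is exactly the classical post-processing Shor’s algorithm uses. The function names are the example’s own.

```python
"""Classical walk-through of Shor's reduction from factoring to period finding.

Added example, not code from the original post. The period search below stands in
for the quantum Fourier transform step; it is exponential, so only toy moduli work.
"""
from math import gcd
from typing import Optional, Tuple


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a^r == 1 (mod n). Requires gcd(a, n) == 1 or it never halts."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_classical(n: int, a: int) -> Optional[Tuple[int, int]]:
    """Try base a against n. Returns a sorted nontrivial factor pair, or None if a is unlucky."""
    g = gcd(a, n)
    if g != 1:
        return tuple(sorted((g, n // g)))   # lucky base: shares a factor, no period needed
    r = find_period(a, n)
    if r % 2:
        return None                         # odd period gives no square root of 1 to use
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                         # a^(r/2) == -1 (mod n) yields only trivial factors
    p, q = gcd(y - 1, n), gcd(y + 1, n)
    if p in (1, n) or q in (1, n):
        return None
    return tuple(sorted((p, q)))


def factor(n: int) -> Optional[Tuple[Tuple[int, int], int]]:
    """Iterate over candidate bases until one yields factors; returns ((p, q), a)."""
    for a in range(2, n):
        pair = shor_classical(n, a)
        if pair:
            return pair, a
    return None


if __name__ == "__main__":
    # 15: base 2 has period 4, 2^2 = 4, gcd(3, 15) = 3 and gcd(5, 15) = 5
    print(factor(15))
    print(factor(21))
```

The loop over bases is where the quantum/classical split lives: a real implementation would replace `find_period` with the quantum order-finding circuit and keep the rest unchanged, which is why the number of usable qubits, not the post-processing, is the gating factor the post discusses.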
Post-quantum cryptographic solutions have been proposed. NIST considers quantum crypto breaking a serious enough risk that it has issued a call for papers on the subject, with the deadline upcoming later this month. Experts and scientists have been working to find solutions that can be implemented into the Internet to replace the current method we’re using now – hopefully, before powerful enough quantum computers come out and disrupt the Internet’s security.
Likely because of the complexity of the scientific principles – you need to be a quantum physicist to have a true appreciation for Shor’s algorithm – this topic does not generate nearly as much attention as it should. At this stage, the risk from quantum computing is well-understood by top cryptographers, but by few others. That will certainly change, and I would love to see members of ISACA’s global professional community play a leading role. Information security and business technology professionals, executives and boards should closely monitor the situation, follow how things progress with NIST, and begin giving thought to what could unfold in the coming years.
Ultimately, quantum computing could have staggering implications on our professions, and society as a whole, transforming everything from space exploration to the financial markets.
In the meantime, the next time someone asks you what could cause digital Armageddon, you should not need to hesitate to come up with your response.
Cyber security is now on the agenda in board rooms. The threats and risks in the cyberspace are significant enough to warrant the attention at the highest levels.
In 2017, those conversations often have focused on ransomware. This year, the global community has experienced a large number of incidents related to ransomware. Organizations are anxious to ensure that the necessary approach and countermeasures against ransomware are understood and implemented. Security professionals therefore need to update their knowledge on the subject.
My session later this month at Asia Pacific CACS 2017 – titled “WannaCry? No, Wanna Get Wiser” – discusses the theme of ransomware. The session will introduce the ransomware attack chain, or methodology, that depicts the steps ransomware takes to infect targets. Gaining an understanding of the methodology adopted by malware is an essential step toward defeating the nefarious designs of malware.
The session will identify the different stages of ransomware infection. This knowledge is useful in designing the countermeasures to be deployed at different stages of a ransomware attack to counter it. The session also will provide recommendations to build resilient operations and capable organizations to counter ransomware.
The WannaCry attack from earlier this year will provide the perfect backdrop for the discussion.
Author’s note: I am happy to share that my book – Pilgrims In The Digital World – will soon be published and available to book-lovers. The book discusses various facets of technology and the digital world – the opportunities and innovations, the issues, the threats and the response that can make the digital world a safer place. The book, written for both the general reader who does not possess much technical background and also for technology experts, takes a non-technical approach to discussing the larger issues related to technology and the digital world.
Cyber security gets a lot of discussion in terms of small business, but what few outside of the industry know is that many cyber attacks actually take place much closer to home. In fact, thousands of attacks actually occur in the home. Part of the role of security practitioners moving forward can be to educate homeowners and help them protect their households with stronger, more secure solutions.
Hackers target home “security” systems
The entire objective of a home security system is to keep threats out of the home. A security system is designed to be both a deterrent and a defense mechanism. But while most security systems are focused on physical threats – like burglars – the rise of internet-connected systems has created an entirely new risk category. With some basic hacking strategies, cybercriminals can gain access to security cameras, disarm alarm systems, and prey on homeowners and their families.
SimpliSafe and other Internet-connected systems have proven to be able to be manipulated – something that most homeowners aren’t aware of. It’s the job of the security community to be part of the solution and help educate homeowners and customers on the risks, while providing them with specialized guidance that helps them select security systems that are actually secure.
“The impression that I’ve got is that the home security product industry isn’t really actually putting any effort into security, whether it’s because they don’t realize the problem, or they don’t care, is not something I’m going to be able to tell you. It’s not just the SimpliSafe system that’s insecure,” Dr. Andrew Zonenberg, a security consultant, told Forbes. “These people are advertising security products that provide little to no actual security.”
While you may have an obligation to sell and drive revenue for your business, you shouldn’t be doing it at the expense of selling products that have loopholes and deep-seated issues. Believe it or not, there’s a lot of money to be made from telling the truth and establishing yourself as an authority figure in the industry. There are only a few people currently doing this, and you can make a name for yourself by opening up.
James Risley of Security Baron is the perfect example. He’s constantly publishing high-quality content that puts clients first and products second. One topic that he’s really passionate about is the hacking of cameras, which actually happens fairly frequently.
“If you’re looking for a camera, ensure that you’re buying from a company that updates its firmware in response to security flaws,” Risley tells his audience. “Many DIY systems make this a manual process, but more popular cameras like the Nest Cam or Logi Circle work in the background. Also, always update your passwords on your IoT devices as soon as you set them up. Ideally, you want a secure, unique password for each device you own.”
Whether it’s buying a used car or installing a smart security system in a million-dollar home, consumers want to understand the pros and cons of purchases and appreciate the transparency they receive from vendors. Be a part of the solution – not the problem.
Are you doing your part?
The worst thing about the loopholes found in security systems is that these systems are designed for protection. People install cameras and other connected devices in their homes with the purpose of being secure. The fact that they could actually be introducing more risk is rather alarming – no pun intended. The more honest you are with consumers – and the more you work to improve the integrity of smart security solutions – the better the industry will be.
I admit it … I am one of the 143,000,000 people afflicted by the Equifax breach. For those of us who reside in the US, that number approaches 60% of all adults, based on recent numbers from the US Census Bureau. Perhaps most unsettling is that failing to perform something as routine as a timely patch produced an event so catastrophic that it cost the CISO, CIO and CEO their jobs. Make no mistake about it, accountability for cyber resilience is in the boardroom and rests heavily on the shoulders of those in the C-suite. This is accentuated by the data from a recently completed study by ISACA and MIT which overwhelmingly confirmed that CEOs and boards are leading enterprise digital technology initiatives.
Strong oversight of cyber security is now a critical component of organizations’ overall governance of their information and technology, and on that front, there remain some steep hills to climb. ISACA’s new Better Tech Governance is Better for Business research shows that only a little more than half of senior business leaders think their organization’s leadership team and board are doing all that they can to safeguard the organization’s digital assets, and less than half of boards intend to fund a significant expansion of their cyber defenses in the coming year, despite expanding attack surfaces and daily changes to the threat landscape.
There is much in the media and literature today calling for increasing technology competency in directors and senior executive leaders to achieve better oversight of what’s happening in the enterprise operations. There are also repeated calls for boards and the C-suite to further invest in cyber security and risk management, not only as a path to averting disaster, but as an enabler of the innovation required to thrive within a rapidly changing and increasingly complex technology landscape and regulatory and compliance environment.
The answer seems simple enough: recruit some new subject matter experts who can ask the right questions to serve on the board. While this is a good start, there’s still something missing— the fundamental ability to qualitatively and quantitatively measure the capabilities of an enterprise, allowing the enterprise to build its cyber resilience.
A CISO for a leading global payment company recently shared with me his story of being asked by a director on the company’s Board, “Are we safe?” His response was, “I think so,” to which, the director retorted, “What do you mean you think so?” The story was instructional for me, confirming the need for ISACA and our CMMI Institute subsidiary to work with industry leaders on the development of a risk-based, enterprise-wide self-assessment that presents a holistic view of an organization’s established capabilities to protect and defend itself from cyber security attacks. Upon completion of the assessment, a report indicating the current state of the enterprise, including views on how the organization compares to other organizations of similar size, geographic location or industry, will be provided. Assessment outcomes can be used by boards and senior executives to understand the current state, along with a roadmap to improved cyber resilience that can serve as the basis for further risk management-based and business-focused investments. CISOs and board members won’t need to think their organization is safe; they will know it is.
With industry and government support, along with stakeholders in our professional community, this assessment can evolve into a community accepted “universal consensus model” to measure progress in our respective industry sectors. Without such a tool, organizations, many of which are struggling to find tech-savvy board members, will continue to operate with incomplete or misleading information to decide how to invest in the equipment, training and personnel required to build and maintain effective security programs.
The pressure on today’s executives when it comes to reliable cyber security and risk management is significant. The job of leading and managing these critical enterprise concerns is anything but easy. The days of cyber security being treated as a technology concern have passed us by. Cyber security is now and will remain a strategic business risk that, if properly managed, can fortify an enterprise to effectively and securely innovate. Perhaps the timing is now right for this new ability to measure cyber resilience, thereby creating the rising tide that will raise all ships.
Editor’s note: This blog post by ISACA CEO Matt Loeb originally appeared in CSO.
My name is Chris, and I am a CSX addict.
It wasn’t always that way. To be fair, my gateway drug was the workshops and lectures at my local ISACA chapter. Then, one thing led to another, and before I knew it, I was hooked. First, in Vegas. Then, earlier this month, in Washington, D.C., and next year, back to Vegas for CSX North America.
In my defense, the quality is irresistible, the “high” of discovery intense. Between the keynotes, the workshops, and the individual presentations, I mean … how can a professional resist? I tried others, but there was no “there there.” Useful vendor presentations, to be sure, but nowhere near the quality, diversity, or depth that I find at CSX conferences.
Where do I start my confessions to you? Do I tell you about the workshops, surrounded by accomplished peers, led by experts, and resulting in practical, actionable takeaways? Or, perhaps, I should emphasize the presentations, organized by track, that fill the days of the main conference.
Pick your flavor, and CSX has it! You prefer to focus on IDENTIFY? Got that. Perhaps PROTECT or DETECT floats your boat? CSX has that, too! For me, it was all about RESPOND, RECOVER, and DEFEND. Attending those presentations allowed me to learn more and hone my skills more than any reading I could have done.
And, that’s the thing with CSX. At the end of the day, it brings together the best professionals in the field, relaying, discussing, and sharing best practices with peers. This is not “a show.” It is a relationship among professionals, a true exchange of ideas, best practices, and lessons learned that I have not found anyplace else.
The good news is that I am not alone. I met dozens of fellow addicts at this year’s conference in DC. We compared notes, and we agreed: Unlike most other conferences, you could trust CSX to deliver objective, unbiased, actionable data. For practitioners in the field, there is nothing like it.
I will further confess that my addiction has shown no mercy. It’s not enough to be a regular delegate. I need more. And, for troubled people like me, ISACA has an answer: ELP. The Enhanced Learning Package. Cut straight to the front of the line, reserved seats at the presentations and keynotes, VIP treatment at the venue, help around every corner in getting me the information that I need when I need it, and so much more. This is not just “an incremental add-on.” For me, ELP has made the difference between a great conference, and an incredible-make-sure-you-do-not-miss-this-event experience.
I know what you’re thinking.
I should get help. Sadly, I am past that point. But, in the interest of serving the community, I needed to confess to you, my peers, and warn you. Stay away from CSX conferences, and stay clear of the ELP package in particular.
You’ll never be the same again.
Author’s note: Chris Moschovitis is the CEO of tmg-emedia, a 29-year-old independent consultancy in New York. He is the co-author of “History of the Internet: 1843 to the Present.” Chris’ latest book, “Cybersecurity Program Development for Business: The Essential Planning Guide,” is being published by Wiley later this year. He can be reached at Chris.Moschovitis@tmg-emedia.com
A covert channel is any communication channel that can be exploited by a process to transfer information in a manner that violates the system’s security policy. In short, covert channels transfer information using non-standard methods against the system design.
Information and communication dissimulation is not a new topic. However, applications remain numerous, and most recent techniques make such channels more difficult to detect.
The main purpose of covert channels is to protect privacy or to increase security of critical communication. As with most security concepts, however, covert channels do have a dark side. Given that they provide a stealthy and secure communication channel, they can undoubtedly be used to establish connections that are theoretically prohibited by the security policy. Then, information leaks become possible, as well as asynchronous command channels between the compromised system and its master.
Covert channels are not everywhere, but they can be everywhere, and they provide answers to two issues raised by the use of encryption: legal restrictions and lack of discretion. In the first case, the main concern is the protection of personal privacy: people want their communications not to become public. The second issue is keeping communications undetected. The content of an encrypted mail may not be readable, but the communication itself is not stealthy, and that piece of information may be valuable, especially if one knows that two entities tried to protect the privacy of their communication.
Today, covert channels and their technological side – steganography – represent the new frontier of cyber-crime and cyber-espionage. To defend against these channels, you must understand how they work. Once we know what we’re up against, we can take decisive action. My presentation next week at CSX Europe will cover the main aspects of covert channels and steganography. The objective is to explain how they work, how to detect them and which counter-measures a company must take in order to prevent them, using many practical examples.
Creating a covert channel takes some ingenious programming, and often access to the file system at the source end of the communication is essential. Covert channel analysis is one of the few ways to detect a covert channel. System performance degradation can be used to show covert channel use, but as computers have advanced, the degradation is insignificant compared to the amount of data processed. This makes detection even harder.
The primary way of defending against covert channel attacks is to examine the source code running on the source machine, as well as monitor resource use by the system in question.
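As an added example of the “how to detect them” side for steganography (not code from the original post or the CSX presentation it announces), the block below implements the classical pairs-of-values chi-square test. Replacing least-significant bits with payload bits tends to equalise the counts of each value pair (2k, 2k+1), so data carrying a full-capacity LSB payload shows a chi-square statistic close to its degrees of freedom, while untouched data usually does not. The input is a flat list of 8-bit samples (for instance grayscale pixels); the sample data is constructed here, a synthetic ramp with a natural LSB bias and a copy whose LSBs are overwritten with seeded pseudo-random bits to mimic an embedded encrypted payload. The threshold and function names are the example’s own choices.

```python
"""Pairs-of-values chi-square steganalysis for LSB embedding.

Added example, not code from the original post. Detects whether the LSBs of a
sample stream are statistically indistinguishable from random bits, the
signature left by full-capacity LSB replacement.
"""
import random
from typing import Iterable, List, Tuple


def pairs_of_values_chi2(samples: Iterable[int]) -> Tuple[float, int]:
    """Chi-square statistic and degrees of freedom over the 128 pairs (2k, 2k+1)."""
    counts = [0] * 256
    for v in samples:
        counts[v & 0xFF] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0        # LSB embedding pushes both toward this mean
        if expected == 0:
            continue                         # pair absent from the data: no information
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return chi2, dof


def lsb_randomness_ratio(samples: List[int]) -> float:
    """chi2 / dof: about 1.0 when LSBs look random, much larger for biased natural data."""
    chi2, dof = pairs_of_values_chi2(samples)
    return chi2 / dof if dof else float("inf")


def looks_lsb_embedded(samples: List[int], threshold: float = 2.0) -> bool:
    """Flag data whose LSB statistics are indistinguishable from random bits."""
    return lsb_randomness_ratio(samples) < threshold


def synthetic_cover(n: int = 4096) -> List[int]:
    """Constructed 'natural' data: a value ramp in which odd samples are rare."""
    cover = []
    for i in range(n):
        v = i % 256
        if v % 2 == 1 and i % 5 != 0:
            v -= 1                           # most odd samples rounded down: biased LSBs
        cover.append(v)
    return cover


def randomise_lsbs(samples: List[int], seed: int = 1234) -> List[int]:
    """Overwrite every LSB with a seeded pseudo-random bit (statistical stand-in for a payload)."""
    rng = random.Random(seed)
    return [(v & 0xFE) | rng.getrandbits(1) for v in samples]


def demo() -> dict:
    cover = synthetic_cover()
    stego = randomise_lsbs(cover)
    return {
        "cover_ratio": lsb_randomness_ratio(cover),
        "stego_ratio": lsb_randomness_ratio(stego),
        "cover_flagged": looks_lsb_embedded(cover),
        "stego_flagged": looks_lsb_embedded(stego),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The detector reports that the LSB plane looks random, which is evidence, not proof: a cover whose pairs are naturally balanced (heavy noise, already-compressed data) will trip the same threshold, and an embedding that uses only a fraction of the LSBs or matches rather than replaces bits will not. In practice the statistic is run over windows of the file and combined with the source-code and resource-usage checks the post recommends.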
What’s the difference between “virtual” and “transparent”? Virtual is when you think is there … but it really isn’t. Transparent is when it’s really there … but you just can’t see it.
Just like we learn so much about the state of our health with an annual physical exam, so does a credible risk assessment provide vital insight to improve the quality of an enterprise cyber security program. The state of cyber security today is probably reflective of the Equifax data breach. This is a teaching moment. It very well could be the tipping point for cyber security. Cyber security, for the next few years, will be a significant C-level priority. Executives are beginning to realize that cyber risk = disruptive business risk!
Security is only as strong as the weakest link. Organizations must ensure that they are on a regular basis performing a comprehensive risk assessment exercise to discover vulnerabilities that can be exploited. The immediate lesson from the Equifax breach is about ensuring organizations review their patch management and configuration management practices. Any policy and process must be influenced by standards such as PCI DSS, ISO 27001, and NIST Special Publications. However, organizations must view this area of challenge as an opportunity to review and improve the full scope of the enterprise cyber security program. Think of the Japanese word, “kaizen,” that means continuous improvement.
Establish an active cyber defense program
The bottom-line recommendation for senior executives is to set the tone for cyber security as an enterprise priority. These seven areas are critical to address on a continual basis:
- Develop a credible and an approved cyber security strategy that resonates across the enterprise
- Implement a cyber security framework
- Conduct a comprehensive and thorough security risk assessment, at least annually
- Ensure a technical vulnerability assessment is performed quarterly, and penetration testing annually, on mission critical assets
- Perform a Business Impact Analysis (BIA)
- Develop a detailed IT Disaster Recovery Plan (DRP); test it regularly
- Create a cyber incident response plan
Cyberattacks may not just disrupt, but potentially destroy valued data. 2018 will witness cyber events of the past repeated. We must be prepared now. We must bake in cyber security in the enterprise DNA. It always starts with a credible enterprise risk assessment. Ensure it is comprehensive and thorough.
Editor’s note: Ali Pabrai will discuss this topic in more detail during his CSX Europe session, titled “The Art of Performing Risk Assessments.” Pabrai is a renowned cyber security expert and member of Infragard (FBI). He is a top-rated dynamic speaker and chief executive of ecfirst - a compliance and cyber security company. Pabrai also serves on the HITRUST Assessor Council, and is the author of several published works.
The former CEO of Equifax recently stated in a speech to the University of Georgia that there are “those companies that have been breached and know it, and there are those companies that have been breached and don't know it.” While this statement must be taken with a grain of salt (it was made after his company was made aware of the massive breach), we still have a sentiment that has become very common.
This type of reasoning was popularized following the RSA breach that was disclosed in 2011. Following this event, many organizations which had breaches would lament the inevitability of a breach. This reasoning often has the related tagline of an “advanced persistent threat,” which further reinforces the mindset that succumbing to shadowy figures is inescapable. In reality, these “advanced” threats are often nothing more than a phishing email, poor passwords, or an attacker running a “point and click” exploit of a vulnerability that has been freely available for months. A cynical view is that both statements amount to nothing more than an attempt to leverage the fear, uncertainty and doubt of all things cyber in an excuse for the shameful security practices of these organizations.
Should organizations adopt this fatalistic attitude? The answer should be no. It takes little more than regular patching, good authentication practices (including multi-factor authentication) and enough security awareness to prevent staff from randomly opening attachments and clicking on links to stop the majority of threats to which many organizations are exposed. Common additional controls and security staff can be added to compensate for additional complexities as businesses grow. Considering these basic security items as a fundamental component of running a modern business will significantly reduce the likelihood of these breaches for organizations.
The reality is not this simple. Cybersecurity is not yet as fundamental as paying bills. Remediating vulnerabilities costs time. Multi-factor authentication adds friction to the user experience. Even the savviest user will make a mistake and click on a link he or she should not have. Additional controls to protect the organization require organizational funds and the support of a skilled security team. Business leaders must continually make a choice between investing in protecting the data they have been entrusted with or using these funds elsewhere. Consequently, protecting data becomes an expensive inconvenience.
Financial incentives for protecting data are minimal. Home Depot, Target Corporation and Anthem Inc. stocks have rebounded from their respective breaches. While several executives were relieved of their employment in these scenarios, severance packages and pensions allow the responsible decision-makers to move on with little hardship. Fines, such as the US $25 million fine against AT&T or the $18.5 million dollar fine against Target, are barely noticeable on corporate earnings reports.
The impact for these events largely affects those whose data is disclosed, rather than the organization that allowed the breach. While individuals are burdened with additional credit monitoring reports, credit card replacement, identity theft, disruptions and stress, large organizations write off breach expenses as a cost of doing business. As a result, poor security practices are the more attractive financial choice for many business decision-makers.
So, is a breach at your company inevitable? Until there are stronger financial incentives for organizations to protect data, the answer for many companies, sadly, is yes.
Recent ransomware attacks, including WannaCry, Petya and NotPetya (which is considered to be a wiper as it irreversibly damages the disk), hit and partially paralyzed hospitals and large commercial organizations. Meanwhile, the security community and security vendors are working to adapt to this somewhat new and very different attack vector.
Many security vendors are focused on adapting current security technologies, such as signature-based file identification, artificial intelligence and application blacklisting, to build effective defensive lines. However, reality draws a less than satisfactory picture. 2016 saw between 20,000 and 50,000 ransomware infections per month, while criminals collected about US $209 million in the first quarter of the year. This year, infections per month are holding steady in that range, while Bitcoin payouts continue to climb.
Figure 1 - Ransomware reality statistics in 2016
Thousands of infected networks and countless headlines prove that the approach taken by traditional security controls and technologies is not efficient and does not bring the infection numbers down. The current approach taken by many security controls and organizations is that ransomware is a type of malware. This approach leads us to look for malware patterns in ransomware – a pattern that is not always there.
Ransomware does not need to manipulate operating systems nor modify sensitive configurations to encrypt files. Moreover, in some cases, legitimate services are harnessed to encrypt the system’s own files. For example, the CTB (Crypto-TOR-Bitcoin) ransomware family demonstrates how a supposedly legitimate service, svchost, can be used to encrypt the system files.
Figure 2 - The CTB ransomware execution flow
The ransomware injects itself into the svchost process, which then drops another payload that moves the files to a temp directory, encrypts them and moves them back to their original location.
Organizations protected by signature-based security controls will fail to identify this type of ransomware, as the signature of the dropper (the initial file infecting the endpoint) can be easily altered. Moreover, security controls based on behavioral analysis might also fail to identify and prevent such ransomware strains from running.
The ransomware attacks that recently infected and paralyzed a hospital and several large commercial organizations took legitimate disguises to the next level. Those ransomware strains, like NotPetya and WannaCry, took advantage of privileged accounts to take control of the endpoint, neutralize security controls, spread across the network and eventually encrypt the disk by modifying the MBR (Master Boot Record) and disk sectors. Privileged accounts allow this type of ransomware to disguise itself as a legitimate user, circumvent security controls and compromise the whole network. The recent NotPetya ransomware, which is considered a wiper as it damages the disk, demonstrates such execution flow.
Figure 3 - NotPetya privileged execution flow
As soon as an endpoint is infected, the variant checks its current privileges and security integrity level (which reflects the current level of privileges of the process security token). If the process identifies that it runs with high integrity privileges, it then modifies the MBR to run a slim boot sequence that does not load the installed operating system. This prevents any security controls from loading and interfering with the encryption process.
The variant then turns to schedule a restart in a randomized amount of time and uses this time to extract credentials from the current system and attempt to infect other systems across the network. The infection process of other systems either uses the extracted credentials, or an SMB vulnerability nicknamed EternalBlue – an NSA exploit of the SMB protocol leaked by the Shadow Brokers. The execution flow of NotPetya allowed it to bypass security and spread in fully patched environments by utilizing credentials.
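The execution flow just described is also a detection opportunity. The block below is an added example (not code from the original post) of correlating that sequence from endpoint telemetry: one high-integrity process writes the physical boot disk, then schedules a restart, and meanwhile fans out to other hosts on SMB. The log format, field names, host names, file paths and timestamps are all constructed for the example; in a real deployment the same fields would come from an EDR or Sysmon-style event source under different names. Correlation is per process, so a backup agent writing the disk and an administrator scheduling a reboot from another process on the same host do not match.

```python
"""Correlate boot-disk write + scheduled restart (+ SMB fan-out) per process.

Added example, not code from the original post. All telemetry below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample telemetry: timestamp|host|pid|image|integrity|event|detail
SAMPLE_LOG = r"""
2017-06-27T10:31:02|ws-042|3312|C:\Users\alice\AppData\Local\Temp\update.exe|High|RawDiskWrite|\\.\PhysicalDrive0
2017-06-27T10:31:03|ws-042|3312|C:\Users\alice\AppData\Local\Temp\update.exe|High|ProcessCreate|schtasks.exe /Create /SC once /TR "shutdown.exe /r /f" /ST 10:52
2017-06-27T10:31:10|ws-042|3312|C:\Users\alice\AppData\Local\Temp\update.exe|High|NetworkConnect|10.0.5.17:445
2017-06-27T10:31:11|ws-042|3312|C:\Users\alice\AppData\Local\Temp\update.exe|High|NetworkConnect|10.0.5.18:445
2017-06-27T10:32:00|srv-bkp|1180|C:\Program Files\BackupAgent\agent.exe|High|RawDiskWrite|\\.\PhysicalDrive0
2017-06-27T10:46:00|srv-bkp|1975|C:\Windows\System32\cmd.exe|High|ProcessCreate|schtasks.exe /Create /SC once /TR "shutdown.exe /r" /ST 23:00
2017-06-27T10:50:00|ws-017|2210|C:\Windows\System32\cmd.exe|High|ProcessCreate|schtasks.exe /Create /SC once /TR "shutdown.exe /r" /ST 23:00
"""

RAW_BOOT_DISK = r"\\.\PhysicalDrive0"   # raw handle to the first physical disk, where the MBR lives


class Event(NamedTuple):
    ts: datetime
    host: str
    pid: int
    image: str
    integrity: str
    kind: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-separated format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, image, integrity, kind, detail = line.split("|", 6)
        events.append(Event(datetime.fromisoformat(ts), host, int(pid), image, integrity, kind, detail))
    return events


def schedules_restart(cmdline: str) -> bool:
    """True for a schtasks invocation that queues a shutdown/restart."""
    c = cmdline.lower()
    return "schtasks" in c and "shutdown" in c and "/r" in c


def detect_mbr_then_restart(events: List[Event], window: timedelta = timedelta(minutes=15)) -> List[Dict]:
    """One alert per (host, pid) that writes the boot disk and schedules a restart within `window`."""
    by_proc: Dict[tuple, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_proc[(e.host, e.pid)].append(e)

    alerts = []
    for (host, pid), evs in by_proc.items():
        disk_writes = [e for e in evs if e.kind == "RawDiskWrite" and e.detail == RAW_BOOT_DISK]
        restarts = [e for e in evs if e.kind == "ProcessCreate" and schedules_restart(e.detail)]
        hit = next(((w, r) for w in disk_writes for r in restarts
                    if timedelta(0) <= r.ts - w.ts <= window), None)
        if hit is None:
            continue
        w, r = hit
        # Enrichment: SMB connections from the same process inside the window, the
        # spreading part of the flow (stolen credentials or the SMB exploit).
        smb = sum(1 for e in evs if e.kind == "NetworkConnect" and e.detail.endswith(":445")
                  and timedelta(0) <= e.ts - w.ts <= window)
        alerts.append({
            "host": host, "pid": pid, "image": w.image, "integrity": w.integrity,
            "disk_write_at": w.ts.isoformat(), "restart_cmd": r.detail, "smb_connections": smb,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mbr_then_restart(parse_log(SAMPLE_LOG)):
        print(alert)
```

Because the rule keys on behaviour rather than on the dropper’s hash, it is unaffected by the trivial re-packing the post describes for CTB; the trade-off is that it fires only after the disk has been touched, so it is a containment signal (isolate the host, block the account) rather than a preventive control.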
To kill such execution flows used by recent ransomware, and to contain the damage done to the whole network once an unprotected, unpatched or insecure endpoint is infected, ransomware should be treated as a program. More specifically, it should be viewed as a program that should run with limited privileges that are granted based on application graylisting. Application graylisting, which is different from simple whitelisting or blacklisting based on a list of approved applications, takes into account the circumstances: where the application came from (Internet, file share, locally created), the operation it intends to perform, the sensitivity of the local machine, the files associated with the application, and more.
Based on those parameters, the application is granted specific privileges that allow it to communicate with the Internet, modify files or read content from memory. Application graylisting, together with credentials protection on the endpoint (protection of passwords in memory, registry, browsers and more), produces a strong second line of defense and a ransomware kill chain. The first line of defense, antivirus software and other traditional perimeter defenses, screens any opportunistic and known attack vectors. Any penetrating attack vectors and ransomware will then hit an environment with restricted privileges that limit resources to any untrusted application.
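To show what a graylisting decision looks like in practice, here is an added illustrative policy engine; it is not code from the original post or any vendor’s product. The attribute names (origin, signing status, host sensitivity, whether the binary was dropped by a script host), the privilege vocabulary, the four rules and the sample applications are all assumptions made for the example. The point it demonstrates is the one the post makes: the same request (“modify user files, talk to the network”) is granted differently depending on where the program came from and what machine it is running on, rather than being answered from a flat allow/deny list.

```python
"""Illustrative application-graylisting policy: context decides privileges.

Added example, not the post's or any product's code. Rules, attribute names and
sample applications are assumptions for demonstration.
"""
from dataclasses import dataclass
from typing import FrozenSet

PRIVILEGES = frozenset({"network", "modify_user_files", "read_process_memory",
                        "write_raw_disk", "schedule_tasks"})


@dataclass(frozen=True)
class AppContext:
    path: str
    origin: str                        # "local_install" | "file_share" | "internet"
    signed_by_trusted_ca: bool
    requested: FrozenSet[str]
    host_sensitivity: str = "standard"  # "standard" | "sensitive"
    dropped_by_script: bool = False     # spawned by an Office macro, script host, etc.


def grant_privileges(app: AppContext) -> FrozenSet[str]:
    """Return the subset of requested privileges the policy grants. Rules only remove."""
    unknown = app.requested - PRIVILEGES
    if unknown:
        raise ValueError(f"unknown privilege(s) requested: {sorted(unknown)}")
    granted = set(app.requested)

    # Rule 1: code that arrived over the Internet or from a share never gets raw disk
    # access (MBR tampering) or process-memory reads (credential theft), signed or not.
    if app.origin in ("internet", "file_share"):
        granted -= {"write_raw_disk", "read_process_memory"}

    # Rule 2: unsigned code from outside the local install base may not schedule tasks
    # (e.g. a delayed reboot) and may not modify user files on sensitive hosts.
    if not app.signed_by_trusted_ca and app.origin != "local_install":
        granted.discard("schedule_tasks")
        if app.host_sensitivity == "sensitive":
            granted.discard("modify_user_files")

    # Rule 3: a binary dropped by a script host may run, but without network access
    # or bulk file modification, the two things a ransomware dropper needs most.
    if app.dropped_by_script:
        granted -= {"network", "modify_user_files"}

    # Rule 4: raw disk writes are reserved for signed, locally installed software.
    if not (app.signed_by_trusted_ca and app.origin == "local_install"):
        granted.discard("write_raw_disk")

    return frozenset(granted)


def denied(app: AppContext) -> FrozenSet[str]:
    return app.requested - grant_privileges(app)


# Constructed sample applications (paths and names are invented).
DROPPER = AppContext(r"C:\Users\alice\AppData\Local\Temp\update.exe", "internet", False,
                     frozenset({"modify_user_files", "network", "write_raw_disk", "schedule_tasks"}),
                     dropped_by_script=True)
BACKUP_AGENT = AppContext(r"C:\Program Files\BackupAgent\agent.exe", "local_install", True,
                          frozenset({"write_raw_disk", "modify_user_files"}))
SIGNED_UPDATER = AppContext(r"C:\Users\bob\Downloads\vendor-update.exe", "internet", True,
                            frozenset({"network", "modify_user_files"}), host_sensitivity="sensitive")
SHARE_TOOL = AppContext(r"\\fileserver\tools\cleanup.exe", "file_share", False,
                        frozenset({"modify_user_files", "network"}), host_sensitivity="sensitive")


if __name__ == "__main__":
    for app in (DROPPER, BACKUP_AGENT, SIGNED_UPDATER, SHARE_TOOL):
        print(app.path, "->", sorted(grant_privileges(app)), "denied:", sorted(denied(app)))
```

The dropper ends with no privileges at all even though it was never on a blacklist, the backup agent keeps its raw-disk access because it is signed and locally installed, and the same unsigned tool that would be allowed to edit files on a standard workstation is restricted to network access on a sensitive one. A production engine would source these attributes from the installer, code-signing verification and asset inventory rather than from hand-built records.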
Figure 4 - Ransomware kill chain
Ransomware, like other attack vectors, is evolving continuously. New ways to penetrate organizations, encrypt files, proliferate and even pay for and receive decryption keys are integrated into new ransomware types. For example, the ransomware nicknamed Rensenware started as a joke, but it illustrates the creativity and ever-evolving methods of attackers. The ransomware demands that the victim play an anime game called Undefined Fantastic Object and hit the 0.2 billion points mark before allowing the victim access to the decryption key.
Figure 5 - Undefined Fantastic Object anime game
This continuous innovation will make it extremely difficult for traditional security controls to identify and prevent ransomware infections of the local machine and the connected network. These new ransomware strains disguise themselves as legitimate programs to avoid anti-virus detection and to spread across secured and patched networks. So, regardless of whether you are an anime games fan, reinforcing the network with a second line of defense, based on application graylisting and credentials protection, could save you the anxiety of dealing with whatever new creatures and monsters stand in your way.
Editor’s note: Raj Samani, Chief Scientist at McAfee and one of the world’s foremost authorities on cybercrime, will deliver a keynote address at CSX Europe 2017, to take place 30 October-1 November in London, UK. Samani visited with ISACA Now to offer his perspective on how cyber security professionals can keep pace with the challenging threat landscape. The following is an edited transcript:
ISACA Now: What are some lessons that cyber practitioners need to take away from some of the major breaches that we’ve seen this year?
Practitioners should focus on the business impact. We often are seen as a technology function, but the reality is that a significant breach has a real detrimental impact on the business. Therefore, making sure we can articulate our work to a non-technical audience is critical.
ISACA Now: How can cyber security pros best keep up with such a fast-evolving threat landscape?
Information is power! Look at your information feeds – from where do you get intelligence and, more importantly, how do you get context behind the firehose of data thrown at all of us every single day?
ISACA Now: What advice do you have for organizations on how to prepare for ransomware?
I recommend visiting nomoreransom.org – everything you need is there for being proactive, but also what to do in the event you have been infected.
ISACA Now: What must boards of directors and senior management do that they often are not doing when it comes to providing oversight of cyber security?
Take accountability. Remember that IT risk is now business risk.
ISACA Now: You note the need for greater information-sharing among governments – do you believe that nations will be able to overcome various political tensions and expand their cooperation for the greater good?
I wish they would. Our society demands it.