Data Breaches are still misunderstood

admin — Mon, 20 Jul 2009 04:27:14 +0000

The Ponemon Institute and Ounce Labs (www.ouncelabs.com) released a study on the view CEOs have regarding data protection in their environment. In the study of 213 CEOs and other senior executives, CEOs did not share the same view on how secure their organization is with their executives. 92 percent of respondents said they were attacks. Who has the more realistic view of data security? Could it also be the fault of the executives who usually do not share all the bad information with the CEO? That is probably part of the security education challenge the CEO faces.

The study also found that 33 percent of C-level executives replied that attacks happened “hourly or more often,” while only 17 percent of CEOs said the same thing. That’s a pretty big difference of opinion. Whose responsibility is it to manage, monitor and report on hacker activity? Obviously tactically speaking it fall under IT, the CIO or maybe even the Chief Compliance Officer. But ultimate responsibility in any company falls to the CEO. If a data breach happens such as in the case of TJ Max, it’s the CEO who has to appear on television to explain what happened and answer to their customers.

How do you apply security metrics to report appropriately to the CEO? That magic “Dashboard” is what everyone is after and no one gets right. A good Compliance dashboard that you may want to check out comes with the reports from RiskWatch software (www.riskwatch.com). Its worth a look.

The category of technology CEO’s need to focus on these days is Data Loss Prevention (DLP). Every major company in security has a DLP product and the reason is probably because the education is finally in the market around the necessity of looking at all inputs and output of data in the organization. A data breach can be caused by lack of proper firewalls, no antivirus, no browser protection, not malware protection, lack of patch management or no vulnerability management. Or it could be a hundred other things. A CEO needs to know these terms, how data flows and what the data life cycle really means if they are to truly grasp the threat to their environment.

Prevention is really worth more than detection. If the CEO doesn’t bridge the gap to thinking they might be secure to understanding that they are under attack ever day and perhaps every minute, data breached will continue to occur.

Gary Bahadur

CEO KRAA Security, baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Technorati Tags: data breach, data loss

US to set out cyber security plan -Baha to the rescue

admin — Fri, 29 May 2009 12:59:49 +0000

Why did it takes us over 2 decades to really approach the cybersecurity topic. When I started in informatio security in in 1994, it was the wild west. People were creating processes, developing security frameworks and growing a whole new industry. I like to think I played some part in being on the early team at PriceWaterhouse and we had the first ever corporate “Hacking Lab” in NJ to test our clients security weaknesses. Those were Good time. Now we are just in Regular times.

So what can we expect from the Czar?

The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable, said Hathaway at RSA in April.

Well that was obvious. When you have hackers runing around American corporations and in and out of government agencies, I would agree that is “untenable”.

Here is my plan for cybersecurity:
1) Put ME in charge of the whole thing.

Good plan right?

My point is you have to have someone with a practical approach. You to address this both straategically and tactically. Tactically in the short term and strategic in the long term.

We know government cant get out of its own way, so let the private sector have more say in how this is done. Simple way to start:
1) Have a time line, say 2 year to have every government and quasi government computer defined in a risk classification scheme.
2) Conduct continuous vulnerability assessment of the High and Medium risk systems.
3) MUST have Patch management for all systems.
4) Encrypt any data leaving a secure internal system
5) Figure out what Data Loss Prevention means!
6) FUND Cybersecurity like its part of the Defense Budget.

Baha – new Cybersecurity Czar

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

+++++++++++++++++++++++++++++++++++
BBC
US President Barack Obama is to set out plans for securing American computer networks against cyber attacks.

In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House. Both US government and military bodies have reported repeated interference from hackers in recent years.

In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said. Mr Obama will not discuss the Pentagon plan during Friday’s announcement, the newspaper said.

But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.

Risk Management and Compliance» security metrics

Data Breaches are still misunderstood

US to set out cyber security plan -Baha to the rescue