Surprise: CISOs are Human

The CISO role is generally considered one of the highest-stress, least appreciated executive/managerial jobs. Even before the COVID crisis, nearly 9 out of 10 executives holding the title of chief information security officer (CISO) or chief security officer (CSO) reported “moderate or tremendous” job-related stress. Many say the heightened stress levels have led to mental […]

Supply Chain Risk Management

NIST Special Publication 800-161 on “Supply Chain Risk Management Practices for Federal Information Systems and Organizations” was issued about 5 years ago (it is currently going through a revision). It is a long document (based on the NIST 800-53r4 document on controls) and covers just about everything you could think of that is needed for […]

CISOs, Purple Teams and Cynefin

Cynefin is a sense-making framework created in 1999 by Dave Snowden. Cynefin offers five decision-making contexts or “domains”: obvious, complicated, complex, chaotic, and a center of disorder. Figure by Snowded (Own work, CC BY-SA 3.0). I believe that the main proactive aspect of a CISO’s job is to lower complexity by moving as many events as possible to […]

Microsoft, SUNBURST and Supply Chain Attacks

Continuing my tracking of the Solarwinds trojan (SUNBURST), I came across an article about Microsoft’s response – “Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach”. Seemed a bit over the top to me until I looked up Death Star and found this: DEATH STAR OG – “Death Star OG indica dominant […]

More SWAG – This Time Thanks to the US Treasury

There was another breach this week that made headlines – the breach of the US Treasury Department. This time it is assumed to be a supply chain attack through a Solarwinds Orion server. According to a FireEye blog post the attack uses a trojanized plug-in that contains a backdoor for communication via HTTP to third […]

SWAG Security Analysis

Here in Israel there were two security breaches that made big headlines over the last couple of weeks. The first was an ongoing ransomware attack on an Israeli insurance company (Shirbit); the other was the breach of FireEye (a security company that claims to know more about cyber security than anyone). One thing that both […]

DORA the (Threat Led) Explorer

As financial firms become more digital, the EU decided these firms need to focus on ensuring their operations are as cyber resilient as possible. Cyber resilience means the ability to protect electronic data and systems from cyberattacks, as well as to resume business operations quickly in the event of a successful attack. DORA (Digital […]

When a Zero Day is Old News

This week Microsoft released a zero day patch for an unpatched local privilege escalation (LPE) vulnerability affecting all Windows 7 and Server 2008 R2 devices. The LPE vulnerability stems from the misconfiguration of two service registry keys and it enables local attackers to elevate their privileges on any fully patched Windows 7 and Server 2008 R2 system. Even […]

Outcome based Cyber Security

Donald Rumsfeld was the US Secretary of Defense from 1975-1977 and once answered a security question using the terms known knowns, known unknowns and unknown unknowns. The language is a bit tortured but the point is valid – and very relevant for outcome based cyber security. Here is a quick definition: Known-knowns – things we […]

Trump, Biden and CVSS

Businesses use predictive metrics all the time. For example, forecasting next quarter’s revenue is a predictive metric used widely in business. When looking at any predictive business metric there are two values that define the usefulness of the metric – its accuracy and precision. Accuracy describes the degree of closeness of measurements of a metric […]