Surprise: CISOs are Human
The CISO role is generally considered one the highest stress, least appreciated executive\managerial jobs. Even before the COVID crisis, nearly 9 out of 10 executives holding the title of chief information security officer (CISO) or chief security officer (CSO) reported “moderate or tremendous” job-related stress. Many say the heightened stress levels has led to mental […]
Supply Chain Risk Management
NIST Special Publication 800-161 on “Supply Chain Risk Management Practices for Federal Information Systems and Organizations” was issued about 5 years ago (it is currently going through a revision). It is a long document (based off the NIST 800-53r4 document on controls) and covers just about everything you could think of that is needed for […]
CISOs, Purple Teams and Cynefin
Cynefin is sense making framework created in 1999 by Dave Snowden. Cynefin offers five decision-making contexts or “domains”: obvious, complicated, complex, chaotic, and a center of disorder. Figure by Snowded (Own work, CC BY-SA 3.0) I believe that the main proactive aspect of a CISO’s job is to lower complexity by moving many events as possible to […]
Microsoft, SUNBURST and Supply Chain Attacks
Continuing my tracking of the Solarwinds trojan (SUNBURST), I came on an article about Microsoft’s response – “Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach”. Seemed a bit over the top to me until I looked up Death Star and found this: DEATH STAR OG – “Death Star OG indica dominant […]
More SWAG – This Time Thanks to the US Treasury
There was another breach this week that made headlines – the breach of the US Treasury Department. This time it is assumed to be a supply chain attack through a Solarwinds Orion server. According to a FireEye blog post the attack uses a trojanized plug-in that contains a backdoor for communication via HTTP to third […]
SWAG Security Analysis
Here in Israel there were two security breaches that made big headlines over the last couple weeks. The first was a an ongoing ransomware attack on an Israeli insurance company (Shirbit) the other the breach of FireEye (a security company that claims to knows more about cyber security than anyone). One thing that both […]
DORA the (Threat Led) Explorer
As financial firms become more digital, the EU decided these firms need to focus on ensuring their operations are as cyber resilient as possible. Cyber resilience means the ability to protect electronic data and systems from cyberattacks, as well as to resume business operations quickly in the event of a successful attack. DORA (Digital […]
When a Zero Day is Old News
This week Microsoft released a zero day patch for an unpatched local privilege escalation (LPE) vulnerability affecting all Windows 7 and Server 2008 R2 devices. The LPE vulnerability stems from the misconfiguration of two service registry keys and it enables local attackers to elevate their privileges on any fully patched Windows 7 and Server 2008 R2 system. Even […]
Outcome based Cyber Security
Donald Rumsfeld was the US Secretary of Defense from 1975-1977 and once answered a security question using the terms known knowns, known unknowns and unknown unknowns. The language is a bit tortured but the point is valid – and very relevant for outcome based cyber security. Here is a quick definition: Known-knowns – things we […]
Trump, Biden and CVSS
Businesses use predictive metrics all the time. For example, forecasting next quarter’s revenue is a predictive metric used widely in business. When looking at any predictive business metric there are two values that define the usefulness of the metric – its accuracy and precision. Accuracy describes the degree of closeness of measurements of a metric […]