Orchestra's Blog
When a Zero Day is Old News
This week Microsoft released a zero day patch for an unpatched local privilege escalation (LPE) vulnerability affecting all Windows 7 and Server 2008 R2 devices. The LPE vulnerability stems from the...
Outcome based Cyber Security
Donald Rumsfeld was the US Secretary of Defense from 1975-1977 and once answered a security question using the terms known knowns, known unknowns and unknown unknowns. The language is...
Trump, Biden and CVSS
Businesses use predictive metrics all the time. For example, forecasting next quarter’s revenue is a predictive metric used widely in business. When looking at any predictive business metric there...
Security, Compliance and Privacy Risks in the Energy Sector
The energy sector faces a cyber double whammy, IT infrastructure that is vulnerable to the same security, compliance and privacy risks faced by any IT organization, along with the...
Digital Security: CISO, TISO, BISO, BASE
First a little history. CIOs in the 80s and early 90s were focused on the technical side of the job. They would tend to have a technical background, and...
Security in Numbers
Security (or Safety) in numbers is the hypothesis that, by being part of a large physical group or mass, an individual is less likely to be the victim of a...
Cybersecurity and Continuous Improvement
The busy folks at NIST have just released the official version of NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM). It focuses on converging cybersecurity risk management (CSRM)...
Protecting Airspace, WLAN, Wireless and WiFi – Oh My
The interest in protecting organizational wireless networks is growing and so are the number of guidelines, best practices and standards being proposed and adopted (see Wireless Red Teams). One...
800-53 Revision 5 – Outcome Based Security and Privacy Control
NIST released Special Publication 800-53 Revision 5 earlier this month. In my mind it is actually different enough from previous releases to be considered version 1 of a new...
Wireless Red Teams: Evil Twins, Eavesdropping, and Password Cracking
Many companies operate wireless networks to allow greater flexibility through mobile computing. In many cases IT departments deploy wireless networks but ignore the dangers of wireless connectivity, assuming that...
Red, White and Blue Make Purple
Vulnerability scanning, penetration testing and red teams are the main detective controls for residual cyber risk – i.e. the risk that remains given controls already in place. Vulnerability scanning...
Red, White and Blue Cybersecurity Risks
Cybersecurity is moving away from using threats, vulnerabilities and exploits as the management metaphor towards risk-based cybersecurity management. Using risk terminology, penetration testing is a standard detective control used...
Lack of Standard Metrics
Lack of standard metrics to measure, manage and benchmark cyber risk limits security efficiency and effectiveness, making it difficult to prioritize and coordinate cyber defenses Single security truth from...
Fragmented technologies
Organizations’ cyber security stack consist of 100-150 different disconnected point tools or technologies making it difficult to assess and act on the big picture. Organizations based their security operations...
Constantly Shifting Business Needs
In today’s modern world business needs are constantly shifting, IT and cyber risk landscape require a constant stream of attention and resources. CISOs role isn’t just about security, but...
Is Cyber Security Fit-to-Purpose?
ITIL (IT Infrastructure Library) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL is used by CIOs (especially...