Orchestra's Blog

A risk management approach is fundamentally different than the standard approach to cyber security. It requires that organizations explicitly decide on what risks to ignore – an outcome of...

Cisco just published a vulnerability that could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The CVE-2021-1388 vulnerability ranks 10 (out of 10) on the...

Graphs are about the connectedness of objects. Graph’s show us correlation and dependence between seemingly random objects as well as the degrees of freedom and separation from other objects. Social...

I talk to a lot of companies about cyber risk management vs. cyber security. I seem to get one of two possible responses – the first being a blank...

Groundhog Day is celebrated each year in the United States and Canada on February 2. It comes from a superstition that if a groundhog emerging from its burrow on this day sees its...

All of us in the cybersecurity business like to believe that cybersecurity is a boardroom issue and has been for the last few years. On the other hand we...

According to the recently released World Economic Forum (WEF) Global Risks Report 2021, cyber risks continue ranking among the top ten clear and “present dangers” (high probability risks over the...

Cyber Threat Intelligence (CTI) involves analyzing information about threats and producing guidance on how to respond. An interesting 2020 survey by the SANS institute on CTI (requires registration) found...

Last week pro-Trump rioters occupied portions of the U.S. Capitol building. This is a real issue for cyber defense since once there is known or presumed loss of physical...

The CISO role is generally considered one the highest stress, least appreciated executive\managerial jobs. Even before the COVID crisis, nearly 9 out of 10 executives holding the title of...

NIST Special Publication 800-161 on “Supply Chain Risk Management Practices for Federal Information Systems and Organizations” was issued about 5 years ago (it is currently going through a revision)....

Cynefin is sense making framework created in 1999 by Dave Snowden. Cynefin offers five decision-making contexts or “domains”: obvious, complicated, complex, chaotic, and a center of disorder. Figure by Snowded  (Own work,...

Continuing my tracking of the Solarwinds trojan (SUNBURST), I came on an article about Microsoft’s response – “Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach”....

There was another breach this week that made headlines – the breach of the US Treasury Department. This time it is assumed to be a supply chain attack through...

Here in Israel there were two security breaches that made big headlines over the last couple weeks. The first was a an ongoing ransomware attack on an Israeli insurance...

As financial firms become more digital, the EU decided these firms need to focus on ensuring their operations are as cyber resilient as possible. Cyber resilience means the ability...

This week Microsoft released a zero day patch for an unpatched local privilege escalation (LPE) vulnerability affecting all Windows 7 and Server 2008 R2 devices. The LPE vulnerability stems from the...

Donald Rumsfeld was the US Secretary of Defense from 1975-1977 and once answered a security question using the terms known knowns, known unknowns and unknown unknowns. The language is...

Businesses use predictive metrics all the time. For example, forecasting next quarter’s revenue is a predictive metric used widely in business. When looking at any predictive business metric there...

The energy sector faces a cyber double whammy, IT infrastructure that is vulnerable to the same security, compliance and privacy risks faced by any IT organization, along with the...

First a little history. CIOs in the 80s and early 90s were focused on the technical side of the job. They would tend to have a technical background, and...

Security (or Safety) in numbers is the hypothesis that, by being part of a large physical group or mass, an individual is less likely to be the victim of a...

The busy folks at NIST have just released the official version of NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM). It focuses on converging cybersecurity risk management (CSRM)...

The interest in protecting organizational wireless networks is growing and so are the number of guidelines, best practices and standards being proposed and adopted (see Wireless Red Teams). One...

NIST released Special Publication 800-53 Revision 5 earlier this month. In my mind it is actually different enough from previous releases to be considered version 1 of a new...

Many companies operate wireless networks to allow greater flexibility through mobile computing. In many cases IT departments deploy wireless networks but ignore the dangers of wireless connectivity, assuming that...