CDM-CYBER-DEFENSE-eMAGAZINE-March-2019

More documents

Recommendations

Info

Security have and have-nots How organizations can stay above “The Security Poverty Line” By Javvad Malik, security advocate, Alien Vault Way back in around the 2010 / 2011 timeframe Wendy Nether coined the phrase "The Security Poverty Line" in which she hypothesized that organizations, for one reason or another (usually lack of funds), can't afford to reach an effective level of information security. Nearly a decade on, and while the term has suck into frequent usage within the information security community, are we any better at solving the issue now that we've identified it? I asked Wendy on her thoughts, to which she said, “I don’t think we’ve even come close to understanding it yet. And I think solving it will take an effort on the level of US health care reform.” It’s a morbid thought, and can leave one with a feeling of helplessness. So, I thought I’d try to scratch beneath the surface to see what we can understand about the security poverty line. Technical Debt The term technical debt has become more prevalent within information security over the years. Whereby a company will accrue technical debt, or information security risk over time due to decisions they've made. For example, if a service is launched before undertaking a full penetration test or code review, it adds to the debt of fixing any subsequent issues in a live environment.
Exponential losses One of the challenges with technical debt is that it doesn’t occur in a linear manner, rather the debt, or fall below the poverty line occurs at an exponential rate. Speaking to people who run small businesses, things become a bit clearer as to some of the challenges they face. Cyber security needs investment in different areas, initially that is to hire expertise, or invest in technologies. Neither of which are necessarily the smallest of investments. But when there are ongoing costs, the cost to maintain security, to undertake ongoing testing. Then, when wanting to do business with larger companies, the smaller company is usually subject to a 3rd party assurance process where they need to demonstrate they meet all the cyber security requirements of the larger company, even in instances where the controls may not be directly applicable. Finally, in the event of an incident, a company that has already under-invested in security is faced with loss of business, or even legal action from partners, regulatory fines, as well as the cost of incident recovery and PR management. How much Information security is enough? With such a seemingly endless laundry list of things to consider in the security world, the question on the minds of most businesses is, ‘how much is enough’? Unfortunately, if you’re looking for a hard number, you’ll be disappointed. Because the threats and challenges present in the cyber world represent a moving target. But this doesn’t mean all effort is futile, it’s more a case of looking at the world differently. One way to look at this could be through the lens of finite and infinite games, as coined by James Carse in his 1986 book of the same name. The idea is that there are two kinds of games, finite, and infinite games. Finite games are those which have rules such as number of participants, boundaries, time duration, and so forth. After a certain period of time, a winner is declared in accordance with the agreed upon rules. If you try to look at cyber security as a finite game, you will inevitably pull your hair out in frustration and turn into precisely how urban dictionary describes InfoSec. Cyber Security is more of an infinite game - one where there is no set rules or boundaries or even a winner or loser as defined in the classical sense. Rather the purpose of an infinite game is to always be in a position to continue the game. Continuing the game Asking companies to continue the game when resources are scarce and they’re living on the security poverty line. But once you understand the game, the players, the pieces, and the moves, it becomes easier to plan your strategy. For that, it’s useful to consider the following points.
Page 1 and 2:
Data Breaches: Beyond Exposing Iden
Page 3 and 4:
CONTENTS (cont') Prioritizing Secur
Page 5:
@CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 22 and 23:
Data Breaches: Beyond Exposing Iden
Page 24 and 25:
About the Author Kem Gay is an Inte
Page 26 and 27: Rip Off the Band-Aid This leaves us
Page 28 and 29: Why Biometric Data Use Poses Unique
Page 30 and 31: • DNA Kits: If you purchased or u
Page 32 and 33: How to be Workforce Ready and Stand
Page 34 and 35: Maximiliano Gigli, a third-year cyb
Page 36 and 37: Interestingly, the two groups diffe
Page 38 and 39: Cross-site Scripting Is an Underrat
Page 40 and 41: Stealing HTML5 web storage data: HT
Page 42 and 43: Cybersecurity in New York City, the
Page 44 and 45: A boom in cybersecurity startups se
Page 46 and 47: illion risks and threats among its
Page 48 and 49: Some Important Developments in the
Page 50 and 51: About the Author Sharmistha Sarkar
Page 52 and 53: employees to contractors and sub-co
Page 54 and 55: The Internet of Things Engineering
Page 56 and 57: About The Author Milica D. Djekic i
Page 58 and 59: kind. Many of them require some kin
Page 60 and 61: 2019 Risks in Focus: Cyber Incident
Page 62 and 63: However, the past year has also wit
Page 64 and 65: Why Insider Threats Are One of the
Page 66 and 67: Unlike with outside security threat
Page 68 and 69: Organizations will also frequently
Page 70 and 71: The US Must Catch Up to Other Promi
Page 72 and 73: The fact is, the wider internationa
Page 74 and 75: Integrate Compliance and Regulation
Page 78 and 79: 1. People Having the right people c
Page 80 and 81: sources (such as syslog’s, Net Fl
Page 82 and 83: Limitations of Current Endpoint Sec
Page 84 and 85: For effective detection, most EDR s
Page 86 and 87: Why Wi-Fi Hacking Will Persist Desp
Page 88 and 89: About the Author Ryan Orsi is Direc
Page 90 and 91: questions such as, “Who added a w
Page 92 and 93: About the Author Josh Paape is an O
Page 94 and 95: for well-known, repeatable needs fi
Page 96 and 97: Overcoming Software Security Issues
Page 98 and 99: Implementing Security Checks at Str
Page 100 and 101: Phishing in the Dark: Employee Secu
Page 102 and 103: phishing threats. Furthermore, almo
Page 104 and 105: Unfortunately, once an application
Page 106 and 107: Software Should Come with a “Nutr
Page 108 and 109: vulnerabilities. If they find vulne
Page 110 and 111: I can't get no satisfaction, I can'
Page 112 and 113: How Organizations Should Choose a L
Page 114 and 115: load balancers capable of integrati
Page 116 and 117: SaaS DNS Security: Are you Protecte
Page 118 and 119: associated with any security event
Page 120 and 121: 120
Page 122 and 123: 122
Page 124 and 125: 124
Page 126 and 127:
126
Page 128 and 129:
128
Page 130 and 131:
130
Page 132 and 133:
132
Page 134 and 135:
134
Page 136 and 137:
136
Page 138 and 139:
138
Page 140 and 141:
140
Page 142 and 143:
142
Page 144 and 145:
144
Page 146 and 147:
146
Page 148 and 149:
148
Page 150 and 151:
We’ve launched http://www.CyberDe
Page 152 and 153:
Marketing and Partnership Opportuni
Page 154 and 155:
Regent University’s Institute for
Page 156 and 157:
156
show all

CDM-CYBER-DEFENSE-eMAGAZINE-March-2019

Create successful ePaper yourself

Delete template?

Save as template?