Used to be that you had to be rich to afford servants. And what a perk they were! They would perform all types of services for you which gave you more leisure time and less toil. However, servants came with a price beyond their paychecks and livery. With servants around all the time, you could never be really sure of your privacy. You had to watch what you said and where you said it. You also had to be careful of your state of dress, actions and personal hygiene. If you failed to be discrete, you might get nasty surprises in the form of ridicule and embarrassment. If you were a military man or government official, you could even face such consequences as loss of secret information and official censure.
If yours is like most organizations, you have a policy or requirement of periodic (usually annual) risk assessment. Financial organizations and medical concerns, for example, fall under this requirement. Also, many organizations that have no regulatory requirement to perform risk assessment, perform one as a matter of best practice. And since you are doing one anyway, you might as well get maximum use from it.
It is the season when many concerns are allocating resources for the coming year. The information security budget is usually limited, even if it is adequate to protect the system and the information it contains. It is therefore very important that information security dollars be allocated wisely, and to maximum effect. To make a wise decision, you need to have the best and most current information. The results of an enterprise-level risk assessment are an excellent source of such information.
If you look at modern information security guidance such as the Center for Internet Security Top 20, the NIST Cybersecurity Framework or MicroSolved’s own 80/20 Rule for Information Security, the first controls they recommend implementing are inventories of hardware and software assets. There are several good reasons for making IT asset inventories job number one.
There has been a lot of talk recently about getting rid of passwords as a means of user identification. I can certainly understand why this opinion exists, especially with the ever-increasing number of data breaches being reported each year. It’s true that we users make all kinds of mistakes when choosing, protecting and employing passwords. We choose easy to guess passwords, we use the same passwords for business access and for our personnel accounts, we write our passwords down and store them in accessible places, we reveal our passwords during phishing attacks, we reuse our old passwords as often as we can and we exploit every weakness configured into the system password policy. Even users who are very careful with their passwords have lapses sometimes. And these weaknesses are not going to change; humans will continue to mess up and all the training in the world will not solve the problem. However, even knowing this, organizations and systems still rely on passwords as the primary factor necessary for system access.
Times are getting hard for concerns that collect or sell information about individuals. People are becoming more concerned about their privacy and want their personal information protected. It’s taken a while, but folks are waking up to the fact that information about who they are, where they live, what they like to do, what they like to buy and a plethora of other information is being systematically collected and sold all the time.
National information security and privacy legislation has been bandied about now for a long time, but with no results as yet. So, the States are getting sick of waiting and are drafting their own privacy acts, especially since the inception of the European Union’s General Data Protection Regulation (GDPR).
We are at the end of the second decade of the 21st century now, and we are still suffering from poor application coding security practices of all sorts. This is costing us big-time in dollars, intellectual property, privacy, security, apprehension and consternation!
As individual consumers, we tend to think of things like identity theft, invasion of privacy and loss of services when we consider the problem of poorly secured applications. But the problem is much broader and deeper than that. Holes in application coding security can also be used to attack communications systems, utility and industrial control systems, supply chains and transportation systems, and military command and control and weapons systems. These kinds of failures can lead to wide-scale confusion, outages, disasters and the deaths of innocents; possibly lots of innocents.
For more than 20 years now, hackers and cyber-criminals have been breaking into computer systems and networks. And for just as long a period of time, manufacturers, networking folk and cyber-security personnel have been developing devices, controls and processes to prevent these people from getting in and raising havoc. The “bad guys” come up with new ways to compromise system security, and then the “good guys” come up with new ways to protect it. Back and forth, forth and back, back and forth… it never seems to stop!
Have you ever heard of the New York State Department of Financial Services regulation requiring financial services companies to adopt cybersecurity measures that “match relevant risks and keep pace with technological advancements” (23 NYCRR 500)? If you haven’t, you should take a look, even if you don’t do business in the State of New York. This regulation is having a snowball effect that is affecting financial institutions across the nation.
Algorithms, step-by-step processes designed to tell a computer what to do and how to do it, are used to encipher data. Passwords and crypto keys are strings of characters needed to decrypt enciphered data. If these strings are not properly managed, you can lose the ability to decrypt this data forever. That is why proper key management is so important any time you are using cryptography on your systems. When using Blockchain, it can be especially important.
The most notable use of Blockchain to date is in Cryptocurrency. Last December, the 30-year-old founder of the Canadian cryptocurrency exchange QuadrigaCX reportedly died abroad. Unfortunately, he went to his reward without telling anyone the password for his storage wallet, causing the loss of up to 190 million dollars. What a mess! The exchange is now out of business and the court has appointed a monitor (Ernst & Young) and law firms to represent QuadrigaCX customers. An object lesson indeed for employing proper key management.
The Ohio Data Protection Act differs from others in the country in that it offers the “carrot” without threat of the “stick.” Although companies are rewarded for implementing a cyber-security program that meets any of a variety of security standards, having a non-compliant program carries no penalty under this act.
The theory is that Ohio companies will be more willing to put resources into their information security programs proactively if a tangible return on their investment is available; like investing in insurance to hedge risk. Alternatively, if there is no threat of penalty for non-compliance, why wouldn’t a business simply adopt a wait and see attitude? After all, most companies do not have big data breaches, and developing and documenting a compliant information security program is expensive.