Cyber & Risk

Understanding cyber security has never been as critical as it is today. 

The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.

In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you? 

IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards. 

Conclusion: The challenge with handling threat intelligence is in assessing its relevance to an organisation, determining an appropriate response and then continual execution and reassessment. Consequently, the more comprehensive the threat intelligence service is, the greater the requirement for a customer to have existing, mature cyber security capability. Organisations must understand how they will use a threat intelligence service and what business benefit it will deliver to their organisation.


Conclusion: The IT industry has hit a breaking point where the artificial grouping of information security and IT has left many organisations vulnerable. Business units have viewed information security as an IT problem, and IT has abdicated responsibility for many aspects of operations that should be viewed as basic hygiene. It is time for organisations that want to establish a reputation of trust with their stakeholders to view information security very differently. This will require IT to take on more responsibility for security hygiene issues, and for many security practitioners to make the mental shift from technical doers to risk communicators. All organisations must know who, internally, is ultimately accountable for cyber-security and that this person is adequately informed, and empowered to execute on this accountability.


Conclusion: There are two compelling information security reasons for creating a sense of purpose and ownership within an organisation. The first is that a sense of purpose and ownership will empower staff so that they move from responding to basic security hygiene matters, towards pre-empting issues. The second reason is so that organisations look out beyond themselves and work towards a more resilient ecosystem.

This level of resilience maturity is vital and will be driven by leadership and a continuing commitment to talent development. Astute security leaders will use cultural indicators such as engagement and sense of purpose and ownership, as a guide to the ability of the organisation to withstand security incidents.


Conclusion: Non-IT executives are often reported as being concerned about the prospect of a cyber incident, but as security is not their area of expertise, responsibility for mitigation and preparation is often devolved to IT. This is a mistake, because as much as lack of any security could be devastating, applying the wrong controls to an organisation can be equally debilitating. Security is a response to risk, and it is the ongoing mandate of executives to demonstrate that they are guiding their organisation through foreseeable risks. Consequently, many organisations would benefit from the appointment of an information security officer who is able to translate between IT and the business and ensure that cyber risks are prepared for responsibly.


This paper explores why IT security in supply chains is an important topic and sets out a model for organisations to review their exposure and then communicate these issues internally, and with suppliers.

The IT dependencies that organisations now have are largely invisible and can be easily taken for granted, much like the infrastructure involved in providing electricity or water to a home. And just like electricity and water, when there is an incident in the IT supply chain, the impact on the end consumer can be considerable.

Security in the supply chain can seem like an overwhelmingly technical topic, and it is a large topic, but it is not insurmountable. An increasing number of security leaders are looking at the supply chain as the ecosystem that their organisations operate in, and are starting to work on securing the resilience of every link in the chain – and this will take time, effort, and collaboration.


Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber-attacks, regulators and courts will be looking for evidence that organisations exercised due care in vendor selection and support of information security initiatives. The great challenge is in communicating to non-technical people what are often thought of as merely technical issues. In this shifting market, an approach such as the “Five Knows of Cyber Security” can prove invaluable in shifting a technical conversation to a governance conversation.


Related Articles:

"Applying The Five Knows of Cyber Security (Video)" IBRS, 2016-08-15 02:39:16

Conclusion: Security leaders know that it is not enough for the security group to do its job; they must be seen to be doing their job. This need for communication between security and the business is resulting in organisations creating outreach roles. Many organisations have yet to realise that this communications gap directly impacts their risk management capabilities. While the security team may be executing its work with technical accuracy, it is not serving the true needs of the business. The key to bridging this gap is an outreach function.


Conclusion: Lockheed Martin’s Cyber Kill Chain framework is a potentially valuable perspective for highly risk-averse and highly targeted organisations. Its language is militaristic and technical, which means that it is most suitable for people already inclined to that way of thinking, but in contrast, it may be inappropriate and ineffective with other audiences. Due to its militaristic language, the policy intentions of this framework may be (and have been) reinterpreted by stakeholders, resulting in a misalignment of effort in managing risks.


Conclusion: Travelling executives must be under no illusion that if corporate information on, or accessible via, their electronic devices is of interest to the economic wellbeing of a foreign country, they will be targeted for electronic intrusion. The potential value of the information to a third party will be directly proportional to the effort they may expend in getting it. The more an organisation has at stake, the more important it is that this is a risk-driven conversation, not a technology one, because the technology does not matter if an executive’s behaviour does not alter to match the risk.


Conclusion: Organisations moving traditional enterprise applications into production on AWS will find backup and recovery functional but immature compared to their existing on-premises Enterprise Backup and Recovery (EBR) tools.

Storage administrators need to understand the native backup and recovery methods in AWS and determine how these can be used to meet the business’ recovery objectives. The optimal AWS solution may require adopting new tools and rethinking long-held assumptions.


Conclusion: As cyber-security becomes a board-level topic, organisations in the A/NZ region are feeling the pinch of the security skills shortage. In this environment, moving IT services to the Cloud has the potential to streamline and/or automate some basic IT security practices. Cloud services are not an IT security silver bullet, but for many organisations, the scale and maturity of some Cloud vendors will be an improvement over their current IT operations.


Conclusion: Awareness of risks and threats, by itself, is not enough to protect an organisation. Security awareness campaigns are a sustained attempt at behaviour modification. But behaviour modification works best when an individual is not resisting the change. This means that the first step for any security awareness campaign must be to assess employee engagement. If employee engagement is low, this must be addressed before a security awareness campaign can be effective.


Conclusion: As much as the industry should not blame the victims of cyberattacks, the industry must also learn from these crimes. There are important lessons that must be drawn out from these breaches, because most organisations would be equally vulnerable to similar attacks. Three key lessons are: look for indicators of compromise and be sufficiently resourced to respond; review exposure through third parties; and consider compliance with security standards as a bare minimum for required effort.


Conclusion: When considering using cyber-insurance to deal with the potential costs associated with a successful attack, there are important considerations that CIOs and CISOs should be highlighting to operational risk and finance executives. Most organisations will need to raise their risk maturity substantially, and this means investment as well as changes to practices, before they are in a position to be able to take advantage of cyber-insurance.


Conclusion: There are a number of traits and behaviours to look for in an effective security leader, which are different from a traditional IT leader. The measure of an effective CISO is not whether their organisation has had a breach, or not. The measures of an effective CISO are the types of incidents their organisation has, and how their organisation responds to these. Consequently, an effective CISO is a requisite component for comprehensive risk management and organisational resilience.


Conclusion: Security leaders should approach security frameworks as a challenge to how the organisation secures its information assets. So, security leaders should be able to defend adherence, or variation, from any point on a chosen framework. Variance may be critical for business function, but the security leader needs to know this and be able to articulate it. This is not an argument for non-compliance, but toward a deep understanding of business requirements – and being able to defend this position to internal and external auditors.


Conclusion: Organisations must ensure they have taken reasonable steps to not release IT equipment which contains information assets. Leading software options for wiping data will be more than adequate for most organisations, and physically destroying disks is both excessively costly and environmentally unfriendly. However, as important as ensuring that sensitive data is destroyed, it is equally important that the organisation has an audit trail to demonstrate that the data destruction policy has been followed. The more sensitive the information is, the greater the need for the assurance of an audit trail.


Mandatory data breach disclosure is exactly what it says: legislation that obliges an organisation to reveal that it has experienced a data breach and lost control of its customers’ personally identifying and/or sensitive information. The industry buzz really started in 2003 with California Senate Bill 1386 which obliged organisations to inform their customers if there was, or reasonably believed to have been, a compromise in the confidentiality of the customers’ data (which meant “lost” + “unencrypted”).  


Conclusion: Cyber-insurance will be an inevitability for all organisations. However, executives should be clear on what level of cover they are buying, what incidents they are getting cover for, and the costs and impacts on the organisation that insurance cannot (or may not) cover.

An exploration into the feasibility of cyber-insurance is likely to raise good questions about whether an organisation has sufficient controls in place, as well as to what degree the organisation is willing to self-insure. But these questions, like the purchase of cyber-insurance, can only be addressed by the business.


Conclusion: The deadline for compliance with the Privacy Act passed in March, yet some organisations have not yet started reviewing their level of non-compliance. More mature organisations have been proactive and, in projects driven by the business, have reviewed and addressed areas of non-compliance. Some of these projects are still underway. These proactive organisations have the view that the cost of ensuring compliance is outweighed by the potential damage to the organisation’s reputation in the event of a publicly disclosed privacy breach where the organisation is found to be at fault.


Conclusion: IT executives from Australia’s largest organisations are actively looking for ways to create cyber-resilience, not just in their organisations, but also in the ecosystem their organisations operate in. These executives are acknowledging that it is not enough for an organisation to survive if the community it operates in is crippled. IT security executives are concerned that in the event of a severe attack the current, disparate communications channels between private sector and government will not be effective. There is a need for a coordinated, national response to a severe cyber-attack, and for everyone in the information security community to know what this response is.


Conclusion: Many IT executives are still unclear as to their obligations under the amended Privacy Act. IT executives should use the Privacy Act as an opportunity to start transitioning into a technical advisor role for their organisation. They should avoid falling into the trap of trying to unravel the Act from a legal perspective. It is paramount that the business understands that while IT can take leadership on a project for compliance with the Privacy Act, compliance is a business obligation and not an IT problem.


Conclusion: The probability of an inside attack is hard to gauge and depends entirely on the inner state of the attacker, but the impact can range from inconsequential to disproportionately vast. CIOs must assess the risk of a malicious insider in the context of their organisation’s information assets and risk management priorities. Astute CIOs will know that technology alone will not mitigate this risk, and that an ongoing


Conclusion: Accusations against Huawei of spying for the Chinese Government are destabilising confidence in this vendor in the local market. Consequently, the key challenge for Huawei in the enterprise IT space will be a growing reticence by people to be trained in a technology that is being positioned by the intelligence community as a political pariah. This will create a shortage of people trained in Huawei enterprise network equipment and will lead to a sellers’ market for these skills. This will add considerably to the ongoing costs of opting for a cheaper vendor.


Conclusion: As physical and digital supply chains become more integrated across organisational, regional, and national boundaries, the potential impact of an emergency or crisis can be far reaching. A proactive approach to crisis management requires an awareness of all the high-impact crisis and emergency events that could affect an organisation, and requires appropriate tools for risk assessment and active hazard management.


Conclusion: Windows XP will not stop working in April 2014 when Microsoft stops supporting this popular operating system. However, as time passes, this OS will become an increasing burden on organisations, due to third party support, security challenges, increasingly specialised skillsets, and perception. Windows XP will quickly become a legacy environment, with all the associated challenges. Consequently, CIOs should have a clear plan for any remaining Windows XP machines. The value of a clear plan is two-fold: firstly for common understanding within the IT department, but also for communicating to stakeholders.


Conclusion: In engaging with an external incident response provider, it’s vital that they are not walking blind into your environment. Equally, you need to know exactly who they are, what they are capable of, and what the agreed outcomes of the engagement will be. If you have been attacked, or are still under attack, your organisation’s information assets are potentially at their most vulnerable, so the trust in your incident response provider needs to have been established prior to the attack. This places higher than normal importance on your vendor selection process, and in engaging with the incident response provider as early as possible.


Related Articles:

"Preparing for cybercrime - communications" IBRS, 2013-03-24 00:00:00

"Preparing for cybercrime: incident response" IBRS, 2013-09-25 00:00:00

Conclusion: Over the last five years, the market for crisis management and emergency response systems has undergone a rapid evolution. Innovative solutions exploit the proliferation of smart mobile devices, the continuously growing number of available data feeds, the simplicity of the deployment models afforded by the Web, and powerful geographic information system functionality. Given the maturity of some of the available solutions, it makes sense for larger organisations in the public sector and for utility organisations to consider the deployment of a modern crisis management and incident response system.


In 2010, IBRS wrote that “My dog is a cloud” and noted that defining cloud was an exercise in fuzziness, there’s a gap between expectations and experience, and the self-promotion by cloud vendors is relentless. The more things change, the more they stay the same.

IBRS recently ran a series of roundtables where CIOs were able to meet and discuss the impact of the cloud on IT departments and their organisations. An interesting theme was that the CIOs often experienced great frustration with the cloud. Promises of lower costs, transparent billing, responsive support, and integration often varied from reality. Some of the stories sounded like a commercial version of Russian Roulette, or what it would be like dealing with an unregulated banking industry.


Conclusion: Predictably, Apple’s lead with its Touch ID biometric reader will be followed by the smartphone industry, and we will see a flood of biometrics options for consumers. Many of these biometric deployments will not be well executed, and the failures of these systems will impact the feasibility of biometrics as a means of authentication. Reliance on biometrics, which are used across multiple systems, yet cannot be revoked, will make fingerprints an obsolete authentication credential which will need continual bypass options. Within the next two years, fingerprint authentication in the enterprise will be rendered obsolete.


Conclusion: Engaging with an incident response service provider is a process that needs careful research and planning. It’s valuable for your incident responders to know a considerable amount about your business operations so that they can help support the business in an incident, and not just stamp out technical fires, potentially doing further business damage. It is equally important that you know your incident response service provider: how they prefer to engage, what their capabilities are, their reference clients, and what their employment policies are.


Related Articles:

"Preparing for cybercrime - communications" IBRS, 2013-03-24 00:00:00

"Preparing for cybercrime; incident response Part 2" IBRS, 2013-11-27 00:00:00

Conclusion: Recent exposure of US intelligence community actions, to monitor data of non-US entities, has highlighted the tenuous control organisations have over maintaining the confidentiality of their data. Whether US intelligence explicitly, or informally, assists US commercial interests, non-US organisations have been served with a clear warning as to how they should see this new world.

Organisations should review what information assets they are entrusting to US cloud vendors, and what the impact on the organisation would be if the confidentiality of these assets were to be compromised without the organisation’s knowledge.


Conclusion: Application whitelisting is a highly effective mechanism to minimise the impact of malware, and even ensure software licensing limits are enforced, but it is not a simple project and the technology to enforce a whitelist is still maturing. CIOs of Australian government agencies required to comply with the Protective Security Policy Framework and Information Security Manual (ISM) should have a clear plan to present to their Ministers on how this project will be delivered over the next 18-24 months.


Conclusion: In this era of targeted, self-obfuscating, and successful cyber-attacks, organisations must do three things. First, recognise that the organisation cannot prevent a dedicated attack. Second, understand what the organisation’s information assets are, and where they are. This is because we cannot always anticipate how the attacker may get in, but it is imperative to know what they are likely coming for. Third, increase your focus on detection and incident response, because you must be able to deal with a breach when it happens.


Conclusion: IT departments must alert both HR and legal counsel that the Mobile Device Management (MDM) platforms being deployed have the potential to put the organisation in breach of workplace surveillance legislation. MDMs can activate the cameras built into smartphones, activate the microphone, and access the smartphone’s GPS. Working with Legal and HR will likely result in new Acceptable Usage Policies for staff, and IT most likely needs to review controls for the MDM platform to ensure that these capabilities are not abused.


Conclusion: While the capability to filter content to corporate-issued smartphones and tablets is a capability that a number of organisations are interested in, very few organisations have taken this step. Most organisations are taking the view that the risk of an employee accessing inappropriate content while on a 3G/4G connection, and offending their colleagues, is low, and best managed through line managers and policy. Typically these trusted staff are also reasonably senior, hence their being issued with a corporate device. The perspective changes, though, if the organisation is concerned about field staff wasting time. In these instances, restrictions are seen as an aid to productivity and the device is heavily restricted.


Conclusion: The intention and skill of an attacker will ultimately determine the impact of the attack, regardless of the preventative technologies an organisation has. In this respect, a skilled attacker intent on destruction is akin to a natural disaster: measures can be taken but ultimately it’s out of your hands. We cannot prevent floods and earthquakes, so what makes a difference is how organisations respond to these disasters. It is imperative that organisations with disaster recovery and crisis management processes extend these to include responding to cybercrime. The first area to look at is how the organisation will deal with not being in control of its own IT, including communications systems such as email and VoIP.


Related Articles:

"Preparing for cybercrime: incident response" IBRS, 2013-09-25 00:00:00

"Preparing for cybercrime; incident response Part 2" IBRS, 2013-11-27 00:00:00

Many years ago when I lived in Perth, one evening after work I was standing in chest-deep water at Cottesloe beach admiring the sunset. I happened to turn and look to my left and saw a fin sliding out to sea, about 10 metres away.

I quickly realised that the fin was making the sine wave motion of a dolphin, not the sideways sweep of a shark. When I turned to face the beach, there was a small crowd of 20 or so people gathered at the water’s edge. As I got out, a lady said to me, “He was swimming right behind you”.


Conclusion: As organisations become increasingly dependent on computer systems, IT will have an increasingly important role to play in preventing and detecting fraud. CIOs must ensure that there are sufficient checks and balances minimising the risk of IT professionals abusing their elevated systems privileges, and that systems are configured to produce useful logs. CIOs should also ensure that policies for the prevention, and detection, of fraud are tested and enforced. Policies for log management and data retention should get high priority.


Conclusion: Security incident and event management (SIEM) products can deliver solid insights into the security status of an organisation’s network. However, SIEM requires ongoing support, mature change control processes, and rapid and open communications between diverse teams within the IT department, as well as the rest of the organisation. A successful SIEM deployment must factor in the resources required for ongoing support. These resources will be in proportion to the complexity of the network.
