
Cyberslow, Cyberdown

By Dan Hadaway | Wednesday, August 12, 2015

Let’s think this through . . . . 
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . and this is one of those posts Dan sat on for a few weeks before he finally convinced the team . . . . yes, we can release this!

When I first heard of a book by John Mueller (Overblown, 2007), which made the case that our reaction to 9/11 cost more lives than the actual terror event itself, I probably wasn’t ready politically to accept the premise.  Still, his question, “which is the greater threat, terrorism or our reaction against terrorism?”, stuck in my mind.

I registered “over-reaction” as a subcategory of my threat, “a false sense of security,” which, by the way, I’ve always maintained was the greatest threat we face.

Now . . .  before you read on . . . please consider that I have always blanket-classified threat likelihood.  Sure, it’s different for every situation, and it changes over time; but because it’s inherent risk, I maintain that the likelihood of a threat exploiting a vulnerability can USUALLY be seen from a blanket approach.  In other words, I can walk into any organization and tell them what their top ten threats probably are, inherently, without much analysis.  Thus, we can shortcut the threat analysis process and get down to the business of calculating residual risk, based on the control structure.

Anybody selling you threat-analysis services would say this is a dangerous approach and I agree.  I’m just proposing that, at a high level, we can assume at least ten threats to every organization.

And because of this, I’ve been able to come up with Dan’s Top Ten Technology Threats. And if you’ve seen any of my presentations since about 2004, you’ve probably seen an iteration of this list when I discuss awareness as 9/11’s of the battle:

10 – Professional Cybercriminals
9 – Script Kiddies
8 – Vandals
7 – Scammers, Opportunists, and Fraudsters
6 – Nosy neighbors and ex-spouses, enemies of our customers
5 – Insiders
4 – Our customers (as an accidental threat.  Mad customers end up falling into 8, 7, or 6 above.)
3 – Our examiners and auditors (as a compliance threat, or a security threat if they aren’t competent.)
2 – The technology itself (Our use of technology, heightened when we deploy new technologies)
1 – A false sense of security

Again, the above is a blanket list: it does not apply to ANY organization at a detailed level, while at the same time applying to ALL organizations at a high level.  There are specific threats not included in the list, but everybody’s list would include the above threats, in many flavors.  (Have I qualified that enough?)

So . . . . what’s the point?  I have always maintained there is a much higher likelihood we are hurt by a false sense of security, than a professional cybercriminal.

All this cyberbuzz is a good thing for sure.

However, and I know I’m probably not making many friends by sharing this:  this time I am disturbed by the buzzword mania.  I am watching hundreds of companies jumping into the field, offering what may be good solutions.  [At the request of “good sense,” I have removed a laundry list of companies who started selling cyber-products since 2013.]  

And while I, of all people, should not rue the sound of heads popping out of the sand, I still feel compelled to utter the cautious words, “slow down.”

Think this through.

The “guidance” (the FFIEC Cybersecurity Assessment Tool) was released on June 30th.  It is not even guidance.  And it was released only about a month ago:  your examiners don’t yet know what it really means for you.  It is a great tool.  As stated in the CEO Overview, “the Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time.”

The key words there, to me, are “over time.”  It’s what makes the tool so usable . . . . maturity is something that occurs over time, not overnight.

So let’s think this through.  Let’s not over-react, moving resources before we fully understand priorities.  Every conference and convention we attend for the next year or two will have advisors sharing their take on the subject.  Let’s find a basis we can study from, to make these presentations more valuable to us.

And that basis?

The actual documents themselves.

I’m getting bombarded with questions about issues that aren’t even in the Cybersecurity Assessment Tool, raised in some cases because a vendor somewhere has pitched a service as a cyber-service.

Gosh, if I wanted to sell a trash can to a bank, I would be more successful if I called it a cyber-trash can.

I’m sorry.  The previous sentence was in the first draft of this post, and I had pondered its removal since I first wrote it.  But I obviously feel it needs to stay.  I don’t mean it to be condescending, and yes, we should be praising our management teams for coming to the table.  But let’s realize that nothing changed on June 30th.  Other than we now have a map.  And there’s only one map for banks now, and that’s a good thing.

But the threats are still the same.  Cyber is real, but it is still #10 on my list.  And we still haven’t fully protected ourselves from #2 through #9.  And if we don’t recognize this, then in a rush to address #3 (compliance) we’ll be a victim to #1 (false sense of security).

Let’s roll up our sleeves, yes, but let’s do so in a focused, balanced, THOUGHTFUL way.  We do not need to rush into this.

So my advice about the Cybersecurity Assessment Tool?  Read all of the documents located here.  Go ahead and attend the myriad seminars, webinars, and such on the subject.  And yes, we’ll be providing webinars too.  Quite frankly, CyberCyber is a boon for our business!  We’ll be giving many talks on the subject, and hosting an Examiner Panel, at the IBA’s Cybersecurity Conference, which we renamed “Cybersecurity” for the very reason I just warned against.  (To get you to come to it!)

But don’t waste time attending my webinars if you haven’t read the documents.

And sure, read articles about it.  Like this one.  But don’t read ANYTHING, including the rest of this article, until you’ve read the actual documents, located here.

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
