Systemic risk is about the risk that exists between the parts of any complex system. This includes third-party vulnerabilities. Being able to understand if any third party introduces critical levels of systemic risk to the entire system through concentration risk is also a critical systemic cyber risk challenge.
I was fortunate to be on a panel to discuss the Software Supply Chain with Richard Rushing, Bryan Hurd and Richard Greenberg (moderator) for the ISSA Los Angeles chapter on Wednesday (1/19/21). Click here to view the recording, https://www.youtube.com/watch?v=y3wqCc34tME.
Supply chain security can refer to suppliers who provide services, staffing, support, or who develop software/hardware. The supply chain is varied and different across industry segments and organizations. If you consider the development of applications or electronics, there may be a long list of companies who contribute to the final product. The longer the supply chain and the less visibility you have into (or ability to assess) each supplier, the higher the overall complexity and resulting risk to your organization.
Let’s consider the software that we use in our own organizations. There is a lot of it. Do you have a complete inventory of the software you have running on your endpoints, or supporting business processes? Having a granular software inventory and an approved enterprise application catalog is a starting point. The granular information you need includes: “Who owns and makes decisions about the application?” “Who supports and patches it?” “Who budgets for and pays for licenses?” “What is the application architecture and how does it communicate?” Having a central trusted software inventory (this may differ between desktops and servers) is a starting point. Read More
I have started to offer vCISO services. What is this and why would a company want a fractional CISO? Both large and small companies, and those in between, need the advice and guidance policy, strategy, board presentations…) that an experienced security leader can offer, at a fraction of the cost of hiring and retaining the same talent. A vCISO provides the leadership services you would expect from a Chief Information Security Officer, on a fractional basis, making it more affordable especially for small to medium sized businesses. I’ll expand more on the benefits of having a vCISO, and when outsourcing may be a good solution for staffing and services in an upcoming article!
If you don’t have a reliable and authoritative repository of the devices connected to your network, their posture and the use of privileged accounts, it is difficult to believe that you really have any hope of managing them well to protect your organization’s sensitive information. If you are not managing IT security risk well, it will have an effect on all aspects of enterprise risk. This is why situational awareness needs to be a top enterprise focus.
The first category in the NIST Cybersecurity Framework is “Identify”. The first 5 CIS controls related to discovery, inventory and posture of endpoints, software and privileges.
The 20 CIS controls are the fundamental steps that every organization should work on to address the majority of cybersecurity exposure that an organization faces. Yet, many organizations fail to maintain a good inventory of assets, posture (software and configurations) and privileges.
There are many reasons why a central, easy to use inventory system is beneficial.
– You should know what business assets you are responsible for, as a fiscal responsibility.
– You should know what assets you have, especially when they connect to your network or access sensitive corporate information. Where are they? What software are they running? Are they compliant (patches, secure baseline configurations…)? What value is the data on these assets? What is their exposure?Read More
The World Economic Forum has released its annual Global Risks Report, which prominently addresses cyber risk. They’ve also released a Cyber Resilience Report, which comes in two parts: “a reference architecture for public-private collaboration, and cyber policy models.” The playbook, intended to be adaptable to any nation’s values and interests, takes up fourteen policy topics and analyzes them in terms of their impact on five areas: security, privacy, economic value, accountability, and fairness.
Lookout mobile security company develops the Mobile Risk Matrix for looking at the spectrum of mobile security risks for your enterprise and to help in developing a comprehensive strategy. I think this basic framework could be extended to other areas, besides mobile.
Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware --
Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.
