Why is my toaster talking to my accounting software? Are internal or outside devices causing DDoS or botnet attacks? Larry Bianculli discusses IoT device security, current and future concerns, with Matthew Pascucci and Joe Goldberg.
It was our third CISO roundtable, hosted at a local vineyard, and the conversation was as lively as ever. I’m not sure if it was the wine tasting, the food or the experience of the CISOs in attendance, but the event was a lively discussion focused on “Building a Defendable Enterprise with Continuous Monitoring”. The excitement and passion coming back from our attendees was nothing short of encouraging, showing how seriously these leaders in our field take their role in defending their organizations. It was once again a privilege to be in the midst of these leaders, learning from their wisdom and experience in the field. This blog is written as a recap of a few highlighted discussion points from the evening.
All organizations have policies and procedures for how particular tasks and goals are carried out within the organization. The issue is that many of these are passed on by word of mouth or have never been written down. This leads to subjective policies and procedures that morph over time based on a loose understanding of the objective. Almost every regulated organization is required, for compliance, to have written policies and procedures, which gives it a defined and objective method of handling them. This creates a strategic framework for those the policies and procedures are guiding. That being said, there are a few differences between a policy and a procedure.
A data breach has occurred, or worse, your organization has been hit with ransomware. What do you do next? Learn how tabletop exercises create muscle memory.
Anything that’s difficult takes time to master, or at least to become competent at, and it requires constant training and being pushed into situations that sharpen your reflexes. This is the predominant reason we perform cybersecurity tabletops: to improve our reaction time to security incidents and breaches. During these situations there’s much more than the technical aspect to consider, and if the entire organization isn’t moving in tandem, mistakes will be made. Organizations as a whole need to live this experience, even if it’s just a tabletop, in order to understand where they might have blinders on from a maturity standpoint. This consistent role playing, aimed at forcing participants at all levels out of their comfort zone, is used to create the tempered muscle memory needed to react to incidents without hesitation.
We’ve all heard it before: “Just patch all the things and you’ll be perfectly fine.” There’s a lot of truth to this statement; it’s also extremely shortsighted. If you’re working in a large enterprise or an organization that uses unique equipment for business functions, it’s almost impossible to follow the “patch all the things” mantra, mostly because there are no patches available or the systems have become unsupported. At CCSI we work with some of the world’s largest organizations, and in doing so we’ve noticed that patching isn’t always an option for some systems on the network, even though we recommend it as a priority. Here are a few areas we recommend focusing on when patching isn’t an option.
We recently held our second annual CISO roundtable, which brought together fifteen CISOs for a candid conversation about their concerns, challenges and advice on protecting their organizations. Last year’s roundtable showed that Long Island has a security community that’s hungry to learn and grow from each other. This was also evident from the attendance at the first BSides Long Island, which was held in January. It was no surprise that our second roundtable was just as lively and informative as those two events. Throughout the agenda for the night, the topics covered ranged from continued challenges to improvements and future considerations. We’ll briefly touch on a few in this blog so the extended community can learn from their wisdom and insights.
The two-year transitional period implemented by the New York State Department of Financial Services (NYS DFS) for its cybersecurity regulation, 23 NYCRR 500, ended this past March 1, 2019. This doesn’t mean the work ends here; essentially, it’s just getting started. The state of New York allowed institutions, or covered entities, a 24-month break-in period before having to adhere to all phases of the regulation. The training wheels are off, and all phases will have to be complied with yearly moving forward.