Thursday, 27 October 2016

Practice Safe Computing

What is the first thing we should check when we turn on our computer? That’s a question I always pose to the kids when I present the (ISC)2 Safe and Secure Online Program. If your answer is Facebook or email, you have a problem. Of course, having a look at your anti-virus application is the place to start. Is it running? Are the databases current? (By current I mean no older than 24 hours.) Even the best anti-virus (AV) solution will do little good if it is not running because the subscription has expired, or if the databases are days or even weeks old.


There is really no good excuse for not having a good anti-virus and anti-malware application installed and running on your computer. Nearly every major vendor has a free version, not to be confused with a “trial version”. The trial version permits full, unlicensed use for a brief period, typically 30 days, at the end of which the user is required to purchase the licensed version. I point this out because I can’t tell you how many times I have come across users who did not really understand that the trial version actually quits working. There are several free solutions available today; Microsoft Security Essentials for the Windows platform comes to mind. In my neck of the woods, Cox provides free McAfee to its subscribers.

Hold up! It is still not time to dive into our e-mail. After we have verified our AV system is working, we need to check for updates to our operating system and installed applications. The immediate application of security updates is very important! Always make certain you have a good backup before you apply any patch or install any new software. Understand that security updates for our applications are just as important as the security updates for our operating systems. This includes not only our productivity suites, e.g. word processing, spreadsheets, etc., but also other applications we tend to take for granted, such as Adobe Flash and Adobe Reader (PDF files). These should all be set to automatically download updates when they are available and prompt us to install them.
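The two checks above (is the AV running and are its databases less than 24 hours old, and are any operating-system updates waiting) can be automated. The script below is an added example written for this page, not part of the original article; it assumes Windows 10 or 11 with Microsoft Defender Antivirus (the Defender cmdlets do not exist for the older Microsoft Security Essentials), and it covers Windows updates only, not third-party applications such as Flash or Reader.

```powershell
# Added example: a start-of-day "is my protection actually working?" check.
# Assumes Windows 10/11 with Microsoft Defender Antivirus and the Windows Update Agent.
$MaxSignatureAgeHours = 24   # the article's "no older than 24 hours" rule

function Test-AntivirusHealth {
    param([int]$MaxAgeHours = $MaxSignatureAgeHours)
    # Get-MpComputerStatus reports the Defender engine state and signature timestamps.
    $status = Get-MpComputerStatus
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    $result = [ordered]@{
        ServiceRunning     = $status.AMServiceEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureUpdated   = $status.AntivirusSignatureLastUpdated
        SignatureAgeHours  = [math]::Round($sigAge.TotalHours, 1)
        SignaturesCurrent  = $sigAge.TotalHours -le $MaxAgeHours
    }
    # Healthy only if the engine is running, real-time protection is on and signatures are fresh.
    $result.Healthy = $result.ServiceRunning -and $result.RealTimeProtection -and $result.SignaturesCurrent
    [pscustomobject]$result
}

function Get-PendingWindowsUpdates {
    # Uses the Windows Update Agent COM API to list updates that are not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
    foreach ($u in $pending) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity   # Critical/Important/Moderate/Low; empty for non-security updates
        }
    }
}

$av = Test-AntivirusHealth
$av | Format-List
if (-not $av.Healthy) {
    Write-Warning "Anti-virus is not healthy: fix this before opening e-mail or the browser."
}

$updates = @(Get-PendingWindowsUpdates)
if ($updates.Count -gt 0) {
    Write-Warning "$($updates.Count) Windows update(s) pending; the ones with a severity are security fixes."
    $updates | Format-Table -AutoSize
} else {
    Write-Host "No pending Windows updates."
}
```

Run it from an elevated PowerShell prompt; the update search can take a minute because it queries the Windows Update service.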

Good to go? Well, almost. Now that we are confident our desktop and applications are safe and happy, we must deal with what’s behind door number one: the Internet. A click of the mouse and we have the whole world at our fingertips. We need to wonder, does the whole world now have us at their fingertips as well?

Let’s start with our connection to the Internet. I must say that the cable providers have really come a long way from the days when we paid for service and they dropped in a digital subscriber line (DSL) or cable modem and told us to “plug your computer here”. They learned hard lessons from exploits like the Melissa macro virus of the 90’s or the Slammer worm in 2003. Critters like these cause significant disruption for users and for Internet service providers (ISPs). The sales people are now much more knowledgeable and aware. They ask the right questions, such as “Do you have a DSL/cable router?” If you do not have one, they offer to sell you one, or they recommend one and tell you where to buy it. The router connects directly to the cable modem, not to our computer. We connect to the router, either via WiFi or an Ethernet cable. This router is also our “firewall”: it hides our private systems and keeps the “Internet fingertips” out of our stuff.

Nearly there! I would be remiss if I did not mention online shopping. I am writing this article two weeks before Christmas and eCommerce is in full swing. It is easy, convenient, and definitely saves us money. There are, however, some serious pitfalls, and we need to understand and be aware of them so we do not fall victim to social engineering exploits like phishing, virus hoaxes and the other confidence games that are always present on the Internet. We are going to shop, that’s a given, so how do we protect our identity and our money? My best advice for a first step is to work with your bank. When an identity is stolen or a debit or credit card is compromised, the banks suffer losses, and they don’t like it either.

I never use a debit card, as a debit card, to make a purchase anywhere, online or in person. Always run it as a credit card! My bank recommended we set up a separate account to be used only for online purchases. I move money into this account when I need it, i.e. to replenish my Starbucks card, make a purchase from Amazon, etc. If my account is compromised, I am only at risk of losing the small amount in that account and not my entire checking account. There are of course requirements and agreements between my bank and myself, and these will differ from bank to bank. This does limit the liability for both of us, so it is a win-win all around.

Wednesday, 12 October 2016

Security Congress 2016 Recap: CISO Impact

The action-packed 2016 (ISC)² Security Congress ended with a paradigm-changing keynote from Stan Dolberg and Phil Gardner of IANS on the model for security leadership. In keeping with the conference theme of “Advancing Security Leaders,” Stan and Phil unveiled a research-backed model that shows how high-performing security teams consistently demonstrate competence in both technical excellence and proactive organizational engagement. They call their model “CISO Impact™”, and the room, filled with security professionals, eagerly took notes as the elements of the model were revealed.

Gardner explained that as security professionals, we have made a promise. That promise is to protect the businesses we work for, and to encourage them to adopt safe business practices. To accomplish this, we must lead, even without authority.

The CISO Impact™ model is broken into the 8 Domains of Technical Excellence and the 7 Factors of Organizational Engagement. Most (ISC)² members understand the concepts of technical excellence and can practice them in the scope of their day-to-day work. But technical excellence will only mature an organization so far. Without the 7 Factors of Organizational Engagement, the business will never adopt safe business practices and achieve the level of maturity necessary to thrive in a connected world.


To achieve the highest levels of maturity in the model, the security leader must engage the business in dialog and consensus building, convincing business leaders to own risk and change unsafe behaviors; weave security into business processes and practices; demonstrate value and deliver projects on time; build a strong and capable team; communicate value to the leadership; and align the security unit in the organization for maximum effectiveness. Sounds easy, right? Organizations all find themselves at different stages of these seven factors, and it can be difficult to assess exactly where you stand today and where you need to go.

This is why we are happy to present (ISC)² members with an opportunity to take a diagnostic designed to measure the 8 Domains of Technical Excellence and the 7 Factors of Organizational Engagement and see exactly where they stand. As a special benefit to (ISC)² members, IANS will, for a limited time, provide a premium diagnostic report to any organization that completes the diagnostic. Normally, this benefit is reserved for paying IANS clients. This is a fantastic opportunity you should take advantage of now. You can also benchmark your results against others in your industry to see if you stand out in any of the factors. Do you outpace your competition?

The diagnostic will output a CISO Impact™ Quotient, and you will be classified in both the technical and organizational factors as Foundational, High Foundational, Transitional, High Transitional or Executive. Each of those categories represents a successively higher level of maturity.

When enough diagnostic surveys have been taken, we will have the IANS team back to present how (ISC)² members compare to the baseline organizations that have already been measured. This will be a report you won’t want to miss.