By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance

Step 8 of President Obama’s 10-point action plan is: Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement. Keywords in Step 8 include: Prepare, Initiate, Dialog, Partnership, Streamlining, Aligning, Optimize. Preparing an incident response plan is a great idea and can play a critical role in the success of a cybersecurity action plan, however a lot organizations have incident response plans that are not producing much if any feedback.   Why are traditional response plans not working? Problems with traditional incident response plans lack anonymity on theRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

A CNN article recently caught my attention regarding a new study by antivirus software company McAfee that identified the most dangerous Internet search terms that can lead users (your employees, vendors, contractors, business partners, etc.) to web pages with a higher likelihood of cyber attacks. The study examined more than 2500 popular keywords on five major search engines – Google, Yahoo, Live, AOL and Ask – and analyzed 413,000 web pages.  The categories that had highest risk of leading to malware infested web sites included: screen savers, free games, work from home, Olympics, videos, celebrities, music and news.  The riskiest terms included: word unscramble, lyrics,Read More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

Lessons Learned continue to identify new and changing threats, but are organizational managers helping their organization’s personnel keep up with ongoing awareness or are they falling farther and farther behind? For example, a recent article highlighted an attack that hit Twitter and may be one of the first time hackers to use the micro-blogging site for profit.  So why do hackers love social networking? Because unaware users (Boards, management, employees, vendors, contractors, consultants, business partners, etc.) will click on interesting links to things like “Best Video” or “Funniest Video” and unknowingly end up on a Russian domain that serves up malware or other exploits thatRead More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Information Security, Risk Management

Step 7 is: Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity. Wow…this is a very complex step when you consider the Cyberspace Policy Review described cybersecurity policy as: cybersecurity policy as used in this document includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missionsRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security

As May ended, the percentage of SPAM and junk mail jumped to 90.4 percent of e-mail.  Are your people aware and prepared to avoid and prevent risks and threats associated with SPAM? To make matters worse, the spamming techniques are successful because the e-mails are being sent from valid accounts hosted by the social-networking sites and not being spoofed.  And because the e-mails are coming from valid accounts, technology devices checking the validity of e-mail headers are ineffective as a countermeasure.  In many cases, the junk mail contains only a subject line and a hyperlink and many times the links led to social-networking site profiles. Read More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

Step 6 of President Obama’s Cybersecurity plan is a great idea and it states: Step 6 – Initiate a national public awareness and education campaign to promote cybersecurity. Lessons Learned from national public awareness and education campaigns show that they can work very well with “simple and straightforward” issues such as drunk driving, seat-belts or forest fires.  For example, most of us have heard of “over the limit, under arrest” or “click-it or ticket” or “only you can prevent forest fires”.  But cybersecurity is not “simple and straightforward”. Lessons Learned, experts and reports unanimously agree that cybersecurity related attacks are becoming more and more sophisticatedRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

Ok, now we are starting to get into the action points that have a lot more complexity and will absolutely require an “intelligent playbook” and innovative tools to implement appropriate mechanisms, priorities, processes, policies, roles, responsibilities, activities and more across the federal government.  Based on Lessons Learned, Inspector General Reports and a recent May 2009 GAO Report that stated 23 out of 24 major federal agencies had weaknesses in their agencywide information security programs…it is obvious that action point 5 is going to be extremely difficult to implement and manage.  Action Point 5 – Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priorityRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

As I mentioned in previous blogs, the new Cybersecurity Adviser will essentially be the “Head Coach” and he/she will need to create an “intelligent playbook” to lead the offense and the defense and to ensure all appropriate individuals are aware of their roles and responsibilities. Action Step 4 in President Obama’s Cybersecurity plan is: Designate a privacy and civil liberties official to the NSC Cybersecurity directorate. On paper, designating an official or officials to focus on privacy and civil liberties makes good sense, however lessons learned have clearly shown that government officials continue to look at privacy and civil liberties as too much of aRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Risk Management

The good news is that Social Networking is experiencing explosive growth. The bad news is that Social Networking is experiencing explosive growth. According to the third annual Deloitte LLP Ethics & Workplace survey, organizational leaders have some decisions to make when it comes to employee beliefs and management beliefs regarding online Social Networking. 60% of business executives believe they have the right to know how employees portray themselves and their organizations in online social networks 53% of employees disagree and say their social networking pages are not an employer’s concern 63% of younger employees (age 18-34)  say employers have no business monitoring their online activityRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

So the new Cybersecurity Adviser (aka Head Coach) will be announced this week…and as I mentioned previously regarding Step 1 and Step 2, the Head Coach will play a vital role in coordinating people, entities, policies, activities, strategies and ongoing updates as strategies and threats change.  We reviewed how the Head Coach will need to implement an “intelligent playbook” to ensure all appropriate people have access to customized knowledge they need to make better decisions and achieve better results.  The “cybersecurity intelligent playbook” will no doubt need tools that will empower the Head Coach and enable all appropriate personnel to have secure accessibility to theirRead More →