18 November 2012

DON'T ACCEPT SWEETIES FROM STRANGERS...

[Updated 17th March 2013] Hello everyone! It’s been a long time since I wrote on this blog and I have to say, there have been so many interesting things happening that I haven’t really been able to make my mind up on what to talk about... What spurred me into action was a combination of various industry discussions and security conferences, the fact that lots of us are busily preparing for the festive season (or wishing they were!) and that all the children in my life are SO technically savvy...

6 August 2012

INFOGRAPHIC: THE SOCIAL MEDIA SIDE OF INCIDENT RESPONSE...

[For the corresponding February 2014 post associated with this infographic, see here]
It seems that my previous post on the social media side of incident response attracted some attention and I thank everyone for their feedback. This prompted me to explore the brave new world of infographics... So here we go, my first foray into what is for me uncharted territory. I've used Piktochart and I found it an excellent tool, which means that anything you find lacking is of course entirely my fault rather than the tool's. Your feedback, as ever, will be greatly appreciated!

24 July 2012

THE UNBEARABLE RISKINESS OF BEING... SOCIAL

[Updated 4th August 2012]
The inevitability of social media in both our private and professional lives is undeniable. With social networks transforming the rules of business engagement, many businesses think the biggest risk of social media is the brand and reputational damage that could result from negative interactions or the potential disclosure of proprietary or sensitive information...

15 July 2012

FAILING GRACEFULLY...

Sometimes, despite our best endeavours, things just don't work out the way we planned... 
You know the feeling: you think you have it all under control, you think you've engaged with the right people, you have buy in from those who matter, the right culture is in place, you're not struggling for investment and bang! you get hacked. Overwhelming sense of failure ensues. Where did it all go wrong?...

20 May 2012

THE SOCIAL MEDIA SIDE OF INCIDENT RESPONSE...

[For the February 2014 version of this post, see here]
Not impressed with LinkedIn's social media crisis response after more than 6M user passwords got leaked recently, or nonplussed with Dropbox's handling of their own crisis? Read on... In one of my February posts, I wrote about incident response and the importance of addressing the media in a timely manner. Whilst the NIST report SP 800-61 gives really good guidelines on the positive aspects of fully and effectively communicating important information to the public, I feel there is some mileage to be had by exploring the use of social media when tackling incident response. After all, we've all seen how quickly news can spread on Twitter here or here... So, should you be breached, you would no doubt have a crisis communication process already in place, but does it include social media?...

9 May 2012

CLOSE ENCOUNTERS OF THE THIRD (PARTY) KIND...

Phew... The last month was absolutely hectic, with all those conferences falling within the same short period of time! With all that, I was privileged enough to have been asked to speak at both Internet World and Infosecurity Europe. Two very different experiences... Whilst one expects to be talking about security at an infosec conference, it is always welcome to be asked to present about security matters at an event with a different focus - in this instance, everything digital... (see my previous post on the subject). It was nevertheless surprising, walking the show floor at Internet World, talking to vendors and poring over the agendas in the various theatres, how little security featured. With everything about the show related to "cyber", not many had made the obvious leap to "cybercrime"... So, on the way to our Devil's Tower, our quest is still to find our Curwen hand signs to communicate with the third (party) kind...

22 April 2012

WHO ARE YOU PREACHING TO ANYWAY?...

I was recently privileged enough to be asked to present at a merchant forum in London. Interestingly, the intended recipients had been very much in the driving seat since they had selected the topics themselves. After my previous posts (Part 1 and Part 2) on connecting the dots between information security, risk and fraud, you can imagine my pleasure that I, alongside my fellow speakers, was asked to do just that... A delightfully interactive audience, some very interesting chats at the breaks and the recent buzz about the value of security conferences prompted me to share some thoughts on how to actively engage with your stakeholders and get the results you need...

9 April 2012

5 STEPS TO A SUCCESSFUL SOCIAL ATTACK - What's Your Threshold?...

In a previous post, I highlighted that mass marketing fraud against individuals cost the UK economy £3.5 billion in 2011, that is ten times more than the cost of plastic card fraud in the same year, or equivalent to the total fraud losses incurred by the financial services sector in the same period! Sobering perspective, don't you think? We all know that mass marketing fraud is where criminals aim to defraud multiple individuals to maximise revenue by persuading victims to transfer monies in advance in exchange for promised goods, services or benefits. And we all know that this is usually done via mass-communications media (such as telephone calls, letters, emails and text messages) and ranges from foreign lottery/sweepstake frauds through to Ponzi schemes and romance frauds or any other abuse of trust... So, we all know better, don't we?...

1 April 2012

FROM FRAUD TO INFOSEC and vice versa... Part 2

In my previous post, I summarised the UK National Fraud Authority's latest Annual Fraud Indicator and how it relates to information security. In this post, I delve further into this connection by refining the key fraud enablers used to defraud victims of all types. These cut across the fraud landscape and often overlap, which poses further challenges for quantifying their impact, but the classification is nonetheless helpful and recognisable.

FROM FRAUD TO INFOSEC and vice versa... Part 1

In my last post, I attempted to give some real business metrics to help secure information security investment. One of those metrics related to our ability to link infosec to fraud, and in this post I’d like to examine the connection a bit further. Lucky for me, the UK National Fraud Authority have just released their 2012 Annual Fraud Indicator (readers beware, it’s 58 pages...), so with my infosec lens, I’ll take you through the report and hopefully give you some more KPIs to think about...

26 March 2012

VERIZON DBIR 2012 - some context...

The Verizon DBIR 2012 was released last week and I am sure you have seen a lot of blog posts, articles and tweets on the subject... So let me try and put a different perspective on it: many of you will have heard me say that the DBIR is the “gift that keeps on giving”, and yes, it is! But as with every report, statistics and opinions always have to be put into the right context... The conclusions are not surprising, but there are quite a few little nuggets in the report that are worth examining...
To start with, I am glad to see that the analysis now offers some separate insights in relation to SMEs and larger organisations, as some of the issues can be different depending on size. The case load is also bigger this year (855 incidents compared to 761 in 2010) and known compromised records studied were also greater (3.8 million in 2010 compared to 174 million in 2011 - mostly due to the return of the “mega breaches” in 2011 after a relatively quiet 2010).

18 March 2012

THE INFOSEC INVESTMENT EQUATION: CAN YOU SOLVE IT?...

I can’t believe my last post was on 4th March! I am positively thrilled that my most popular entry so far is the one about incident response... This means that we must be coming to terms with the fact that data breaches are a statistical certainty and how we handle them is what matters. Good news: this means we’ve got the attention we need. Now we need to convert this attention into the investment it requires. External statistics may give you the hook but, as abundant as they are, do not however make it relevant to your business when trying to secure the infosec investment you require...

4 March 2012

MANAGE RISK BEFORE IT DAMAGES YOU: PART TWO...

In the previous post, I spoke about the importance of having an asset register and how crucial asset classification is. After all, not many of us have unlimited resources, therefore focusing investment where it matters most is the way to go. Whilst I was thinking about this, the link between changing the CISO's traditional attitude and the necessity for risk management became even more apparent, and I would like to expand on the trinity of “Asset, Technical Services and Business Need”...

26 February 2012

MANAGE RISK BEFORE IT DAMAGES YOU: PART ONE...

Neira Jones on Google+
After my part 1 and part 2 posts on incident response and the last post on cloud computing security, a number of you requested I talk about risk assessments. Since it’s currently my favourite topic, I am more than happy to oblige... First, a few facts:
  • Epsilon was breached in the first quarter of 2011. At the time, they built and hosted customer databases for 2,500 well-known brands and sent more than 40 billion emails a year on their behalf.
  • Not long after, the Sony breach ended up compromising personally identifiable information for more than 100 million of its customers.
Obviously, for both organisations, customer information is a key asset...

21 February 2012

UNDERSTANDING CLOUD SECURITY: PART TWO...

I thank you for your attention on the previous post, where we had a look at security considerations for the three main cloud service models commonly referred to as SPI (SaaS, PaaS, IaaS). As promised, here’s part two looking at other cloud implementation considerations, namely:

  • Cloud deployment model: public vs. private vs community vs hybrid deployments,
  • Cloud location: internal vs. external hosting or combined,

19 February 2012

UNDERSTANDING CLOUD SECURITY: FINDING THE BOUNDARIES...

It seems that my previous post on compliance and third parties struck a chord with a few of you... So I guess it’s about time I dedicated some time to “The Cloud” specifically! Over the past couple of years, we have seen a lot of hype and confusion as to what The Cloud really means and what it can do for you. I think we have now reached the stage where there is perhaps a bit of disappointment that The Cloud, due to inflated expectations, is perhaps not a miracle...

12 February 2012

COMPLIANCE IN THE DIGITAL ERA: WATCH OUT FOR THE 3rd PARTY...

By 2015, there will be more than 15 billion interconnected devices on the planet, twice the world population. In that period, the total amount of global Internet traffic will quadruple. (Cisco(R) Visual Networking Index (VNI) Forecast (2010-2015), June 2011)
It is estimated that every year in the UK, identity fraud costs more than £2.7 billion and affects over 1.8 million people (National Fraud Authority, October 2010).
Every year, we share more of ourselves online...

8 February 2012

THE TRUTH BEHIND DATA BREACHES...

I was pleased to see the release of the Trustwave 2012 Global Security Report as I find it always a very good source of information! This year’s report analyses 300 data breach investigations across 18 countries and, unsurprisingly, 89% of the breaches involved the theft of customer records, including payment card data and other personally identifiable information such as email addresses.

6 February 2012

INCIDENT RESPONSE & RISK MANAGEMENT GO HAND IN HAND...

I was delighted with the level of interest generated by my last post on incident response so I thought I’d continue on the same theme... My thanks go yet again to the NIST report previously mentioned as I will explore some aspects of risk management and prioritisation that apply to incident response...

3 February 2012

INCIDENT RESPONSE – HAVE YOU GOT A PLAN?

So, the National Institute of Standards and Technology (NIST) announced a couple of days ago the release for comments of draft Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide. How very timely that was! With 2011 dubbed the year of the data breach, and the fact that it takes 3 to 8 months on average for an organisation to discover they have been breached, what better New Year’s resolution than to have an effective Incident Response Plan?...

1 February 2012

EU DATA PROTECTION LAWS – WHAT DOES IT ALL MEAN?...

After yesterday’s post on data protection, I thought it would be logical to follow with some info on the EU proposal for new data protection laws...
17 years ago, the EU’s 1995 Data Protection Directive set a milestone in the history of personal data protection, and whilst its principles are still valid, the differences in the way that each EU country implements the law have led to an uneven level of protection for personal data. In addition, the rules were introduced when the Internet was still in its infancy and the digital age has brought with it increasing and sometimes unexpected challenges for data protection. With social networking sites, cloud computing, location-based services and smart cards, we leave digital traces with every move we make. Evidently, we now need a new set of rules that is future-proof and fit for the digital age.

31 January 2012

DATA PROTECTION AND ALL THAT – WHAT DO YOU THINK?...

Well, January is nearly over and it’s time to look at all the research that’s been produced over the past year to try and draw meaningful and usable statistics...
I do this very selfishly before starting in anger on the conference circuit as I like to have up-to-date figures and stats in my presentations (and let’s face it, we all love numbers! ;-)
Today, I focus on the research produced by the UK Information Commissioner's Office (ICO) in the two following reports Report on Information Commissioner's Office Annual Track 2011 - Individuals and Report on Information Commissioner's Office Annual Track 2011 - Organisations.

30 January 2012

UK CARDS ASSOCIATION 2012 REPORT - WHAT YOU NEED TO KNOW...

The UK Cards Association has just published its always eagerly awaited and oft quoted annual report for 2012 (http://www.buzzwordcreative.co.uk/UK-Cards-Annual-Report-2012/html/index.html#/1/) and I am pleased to see that the fraud trend is still on the decline, despite the staggering numbers:
  • At the end of 2010 there were 84.6 million debit cards; 55.6 million credit cards, 6.6 million charge cards and up to an estimated 3.0 million prepaid cards in issue in the UK.
  • Payment cards have become an integral and indispensable part of the UK economy accounting for over 8 billion purchases worth £428 billion in 2010, and accepted at almost 1 million retail outlets in the UK alone.
  • During 2010, 37 million adults shopped over the internet with plastic cards accounting for over 80% of spending, 717 million card payments and £54 billion worth of goods and services.

29 January 2012

THE RISE OF THE NEW CISO: RISK MANAGEMENT vs COMPLIANCE

For those who didn't attend PCI London on 25th January 2012, I reproduce here the article I wrote for their magazine, I hope you find it of some use... :)
THE RISE OF THE NEW CISO: RISK MANAGEMENT VS COMPLIANCE
Last year at PCI London 2011, my article for this magazine was about the need to move from Compliance to Risk Management and I hosted a panel of industry experts from Visa Europe, MasterCard, the PCI SSC, IRM plc as well as representatives from John Lewis plc and the Home Retail Group. It was undeniable that retailers and merchants in general, have felt the need for some while to invest where business value can be derived. The concept of risk management, when it comes to looking at Payment Security, undeniably struck a chord!