CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

You are here: Home / Archives for Cyber War / Cyber Security

Cybersecurity Is Not Just About The Tech

Cybersecurity may well be the most important function in the modern world. Without it, nothing else can be trusted, in any sector of the economy.
hacking-detected-shutterstock_188832089Cyber Security is far more than just protecting data. Security is about protecting the functionality of IT. It involves confidentiality, availability and integrity of resources. This higher order approach to cyber security requires vision, leadership, and actions in dimensions of people, process and technology.
 We also need to draw your attention to the higher order concept of Cyber War. This is, unfortunately, something all technologists should be familiar with now. The most critical piece to read on that topic now is Now That You Are A Soldier In The Cyber War You Must Know Your Cognitive Biases followed by: Main Street Cybersecurity: Can Email Be Safe? and Time for Transformational Cybersecurity!

Stay In The Loop: Sign Up To The CTOvision Daily

When it it time to research the great providers of Cybersecurity Solutions, kick off  your search in the CTOvision Disruptive Technology Finder. Pay particular attention to the sections on Cybersecurity, CASB, Cyber Threat Intelligence, and VPN.

For help putting all this information into context for your business, consider tapping into Crucial Point's CTO-as-a-Service or Technology Due Diligence offerings, both are ways to quickly leverage the technical talents of experienced enterprise technology professionals.

This One Little Configuration Change Will Make It Harder For People To Steal Your Information

Editor’s note: We are aiming this tutorial at the non-technical person. Please share with anyone in your life who could benefit from this. -bg

Cyberspace is a complex domain and our adversaries are always seeking new ways to steal information or spread their malicious code or hold our data for ransom. This is the big reason why there are no silver bullets in cybersecurity. There is no single thing you can do that will stop all attacks.

But there are things you can do that make a huge difference. One in this category is changing your home and office DNS configurations.

What is DNS (Domain Name Service)?

DNS

Have you ever seen a picture of an old fashioned telephone operator? The operator played a critical function in establishing a global telephone network where any phone could talk to any phone. When a person wanted to make a call, they connected to the operator and the operator would either connect the person directly to the other party or connect through other banks of operators. Without this ability to switch and connect physical wires together, phones would never have worked.

All of that has been automated now. When you dial a phone number, computers figure out the smart way to connect your conversation with the right party.

The Internet only works because it has a similar automated system. This system is orchestrated by something called DNS (short for Domain Name Service). Every device you have, indeed, every device on the Internet, uses DNS to determine how to route information to other devices.

When you buy Internet service for your home, your Internet Service Provider automatically configures a DNS service for you. And when you authorize any device to join your home network, your network and your device are smart enough to automatically configure themselves to use your ISP’s DNS service. It all works so smoothly that you almost don’t need to think about DNS at all.

But it turns out there is good reason to consider how you configure your DNS. If you configure it correctly, it can be an important part of your defense, helping keep bad guys and their software from attacking your systems.

Consider for example, the example of the old fashioned phone operator. What if you were receiving a call from someone you do not know, and before connecting the operator gets on the line with you and says “Based on our historical records, the person calling you has a record of conducting fraud and they are probably going to try to deceive you.”  That would have been a nice feature back in the day.

If you configure your DNS properly, you can put features like that, and far more, at your command. Depending on which DNS features you want and which provider you select, you can use a managed DNS service to speed up your web browsing. You can also use it to make customized filtering decisions for your home system (for example, you can tell it that no one should have access to certain types of sites). You can also use managed DNS to prevent viruses and other types of malicious code from communicating with their bosses (their control servers), which can help reduce the chance that your information will be stolen from malicious code.

Also, consider again the example of the telephone operator. Imagine an operator who was working with a criminal. A caller might dial the operator asking to be connected to the bank, and the malicious operator might really connect the caller with a criminal group for further fraud. Traditional DNS has weaknesses like that. With certain types of DNS attacks an adversary can make you think you are going to a favorite website but can re-direct you to a bad one, perhaps to steal your login info or to download malicious code. This is another very important reason to use a managed DNS service.

There are cautions to consider when selecting a DNS provider. Some DNS providers collect information from you in ways that may creep you out. For example, if you select the free DNS service from Google, although there are privacy protections, they will be aggregating even more data on you and your browsing habits. It is free and offers protection and is backed by a company with incredible engineers, but you will give up some info you might want kept private.

Here are four options to think through:

  • Google Public DNS: Google is doing a great service for the world with this free DNS resolution service. This will speed up your browsing, improve your security, and get you results with no redirection. But guess what? They get something out of it too. They get data. Their DNS resolver is at the address 8.8.8.8.
  • Quad9: In association with the Global Cyber Alliance and Packet Clearing House and a consortium of industry and non-profit contributors, Quad9 provides a DNS service designed with privacy and security in mind. This reduces risk, speeds browsing, and since it is being fielded by a non-profit there is no collection of personally identifiable information like some other providers. DNS address is 9.9.9.9.
  • Nuestar UltraDNS Public: This was formerly the Verisign public DNS. They provide multiple levels of service for home and business use.
  • Cloudflare: In April 2018 Cloudflare announced a free to use DNS service called 1.1.1.1, which is their DNS address. They have optimized their DNS for privacy and speed.

Which of these is right for you? This is your choice. For me the choice is Quad9 because of their security and privacy features. But if you are looking for more features, consider Neustar. Their free service is good and their paid offerings with fuller features give you incredible power over how your systems access the net.

But back to Quad9, here is what they say about their security features:

Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting to malware or phishing sites. Whenever a Quad9 user clicks on a website link or types in an address into a web browser, Quad9 checks the site against a list of domains combined from 19 different threat intelligence partners. Each threat intelligence partner supplies a list of malicious domains based on their heuristics which examine such factors as scanned malware discovery, network IDS past behaviors, visual object recognition, optical character recognition (OCR), structure and linkages to other sites, and individual reports of suspicious or malicious behavior. Based on the results, Quad9 resolves or denies the lookup attempt, preventing connections to malicious sites when there is a match.

It’s worth noting that Quad9 doesn’t just use IBM’s threat intelligence – there are 18 other combined feeds that make up their threat blocking, which is fairly unique and gives a cross-section of blocking abilities from some of the world’s best threat management organizations.

Now how might you implement DNS at home? Each of those services is going to give you very easy to follow tips for using them, and the methods are really the same for any DNS provider you use. You will change the DNS entries on your home router, and you will also change the DNS settings on your mobile devices and computers. It is all quite easy.

Tips for Changing Your DNS:

  • You have options on how you want to do this. The easy and fast option is to change the DNS that your router at home or office uses. At home when you purchased cable or fiber or other comms the ISP installed a router. They gave you a way to log into it. If you forgot how, you can probably look on the bottom of the box and it will give you an IP address (probably 192.168.1.1 or 192.168.2.1) and default login. So you should be able to log into it from any of your computers and change some configurations. It is a best practice to note what the DNS settings currently are (just in case you want to change back). Change the default DNS to be the address from the provider you selected (for example, 9.9.9.9).
  • Changing the router at home or office will be good for any device you connect to there. But you can also tell your devices what DNS to use. This comes in especially handy for the traveler.
  • For mobile devices, look under your Wi-Fi settings and update the DNS entries there.
  • For MacOS laptops, go to settings and select “Network”. Select a network interface from the sidebar and click advanced. Click the DNS tab and click the + button to add a new DNS server. Then enter the new DNS numbers.  Here is a video of how to do it for Mac
  • For Windows laptops/tablets click the Start button and then control panel. Under Network click View network connections. Then right-click the connection you want to change, and click properties. Click either IPV4 or IPv6 and click properties. You will see where to enter the DNS numbers. Here is a video for how to change DNS for Windows.

Do you have lessons learned or best practices you can share regarding reducing digital risk. We would love to hear from you. Reply to any of our emails or contact us here.

We have built a collection of tips and best practices aimed at reducing your digital risk. Find them at the OODALoop Members Resources site.

Looking for something more hands-on? OODA provides technical services including  CTO-as-a-Service and CISO-as-a-Service support, we would be glad to lend a hand.

Think Twice Before Deciding To Use A Personal VPN: You could be getting some really bad advice

From the 1930s to 1950s (far too long) the medical community just would not wake up to the fact that cigarettes could cause harm (see More Doctors Smoke Camels). Why did they stick with this misperception for so long? When so many good people come to the wrong conclusion it probably means some deeply human cognitive biases are at play. Most people have a long studied desire to prefer the status quo. If this is what was always thought, why think differently?

They are not the only groups of humans to stay anchored to old ways. For years nutritionists believed that all calories in food are the same, including all forms of sugar. This led to the conclusion that we might want to watch calories overall but sugar is great. Now that obesity is an epidemic and diabetes the fastest growing disease in the world, most professionals realize that too much sugar is bad. But even after it was discovered that Harvard medical researchers were paid to lie in studies about sugar, humanity is still almost totally ignoring this topic. Clearly there are cognitive bias issues here too.

The technology community is not immune to getting stuck with an opinion and not wanting to shift, even in the face of evidence. One of the big ones is that you need to use a personal VPN.

In 2010 it was good advice to recommend a VPN for personal use. But in my view, any technologist or security professional recommending that now should be ashamed for not keeping up with the enormous changes in technology over the last decade.

The rest of this post will dive a little deeper into the topic.

To summarize up front: For almost every use case, the only reason to use a VPN is if you are using one provided by a business that requires you to use it to access corporate resources. Some also use VPNs so they can access content that is restricted by geography.  You do not need a VPN for your home or small business use, even when using public WiFi. Personal VPNs just don’t add value to your security posture.

What Some Of The Experts Saying About VPNs:

A sponsored piece at CNN says “A VPN is vital when working from home“. This piece, written in the form of a CNN article but apparently paid for by a VPN provider, claims that data that flows from your computer to the Internet is open and accessible to anyone who can intercept it (this statement is false). They also say that without a VPN, anyone with the right tools can intercept passwords, banking information and everything else you transmit (this is also a false statement).

CNET tells us that “Anyone who wants to protect their privacy and security online should use a VPN.” This myth is all over the place, especially on sites where companies that provide personal VPN services advertise.

Gizmodo asserts that: “The benefits of virtual private networks, or VPNs, are well-documented: They keep you safer on public wi-fi ” This may have been true in 2010, but the technology of the Internet changed when Gizmodo wasn’t watching.

Norton explains that: “The encryption and anonymity that a VPN provides helps protect your online activities: sending emails, shopping online, or paying bills.” Another 10 year old view.

The highly trusted Consumer Reports claims that “Just about all security experts agree that using a VPN, or virtual private network, when you’re accessing the internet via computer or phone is a good idea. In particular, a VPN is one of the easiest ways to avoid getting hacked while you’re taking advantage of the free WiFi at an airport or library.” (This is also a false statement. Additionally, saying “Just about all security experts agree” reminds me of “More doctors smoke Camels.”)

An Attorney with the Federal Trade Commission discussing VPNs asserts that: “Public networks are not very secure – or, well, private – which makes it easy for others to intercept your data.” This was once very true. But not quite right anymore.

What I Say About VPNs:

You do not need to use a VPN if you are just trying to secure your personal Internet communications. If you have a well patched operating system and up to date applications, they already establish encrypted communications. Do to changes in standards, this is just the way the Internet and computers work now.

VPN companies would gladly sell you a VPN even if you don’t need one, but that may well just introduce more risk. And it does so while slowing your Internet connection and costing you money.

How Things Used To Be:

A decade ago having a VPN for your personal use was good advice. A savvy technologist could join a public WiFi network and capture packets and read information from other users, including logins, passwords, or even financial information, depending on what people were doing on the WiFi.  Soon as a way of showing how this could be done was coded into a browser plugin called FireSheep. The author of this plugin, Eric Butler, did a great service for WiFi security. By showing these vulnerabilities he motivated significant changes.

Other attacks possible in the old days included ways to trick your browser into thinking an attacker is the ultimate destination. The attacker sits in the middle of comms between the user and the ultimate destination and breaks the encryption and replaces it with his own. This is a “man-in-the-middle” attack.

What Has Changed:

In part due to problems of unencrypted traffic and man-in-the-middle attacks, the technology of the Internet and devices and applications have changed pretty significantly. Changes in the way the Internet and our systems work include:

  1. Massive (successful) investments in security from Apple, Microsoft, and Google. Zero day vulnerabilities and attacks happen, of course but the OSs and applications provided by these firms are much stronger than they have ever been, and the applications warn and stop browsing if attacks like the infamous man-in-the-middle (MITM) are tried.
  2. Massive engineering of applications used to access the Internet, including web browsers and email applications and all mobile apps to use secure communications.
  3. A massive move towards encryption of web traffic (HTTPS). All the top websites encrypt all their traffic, not just the login pages like many did 10 years ago.
  4. The invention of new web technologies, including a new method designed to defeat man-in-the-middle attacks and cookie hijacking. Chief among these protocols is HTTP Strict Transport Security (HSTS).
  5. Improvements to DNS security standards have also been made, including a protocol called DNS over HTTPS (DoH). This increases security and privacy by making it harder to know what websites a users is looking at and making it harder to manipulate DNS.
  6. Free certificates from EFF’s Let’s Encrypt project, and helpful tools like HTTPS Everywhere (highly recommended).

So, today Almost all web traffic is now encrypted. And if an attacker tries a man in the middle attack against your web browsing session you will get a warning and the comms will stop. The warning varies from Chrome to Safari to FireFox but all now prevent this type of attack by checking to see if the certificate that set up the HTTPs encryption matches the correct version maintained in trusted stores online.

What Will You See When Attacked:

Here is what you will see if an attacker is on your public WiFi and tries a Man in the Middle Attack:

 

 

 

Other Risks With VPNs:

VPNs come with their own risk. There are risks that the VPN company you have picked are not protecting your traffic the way the promised. There are risks that they are logging your info in ways they claim they are not. If you think you are using a VPN to protect yourself from government surveillance, they may actually be making it easier on the government to surveil you. (the EFF provides many great references on some of the issues with VPNs, including here and here).

Nothing is ever perfectly safe (this is about managing risk). But since modern applications set up encrypted channels already, we are at the point where personal VPNs do not seem to add anything that reduces real risk.

When Might You Need A VPN?

As previously mentioned, there are reasons for companies to require a VPN for remote employees. This type of VPN can be used to help companies ensure governance over their data and ensure only authorized users are accessing corporate resources. These also help companies that want to search traffic for malicious code. This corporate VPN needs to be managed and updated of course (see recent CISA statement of corporate VPN vulnerabilities being exploited during the Coronavirus crisis). But in general it can be very smart for a corporation to use this method for access to corporate resources. There are new changes in the offing here too, and VPNs are not the answer to every corporate need (corporate technologists should be closely tracking developments in the software defined perimeter and zero trust worlds, including Google’s Beyond Corp approach).

Many people recommend that journalists and activists and others operating overseas use a VPN, and there may be good reason to do this if operating in a hostile nation. However, the threat model there is very different. And in many cases, using a VPN there will just give a false sense of security. The hostile nation may well be reading all the VPN traffic and logs anyway. People in these situations need far more security than a VPN (including secure messaging systems).

Some people use VPNs so they can pretend to be using the Internet from a certain geography. This is certainly a good use case if you want to do that. But this does not add security.

But I have not seen any argument by a technologist familiar with how the Internet works today that says paying for a personal VPN makes sense for the average user or small business. It does nothing to improve your security or reduce risks in any meaningful way. In fact, it may actually introduce new risks.

Concluding Thoughts:

How could it be that so many security professionals are out there right now advising people at home or small businesses to use a VPN? I can only imagine they have not kept up with how the architecture around them has been changing. And of course no VPN company is going to say they are not needed anymore.  But the biggest reason is probably the same reason doctors promoted tobacco or we all thought sugar was ok. It is a bias towards the status quo by people who have not wanted to learn how the Internet has changed.

There are certainly many other important things to do to reduce risk. Chief among those things is using an up to date OS and up to date applications (see this list of tips to reduce personal risk and this list to reduce business risk).

And one final point: If the Chinese Ministry of State Security (MSS) or Russia’s Foreign Intelligence Service (SVR) wants to mount an effort against your Internet use, you have a different threat profile than most of us. But if you think a VPN will slow them down you are fooling yourself. If you need to mount a defense against them let’s talk, we can help, but a VPN is not the thing that will save you from them.

Travel Back To 1985 For A Guest Lecture By Commodore Grace Hopper on The Future of Computing

Thanks to the power of computing you can watch Commodore Grace Hopper delivering her landmark lecture at MIT Laboratory on 25 April 1985.

The entire presentation is excellent and worth listening to. But my favorite line is right around 23 minutes in, when after describing the nature of technology innovation she says:

“Probably the most dangerous phrase you could ever use in any computer installation is that dreadful one: ‘but we’ve always done it that way.’ That one is a forbidden phrase in my office.”

The entire lecture is full of her famous dry wit and humor, but also great advice. At around 31 minutes in she describes what sounds like an underground movement to start a newsletter. The people who did it, at her encouragement, just did it instead of following the rules. The did do one thing legally, she said. They got permission from Nabesco to get their permission to use one of their brands. They called their magazine, Chips Ahoy.

At about 33 minutes in she describes how one early computer advocate in the navy took the initiative of writing for the non technical person who needed to know about computers. She proudly mentioned how he wrote in plain english so seniors can understand and said:

“I would urge all of you please to write more stuff in plain english so we can feed it to admirals and generals and people like that. They don’t understand computerezze they need plain english and we have got to convert them in one way or another.”

Throughout the discussion she encourages leaders in technology to keep moving forward and innovating before asking permission.

At about 46 minutes in you will see her holding a piece of wire that is 11.8 inches long. If you are a Grace Hopper fan you know what this is about. But if you have not heard it directly from her yourself, this is your chance!

The rest of the lecture is full of laughs. But it was especially fun hearing her discuss how the instructions on shampoo bottles could use a re-write. Ha!

The presentation is available online at:

For more about Grace Hopper see her page on Chips (Yes the magazine her team created in still out there).

Related Reading:

The Short Story From Arthur C. Clarke Every Officer in Space Force Should Read and Heed

Lessons Learned From a Career of Technology Due Diligence

DIA’s “MARS” Project Achieves Key Milestone

Air Force Magazine Provides Insights Inside Scramble To Enable Massive Scale Telework During COVID-19

The No-Hype Guide To Quantum Computing You Need To See Today

Google Provides Formal Announcement on Quantum Supremacy

Announcing the Defense Intelligence Memorial Foundation (DIMF)

Potential Malicious Use Of IT By NASA Astronaut While On Orbit: Thought provoking but probably not hacking

Have you been numbed by constant reports of breaches? They get old for sure, especially since so many have at their core common issues that could have been avoided by application of best practices.

Now here is an interesting/new story: A NASA astronaut is accused of hacking her estranged spouse’s bank account from space

I have zero first-hand knowledge of this but have read the reports.

My assessment: The account in question was accessed from space. But not in a way that I would consider hacking. Looks like credentials were shared. That is a bad habit and may be in violation of the bank’s rules. But there certainly does not seem to be evidence of any sort of crime (if your spouse gives you their login and password and you use that is it a crime? What about when you are having difficulties? Does that make it different?).

If you did give a spouse access to an account and want to end that, revoke the access! Change the password. Better yet, do what the cybersecurity community has been advising for the last decade: use multi-factor authentication.

There are other key points this makes, however. For one, NASA needs to think through its cybersecurity policies and controls for on orbit and deep space missions.

We have been writing on this topic for quite a while. Most recently we produced a special report for OODA members on the Cyber Threat to NASA’s Project Artemis.

Because of this incident we will be updating that one for sure. It clearly needs to include a more implicit articulation of the insider threat and ways to mitigate that while platforms are in space.

This report, done for OODALoop members, is described this way:

NASA is enabling another giant leap for humanity. With the Artemis program, humans will return to the Moon in a way that will enable establishment of gateways to further exploration of not just the Moon but eventually the entire solar system. The initial expenses of the program will return significant advances for scientific understanding and tangible economic returns. As Artemis continues, the project will eventually deliver improvements for humanity that as of yet have only been dreamed of. But there are huge threats. For more see: The Cyber Threat To Artemis

If you have not signed up for OODALoop yet get in touch and I’ll give you a discount code to check this report out.

CISO-as-a-Service: When your enterprise needs cybersecurity expertise on demand

Your business operates in a world where there is an incredibly high demand for cybersecurity talent. Now with unemployment at a 50 year low there are no indications that anything can be done to dramatically increase the pool of cybersecurity talent.

Enterprise grade cybersecurity requires enterprise grade experience.

How do you get that in today’s business environment?

For many the answer is to leverage CISO-as-a-Service. By tapping into the expert talent of professionals at OODA LLC, you can put our team of experts on your side and take immediate advantage of our decades of experience in mitigating risks and meeting corporate objectives in security and compliance. Our experts come with deep experience in rightsizing security programs and reviewing security spend as well.

For more see: OODA LLC Security Services

A Common Language for Computer Security Incidents: The Cyber Defense Taxonomy That Started Them All

Cyberspace is our interconnected information technology. And since everything either is or is becoming connected, one of the defining characteristics of cyberspace is its complexity. This adds burden to cyber defenders. Defense teams require experience, education, training and a mindset that lets them continually learn. They also must forge broad teams across multiple subject and functional areas. An ability to rapidly collaborate and exchange data while in a fight is a must.

For years computer security professionals have sought the best ways to dialog on incidents, and some great foundational work has been done in this area.  This post reviews a work found to be of special relevance to today’s cyber defenders, a 1998 publication titled “A Common Language for Computer Security Incidents.”  This foundational work is important since it is a bit of a stage setter relevant to all the current work I see on standards for information exchange and even human dialog/discussion.

What is a taxonomy?

A taxonomy is a set of related terms. It is a classification scheme. How do you judge a good taxonomy?  It should meet several criteria, including being:

  1. Mutually exclusive – classifying in one category excludes all others because categories do not overlap,
  2. Exhaustive – taken together, the categories include all possibilities,
  3. Unambiguous – clear and precise so that classification is not uncertain, regardless of who is classifying,
  4. Repeatable – repeated applications result in the same classification, regardless of who is classifying,
  5. Accepted – logical and intuitive so that categories could become generally approved,
  6. Useful – could be used to gain insight into the field of inquiry

Caution: there is probably no such thing as a perfect taxonomy. They are all approximations of reality and therefore you will never have one that meets every criteria perfectly. But the characteristics above are good goals to judge the taxonomy by.

When it comes to cyberspace activity, the taxonomy presented by John Howard and Thomas Longstaff comes pretty close to meeting those goals which is why it is still so relevant today.

They define a taxonomy of terms in a way that can be logically and graphically expressed.

See, for example, the picture below:

incidenttaxonomy

This is from their report and it lets you related terms in a way that can help in dialog between humans and also help in automating information exchange.

The top line of words can be easily thought of as a sentence. Attackers use Tools against Vulnerabilities to cause an Action against a Target to achieve an Unauthorized Result to meet an Objective.

The details of their work spell out with clarify what the individual terms are and that is also a huge help to dialog. Over time there has been a little modification by operational users on some of the terms, and the adversaries in cyberspace have continued to change their craft and a few more terms have entered the lexicon.  But overall the framework is sound.

Since this first ground-breaking work the community has continued to improve on this notion, converting concepts into processes and standards and influencing the technology used in cyber defense. Some of the greatest work in this domain is coordinated by MITRE. I’ll make that a topic for future posts, but for an overview of their current work see: MITRE Cybersecurity Standards and especially the MITRE ATT&CK Framework. Modern defenders benefit greatly from these approaches. As you dive deeper into modern standards and frameworks for cybersecurity, keep in mind how it all began, with a great taxonomy from John Howard and Thomas Longstaff published in 1998.

More Reading:

For more on these topics see the CTOvision Guide to National Security Technology and

CTO Guide To The Business of Cybersecurity

Identity-SecurityThis is the CTOvision guide to the megatrend of Cybersecurity. This post provides a high level overview of key factors in cybersecurity that we recommend any technology professional should be familiar with, as well as insights that can help assess the near future of cybersecurity solutions. The report also captures insights from recent reporting done on the topic as well as information on cybersecurity vendors we track in the CTOvision solutions directory.

The Megatrend of Cybersecurity

We can make a prediction with absolute certainty: In the future, there will be times when adversaries will surprise even the most well defended organizations. History just makes that totally clear.

Said another way, cybersecurity in the future, like cybersecurity today, is a bit like a rodeo. Sometimes the rider will ride and sometimes the rider will be thrown.

We can also say this about the future of cybersecurity: When organizations are led by leaders that care they can make a huge impact in mitigating risks. Cybersecurity professionals know how to configure existing technology in ways that raise costs for adversaries and can also engineer things to make it easier to spot when an adversary has been successful. Experienced professionals know how to mitigate risks in ways that reduce risks, but what is sometimes missing is support from the most senior executive and/or peers to the security leadership. If the executive team does not really care, the security program will be sub-optimized. That is just a fact.

Cybersecurity In Relation To Other Tech Trends

Cybersecurity is especially important because of the newfound complexity arising in our systems. All the megatrends we review here, and everything we see in doing assessments in the market, point to dramatically enhanced complexity. And all indications are that tricking future systems will become easier not harder. Said another way, every trend we track, including Cloud Computing, Artificial Intelligence, Mobility, Bigdata, Robotics and IoT, all require more focus on cybersecurity. Without enhanced cybersecurity, none of those can be optimized.

A key factor in Cybersecurity

Bottom line: No organization should think they can handle their security needs by themselves. We will all need help.

A snapshot of the Cybersecurity trend right now indicates:

  • Some of humanity’s greatest thinkers, business leaders and computer scientists have struggled to enhance cyber security. Their approaches are not working.
  • Cybersecurity will have to advance or none of the other megatrends we review will be optimized.
  • Cybersecurity is especially important because of the newfound complexity arising in our systems.
  • Behavioral analytics is seen as a promising approach to enhancing our response
  • Machine learning and advanced analytics are also seen as promising approaches.

Open Cybersecurity questions decision-makers should track include:

  • Is humanity sleepwalking into a preventable catastrophe?
  • Will it be easier to trick future systems?
  • Will any organization be able to defend itself without help?
  • What is the role of behavioral analytics?

Cybersecurity and Due Diligence:

Due Diligence in Cybersecurity is one of the most important aspects of M&A.

  • On the sell side: Firms should take every effort to ensure they are in solid shape from an information security perspective before being offered for sale or seeking growth investment. Review and pre-sale diligence can make a massive difference in how well a firm will be valued.
  • On the buy side: Buyers should pay particular attention to how well the target understands their digital risks and how well they are governing their risk mitigation efforts. External and independent verification and validation of security policies and practices should include a review of the technical architecture, as well as the degree that the target is complying with appropriate compliance regimes.

Strategically, the acquisition of cybersecurity technology firms is also an art requiring assessment of how unique the capability is and how much in demand it will be in the market. We provide due diligence consulting in the cybersecurity domain via our parent company, OODA LLC.

Other Cybersecurity Reporting at CTOvision:

Latest Entries in the CTOvision Directory of Cybersecurity Firms:

[wp_show_posts id=”108839″]

There are seven key megatrends driving the future of enterprise IT. You can remember them all with the mnemonic acronym CAMBRIC, which stands for Cloud ComputingArtificial IntelligenceMobilityBig DataRoboticsInternet of ThingsCyberSecurity.

OODA Produces A Traveling Executive’s Guide to Cybersecurity

We have written before about the importance of all of us recognizing that we are in a cyber conflict. The fact is that we are all targets. We all have to keep our wits about us. This includes tracking the cyber threat and best practices to mitigate the threat.

A period of significantly enhanced vulnerability is during travel. It is especially important to maintain best practices when on the go, including, of course, when traveling overseas.

The team at OODA have just produced a reference of best practices for reducing cyber risk while on the go, including both business travelers and those who just want to reduce their overall risk while on mobile devices. The recommendations are provided in tiers enabling easy tailoring based on your threat model.

  • Tier 1:  The minimum essential cybersecurity best practices that should be incorporated into every trip and an executives’ daily cyber hygiene.
  • Tier 2:  Additional protections that should be put in place for travel to some countries or by organizations that want to adopt a more robust security profile.
  • Tier 3:  Advanced security practices for travel to high risk countries or for highly targeted executives.

See the full report at: A Traveling Executive’s Guide to Cybersecurity

 

 

More Content

Cyber War

OODA and Bastille Webinar: Finding phones, wearables and gadgets through Cellular, Bluetooth, Bluetooth Low Energy and Wi-Fi device detection

You can watch this webinar on demand at: https://www.bastille.net/webinars/finding-phones-wearables-and-gadgets The webinar features insights on how to find phones, wearables and gadgets through Cellular, Bluetooth, Bluetooth Low Energy and Wi-Fi device detection. In the webinar Dr. Bob Baxley, CTO at Bastille and Bob Gourley, co-founder of OODA LLC and former CTO at the Defense Intelligence Agency […]

SciFi

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]