CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

You are here: Home / Archives for Crucial Point LLC

Crucial Point LLC

What The Board Needs To Know About the GDPR

Executives in businesses around the globe have been tracking The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect 25 May 2018. Those who operate primarily in the EU have had plenty of time to focus on this and no excuses for not paying attention. Those who operate primarily elsewhere also have no excuse to not be aware of the GDPR and should have already assessed how things should change because of these new rules. We have found, however, that many firms in the EU and the US and elsewhere are still not paying enough attention to these very serious rules. Admittedly our sample size is small and this may not be reflective of the majority of firms, but we have seen indications that many firms are adopting a strategy of putting their collective head’s in the sand or not really doing a serious assessment of the potential impact of GDPR on the firm.

The objective of these new rules is to improve privacy and security of critical personal information. The rules are also designed to harmonize many different rules active across Europe and this should make overall compliance easier. But still, for most, compliance will require changes be put into place for how data is stored and also changes put in place for how people can be put in control of their own data. Remember, the GDPR is not just about firms that operate in the EU. It applies to firms that have data on EU citizens. The GDPR requires that to collect info on EU citizens, the citizens must give their consent and the citizen also has the right to be forgotten. The data it applies to is broad, including even IP addresses.

At this point, just 20 days away from the compliance deadline, we recommend all firms do three things:

  1. Read the rules yourself. They are not that hard to read and think about
  2. Consult outside counsel. Pick a law firm you know and trust and ensure they have knowledge of the GDPR. Ask us if you need some recommendations.
  3. Seek an external review of your technical architectures for compliance. Our firm, Crucial Point, is a good place to start here.

We recommend that boards (including Audit Committees for those that have them) should evaluate their company’s data retention activities and policies to see if they are in need of modification to comply. Boards should ask CEOs and the management team to assess where exposure to GDPR non compliance is greatest and prioritize actions to fix. Boards should ask questions to determine if line of business leaders realize they are responsible for compliance vice just assuming this is an IT function. And boards should know who the Data Protection Officer (DPO) is for the firm.

Here is more on the GDPR:

  • Fines for non-compliance are up to 4% of annual revenues.
  • Customers must consent for processing of their data
  • Personal data must be protected. This includes anything related to a natural person or anything that can be used to indirectly identify the person. This includes names, photos, email addresses, bank details, addresses, posts on social media sites, medical info, IP addresses
  • The rule describes a new position, a Data Protection Officer (DPO), which will be required for firms that do large scale monitoring or processing of sensitive data
  • Consent of users is required and it must be asked for and granted in specific ways before collecting and processing data.
  • Citizens are given new authorities over their data including right to have it removed (a right to be forgotten)
  • Data protections are expected to be designed into systems
  • If there is a breach of personal information, the citizen will be notified and impact assessments done
  • Transfer of data to other countries and organizations is regulated
  • Companies are expected to maintain a state of the art cybersecurity architecture and posture

We can accelerate your compliance with GDPR and do so in a way that helps your security posture.  Contact us today and see if we can help you accelerate your compliance.

Additional reading:

Government Matters TV Explores Email Security Standards, DoD IT and Cloud Security with Bob Gourley

The Global Cyber Alliance continues to coordinate smart guidance, tips and approaches for improving security posture. They are an international, cross-sector organization designed to confront, address, and prevent malicious cyber activity (it is led by the gracious and sociable cyber champion Phil Reitinger).

Their most recent report is titled “Top Federal IT Contractors Leave Emails Vulnerable to Phishing, Spoofing.” It is the result of a study of the use of a special email protocol called DMARC by the top federal contractors (DMARC stands for Domain-based Message Authentication, Reporting and Conformance). Basically this is a widely accepted set of configurations and protocols that can help organizations make sure their domains are not being spoofed by bad guys. Setting up DMARC is pretty easy, and once it is put in place it is harder to have your domain used for phishing attacks against others, and is a little easier to protect your own employees from some kinds of tricks.

With the release of their new report, I was asked by Government Matters TV to provide some context on the report.

Before doing so I did a bit of my own research using the simple to use tool at https://dmarcguide.globalcyberalliance.org/#/

I typed in the domains of every major defense contractor myself. Like the Global Cyber Alliance I found only one of the top 50 was in compliance. I was so excited to find it was the team at Carahsoft who had put this in place. I had the pleasure of telling that to Craig Abod of Carahsoft in person today. Craig knows the importance of this to keeping trust with partners and customers in the ecosystem. I know others in the community also aspire to be as trusted as Carahsoft and imagine we will see many others follow suit soon. I would also recommend that anyone in the federal ecosystem, in or out of government, that wants tips on how to implement DMARC should reach out to Carahsoft. They have the experience to get you started on that right away and can also recommend software tools to help make it iron clad.

I was asked to provide context on this for GovMattersTV. For more see the video at this link and below:

The video also provides some context on suggestions of a consolidation of DoD IT and on lessons from the RSA conference, and mentions the Cloud Security Alliance.

 

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

It can be really hard for the government to share information with citizens and businesses, for many reasons. We all wish it was easier, but the fact is that complex rules and regulations and the need to operate with some degree of certainty combines with the need to protect sources and methods. Everyone in the community wants things to improve, but I know for a fact some of the greatest people have been working hard to improve this and it is really hard. It can also take time before information is of a quality to be shared, and that can mean that attacks from adversaries that are underway can make great progress in their nefarious activities before the government alerts. Proof of that is a government announcement titled Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. They are not sugar coating this at all are they? This is a pretty clear declaration that Russia is not just surveying our networks, but conducting cyber attacks to break into them.

The bad news is that the report says the government has been investigating this since 2015.

Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals.

This is a global investigation involving the DHS, FBI and the UK’s National Cyber Security Centre (NCSC). And it may well be that there was not enough info to release till now. I also think many investigations end up going through historical data to piece together a bigger picture, and it could be that this assessment just came together recently. But still, we should all push for faster action here.

But the good news is that the report provides a great deal of technical information that can be used by companies to help configure their devices to reduce the impact of these attacks. The report does far more than just encourage patching (which of course is important). It gives technical advice that can help tech teams implement better security. That is a positive.

It is also important to mention that raising defenses by properly configuring devices is a relatively low cost activity. Additionally, this does far more than make it harder on Russian bad actors who seek to attack. It can also slow down Chinese state sponsored actors who wish to steal.

My hope is that this will also inform U.S. technology vendors, who can take steps to help ship their devices with more secure configurations.

For more see: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices.

My recommendations to raise your defenses to counter nation-state attacks:

Invest in some help to ensure your technology is appropriately configured to make it as hard as possible on adversaries, regardless of where they are from. Better configuration of your existing IT is a very low cost activity but will give very high returns. A small investment will reduce risk. The configuration guidance from DHS/US-CERT is a great place to start, but external security experts who really know how to configure and test the configurations is important.

All organizations should also consider joining the Cloud Security Alliance (CSA) to help learn the latest best practices. One capability that came out of the CSA is a Software Defined Perimeter (SDP). Actually this approach had its roots in the government tech community, and I know it to be a very secure way to operate.

Reduce the threat of nation-state sponsored cyber attacks including those involving hardware that has been tampered with or malicious code on IoT devices by leveraging the capabilities of PFPCyber.

For more on these topics see the CTOvision Guide to National Security Technology and

What Executives Should Know About Ethereum

Bitcoin was the first implementation of a working blockchain technology. The idea has been built on with several other implementations. One of the most exciting is Ethereum. In some instances Ethereum’s coin, Ether, is compared with Bitcoin, and you see both cited in cryptocurrency value listings. But Ethereum’s implementation of blockchain goes far beyond the one behind Bitcoin.

Ethereum is also a way of running distributed applications. Applications can be programed to leverage the Ethereum blockchain in ways that bring the power of an open and secure distributed ledger and data store to bear in very powerful ways.

What Should Executives Know About Ethereum?

At a minimum, we recommend everyone, especially executives, know that Ethereum provides a fabric for distributed applications. For most it will also be good to know a few other details, but that is the most important point.

What Should I Know About Ethereum?

Ethereum is an open-source, public, blockchain-based distributed computing platform and operating system featuring smart contract functionality. There is a cryptocurrency built on this framework called Ether that can be bought/sold/traded and mined like Bitcoin, but Ethereum is an environment that can also be used by any programmer to create coins or other applications that leverage the power of the global Ethereum network. This is what is kicking the world of distributed computing into high gear.

In general, there are three types of players in the Ethereum ecosystem:

  1. Users
  2. Developers
  3. Miners

Users: Anyone can be a user of Ethereum. You can buy and sell Ether at Coinbase, can trade Ether or other Ethereum based tokens on coin exchanges, and can interact with smart contracts and functions of companies that offer Ethereum-based functions like smart contracts.

Developers: Most anyone with some programming or CTO experience can be an Ethereum developer. The language of Ethereum distributed apps (Solidity) is very easy to learn and there are many tutorials to get you started.

Miners: Miners are those that have decided to provide computing power to make the distributed apps work in return for rewards of Ethereum (Ether) or other crypto coins.

Some recommendations:

  • Open a Coinbase account. It is easy to do. And if you use it to invest at least a small amount of funds it will motivate you to track the dynamics of cryptocurrencies. It will also make you more fluent in many aspects of Cryptocurrencies.
  • Sign up for an account on the cryptocurrency enabled Earn.com. The reason to do this is their tight connection to the cryptocurrency startup community. Leaders in the community are looking for savvy users to inform of their startups and are using Earn to find thought leaders. They pay you to read their messages (you can donate that payment to charity or keep it yourself). My view is that any startup that is vetted by Earn and will pay to have me read a message deserves to have the message read and so far I have not been disappointed, it is a great way to learn what is going on in the community.
  • Read over the main page at Ethereum.org. It does a great job of describing what is possible in a very clear way. And if you are feeling daring, work through some of the tutorials there (if you build a coin let me know, I’d love to see it).

We have much more to write about cryptocurrencies, blockchain and distributed apps. Be sure you are on distro for our newsletters so you don’t miss the next update. Sign up at CTOvision Newsletters.

Other Reading on Ethereum and Bitcoin:

What Should Executives Know About How Blockchain, Smart Contracts and Cryptocurrencies Are Disrupting Business?

https://ctovision.com/oodaloop-nails-it-again-with-reporting-on-bitcoin-price-manipulation/

Why Bitcoin Continues to Rule the Cryptocurrency Market Despite its High Volatility

From Crowdsourced Militias to Dread Bitcoin Pirates

What You Need To Know About Bitcoin: Including potential new business models to consider

Recent Reporting on Cryptocurrencies:

What You Need To Know About Bitcoin: Including potential new business models to consider

OODAloop nails it again with reporting on Bitcoin price manipulation

Today Every Company Buys Electricity, Tomorrow Every Company Will Buy Ethereum

Smart Cities Cybersecurity Challenge

Blockchain Templates: Amazon Making Technology Mainstream

How Cryptocurrencies will go from The Technologically Savvy, into the Everyday Transactions of Consumers

What Should Executives Know About How Blockchain, Smart Contracts and Cryptocurrencies Are Disrupting Business?

Cryptocurrencies and their promise for enterprise technology professionals

What Should Executives Know About How Blockchain, Smart Contracts and Cryptocurrencies Are Disrupting Business?

One hundred percent of board of directors and other executive leaders I interact with know of the blockchain. Not all are fans of cryptocurrency, but all seem to be deeply interested in exploring the business impact of the distributed ledger that makes cryptocurrencies work.

There are quite a few interesting use cases out there. Some may hold great potential. But there are also lots of interesting ideas that once you start asking questions don’t make so much sense.

To help you ask the right questions, this article provides some executive level context on what the blockchain is.

At a high level, consider blockchain technology as a system that lets you distribute a ledger that records data and, depending on how it is implemented, can let everyone see the data in ways that prove its accuracy. Some blockchain technologies can do even more than that. Some solutions can provide blockchain capabilities just inside an enterprise. Some can provide ways to program contracts and monitor their execution.

What that as an introduction, here is my view of the things every executive should know about blockchain enabled technologies:

  • Executives should have at least a basic understanding of how the technology works, including the technology of the blockchain behind bitcoin and the blockchain and computing fabric behind Ethereum, which is much more powerful in producing smart contracts. There are some good books on this topic. One we recommend is: Digital Gold: Bitcoin and the Inside Story of the Misfits and Millionaires Trying to Reinvent Money
  • Executives should have a clear understanding that investing in cryptocurrencies is different than investing in blockchain solutions for your business. Investing in cryptocurrencies is a special topic and may also interest you (we recommend everyone open a Coinbase account and put at least a tiny bit of money into some of the currencies there), but for most companies the big investment you will want to make is in developers who can program blockchain enabled solutions (get your tech team learning the tool called Solidity).
  • Executives should know that the use of the term “smart contract” in a blockchain context refers to computer programs that can be written to directly control the transfer of value when certain conditions are met. Smart contracts digitally facilitate, verify, or enforce the negotiation or performance of a contract, all without third party involvement.
  • Although the blockchain will disrupt many industries, the one which may see the biggest impact fastest is the financial sector. Executives in this industry already know this. But all of us who are their customers also need to be thinking through this disruption. We can have a voice in how our financial services providers serve us and should be pushing them to do so smartly with blockchain enabled solutions.
  • Executives should also be on the lookout for new capabilities from venture capital funded companies that can leverage the blockchain to accelerate or improve business functions for your own company. If your competitor works with a firm like this but you do not you could be losing out. If you leverage a partner before a competitor does you can beat them in the market.
  • Consider the impact that blockchain technologies can have on your current company strategy. This is especially important if you are a board member or CEO. You should ensure your entire management team is smart enough on what the concepts are to be able to have intelligent discussion on coming opportunities and threats.
  • Consider ways that smart contracts and blockchain technologies can improve your internal systems. Developers who know how to program blockchain solutions can provide applications that work inside your firm but deliver similar strong benefits as those that run on the public blockchain. We have seen proof of concept solutions like this already and are also seeing a rise in new commercially supported solutions that will soon be available for HR, Admin, Supply Chain Management and even cybersecurity.
  • For executives in technical domains (the CIO, CTO, CDO, CISO), you will find it easy to work through tutorials that show how to build blockchain solutions yourself. I’ve built my coin and learned quite a bit in doing so. Building a coin has become the “hello world” of the new blockchain coding world, and doing that will give you more food for thought.
  • As hinted about above, executives should also be ready to ask questions regarding any proposed solutions that leverages a blockchain technology. Ask, for example, why it is better than a solution that involves a modern database with smart encryption.

Maybe the most important recommendation for executives: View the blockchain with excitement! And channel that excitement into action to improve your business.

CTOvision will be providing more context on this topic in our newest category, Cryptocurrencies and Blockchain. To ensure you never miss a post, be sure to sign up for our newsletters and you will be alerted when we publish.

Recent Reporting on Bitcoin:

What You Need To Know About Bitcoin: Including potential new business models to consider

OODAloop nails it again with reporting on Bitcoin price manipulation

From Crowdsourced Militias to Dread Bitcoin Pirates

Today Every Company Buys Electricity, Tomorrow Every Company Will Buy Ethereum

Smart Cities Cybersecurity Challenge

Blockchain Templates: Amazon Making Technology Mainstream

How Cryptocurrencies will go from The Technologically Savvy, into the Everyday Transactions of Consumers

What Executives Should Know About Ethereum

Cryptocurrencies and their promise for enterprise technology professionals

Cybersecurity Context From Four Top Experts: Rich Baich, Bill Crowell, Anthony J. Ferrante, Jeremy King

CSO Online has just published an interview conducted by  Jeremy King where Jeremy pulled together thoughts and inputs from Rich Baich, Bill Crowell and Anthony J. Ferrante. I’ve tracked these three leaders for years, and have served on boards with Crowell and have witnessed his leadership style and insightful approach to creating workable cyber risk solutions first hand.  I have also long worked with Jeremy King, a well respected, well connected leader and the founder of Benchmark Executive Search.

From the intro to the interview:

As 2018 has arrived, I am honored to have a discussion with three of the most prominent SMEs in the world of cybersecurityRich Baich, Bill Crowell and Anthony J. Ferrante. These experts come from different aspects of the cyber ecosystem and will offer perspectives as a top Fortune 50 CISO, leading cyber venture investor, and a cyber practice leader at top consultancy who was a Chief of Staff of Cyber at FBI. Their answers that follow offer advice on some of the market trends, key issues and innovative solutions that encompass the future of information security. It is worthwhile keeping their comments as a source reference for the board/C-suite and anyone charged with corporate asset protection.

Continue reading at: 3 Top Cyber Experts Speaking Out

Enterprise Security and Functionality Benefits of the new Software Defined Perimeter (SDP) Approach

The dynamic nature of today’s IT Operations has eroded the network perimeter in ways we have all been watching and even cheering on! This is a new world of mobility, cloud computing and rapid partnering for success.

But the erosion of the network perimeter is making traditional security a roadblock to efficiency. No one wants to allow holes to be poked in the security system but no one wants to shut down connectivity to partners either.

The Software Defined Perimeter uses software techniques to render the internal environment invisible to all outsiders, unless trust is granted. Secure connectivity is provided only to trusted users and devices. The SDP approach was pioneered by proven enterprise IT, cloud computing and security experts working collaboratively together under the Cloud Security Alliance (CSA).

SDP Combines:

  • On-device authentication
  • Identity-based access
  • Dynamically provisioned connectivity

Key benefits of this approach include the following unique security properties:

1) Information Hiding

No DNS information or visible ports of protected application infrastructure. SDP protected assets are considered “dark” as it is impossible to port scan for their presence.

2) Pre-authentication

Device identity (of the requesting host) is verified before connectivity is granted. Device identity is determined via a MFA token that is embedded in the TCP or TLS set up.

3) Pre-authorization

Users are provisioned access only to application servers that are appropriate for their role. The identity system utilizes a SAML assertion to inform the SDP Controller of the hosts’ privileges.

4) Application Layer Access

Users are only granted access at an application layer (not network). Additionally SDP typically whitelists the applications on the user’s device – thus provisioned connections are app-to-app.

5) Extensibility

SDP is built on proven, standards-based components such as mutual TLS, SAML and X.509 Certificates. Standards based technology ensures that SDP can be integrated with other security systems such as data encryption or remote attestation systems.

For more information on this approach contact us

Leveraging The FFIEC Cybersecurity Assessment Tool (CAT) To Improve Corporate Culture and Raise Security Posture

The FFIEC (Federal Financial Institutions Examination Council) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

For the last several years the FFIEC has been making contributions to cybersecurity awareness, including initiatives aimed at helping financial institutions better understand and deal with cybersecurity risks. In June 2013, the FFIEC announced the creation of the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. In addition, the FFIEC began assessing and enhancing the state of the industry preparedness and identifying gaps in the regulators’ examination procedures and training that can be closed to strengthen the oversight of cybersecurity readiness.

On 30 June 2015 the FFIEC released a new Cybersecurity Assessment Tool. This tool is intended to help financial organizations large and small better assess and understand risk and also the organization’s maturity in cyber defense.

We have worked with financial institutions and other high risk organization in cyber security assessments for years and have seen first-hand the benefits that the FFIEC approach can provide to organizations. We have also captured many lessons learned from our engagements across the financial (and other) sectors regarding this approach. We share some of those lessons here:

  1. The most important lesson is to understand that the FFIEC CAT should not be seen as just a compliance drill. Regulators will check you for compliance and that is very important. But if used correctly it can also help an organization become more efficient, effective and more secure.
  2. The tool is meant to help and is not designed to be a one-size-fits-all approach. It is best when tailored to your specific organization.
  3. The most important determinant of whether or not the tool will work for you is the attention it gets from senior leadership. And getting their attention means approaching it with the vision of leveraging it to support and enhance business functions. In the financial industry that usually means focusing on enhancing trust among customers and partners.

Here are more thoughts:

The tool has two parts. The first assesses the institution’s inherent risk profile based on five categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

It is this first section that is the most problematic. It seeks to quantify cyber risks in a very simple way, and this is actually a very complex and hard to measure/quantify topic. On top of that, the best topics to address regarding risk are going to vary significantly from company to company, and even division by division for larger firms. Perhaps this first section can just be thought of as a rough plan to deviate from. It can be an important drill to seek to assess cyber risks, of course, but it seems both arrogant and naive of the FFIEC to think that they can produce a matrix that captures risk for every organization. Since most organizations in the highly regulated financial sector will already have a chief risk officer and many risk processes around cyber, maybe this section should just be offered as a template of considerations.

The second section of this tool brings some good ideas and approaches to evaluation of the organization’s Cybersecurity Maturity five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

This is were the tool can make contributions to many organizations. The descriptions and definitions for each of these domains and then the assessment factors in each domain are useful, especially for organizations that do not already have an approach to cybersecurity.

 

 

 

 

 

More Content

Cyber War

SciFi

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]