What happened to cloud security by design ?
Does that mean that cloud by design is not secure ?
To provide confidence and assurance?
– business can depend upon and trust our technologies
– business is not exposed to unacceptable risk
– business can meet its objectives and grasp opportunities
To protect business assets?
– technology and our use of it are ‘secure’
– information and our use of it are ‘secure’
To support the business objectives?
– what is our mission?
– what are our strategic, tactical and operational business objectives?
Source: SABSA courses.
A lot of big-name companies are falling victim to ransomware, and I am afraid most organisations are not well equipped to fight these new waves of attack and end up coughing up €£$.
Garmin fell victim to one of these attacks, and as a user of its services I was affected for a few days, unable to sync my data to the right cloud services. Sorry to use this example, but I couldn’t stop asking myself questions such as: what is their backup and restore capability? If they fall victim to ransomware, what is their cybersecurity defence posture? If they end up paying the ransom, are they likely to be attacked again? And again?
I am not saying Garmin paid the ransom, but other victims do pay the ransom, and the bad guys are not guaranteed to keep their word. All that is known is that they will attack again and ask for more €££. Make sure your backup and restore strategy works this time around.
You can’t build a house on a sandy foundation, so the saying goes. I am not sure who said that, but it makes sense: you can’t build a 100-floor building on a shaky foundation. The same goes for your security career. You need to have the basic foundation for whatever path you choose, whether being a pentester or a GRC consultant.
From a pentester’s view, you will need to understand how computers, networks, applications, storage and cloud work at a very rudimentary and fundamental level. The good pentester is a crafty pentester, just like an artist, Picasso? Tools will help you, but thinking inside and outside the box is needed, and that is only possible if you have the fundamentals and know how the machine works.
That’s been my approach in my career, and I can see some progress since I started back in 2007. Know the fundamentals and keep yourself updated.
This might not be a good comparison, or one may think it is a weird one. For the past three decades technologists and cyber security vendors have worked hard to produce the best of breed when it comes to technical security controls based on hardware, now transitioning to software-based or software-defined alternatives. Around the same time the bad guys, whatever hat colour they wear, have also been busy trying to poke holes in these controls, and they only need one good strike out of 1000000 tries. To be fair, they have been successful, to say the least.
But what has evolved slowly is the human firewall as a defence, as organisations still believe a hardware- or software-based firewall is the only good security control to stop bad guys from the internet getting into their organisations. Well, if you have been counting, this is a long war, and every now and then the good guys may win, but playing the long game, the bad guys have the upper hand.
Regardless of the advancement of technology, the human still remains the weakest link in the chain, and organisations should invest reasonably well in fortifying the human firewall, because at the end of the day, you may have all the good, shiny, updated hardware and software firewalls, but if you don’t have a strong human firewall, you will always fall victim.
The other day a friend asked me how one should start a security career. What is the best path, course to study or security certification to go for? Well, my answer always starts with: do the CISSP certification. Why do I say that? Why not ISO 27001, why not SABSA?
One simple reason: CISSP covers a lot of domains, originally about 10 domains and now squeezed to 8 domains. CISSP to me covers a lot of ground, is good for the security generalist and is a good introduction to security as a preparatory course. The second reason is that CISSP requires a lot of effort, preparation and time investment to pass the exam. Even when one doesn’t pass the exam, the knowledge gained is valuable and an eye-opener to the security world.
So those are basically my simple reasons. Security over the years has matured, and now you can be a specialist in any of the fields below:
– penetration testing and threat hunting
– incident response
– threat intelligence
– security operations and DevOps
– secure development
– cloud security
– security architecture
– governance, risk and compliance
– and many more. All these domains have their own certifications, so find your passion, develop your area of competence and be called an expert. I guarantee you it won’t be an overnight success. Good luck.
Most businesses prefer to outsource some of their services because of cost or resource reasons, or a combination of both. Some of the outsourced services require special skills, but nonetheless the outsourced data still remains the responsibility of the outsourcing company; the service provider simply retains the data and is trusted to be a good custodian and keep the data safe (or so it is thought to be the case).
Most companies have a ‘right to audit’ clause embedded in their agreements, and this takes the form of a third-party assessment; you can call it spot checks, due diligence or whatever name fits. Over the years, I have been involved with these sorts of assessments, from onsite assessments to reviewing questionnaires, or some just send their ISO 27001 certificates and say we are secure, don’t worry about your data.
Whilst the effectiveness of the assessment is based on the organisation’s risk appetite, personally I have problems with questionnaire-based assessment, which in most cases is a self-assessment questionnaire, when the service provider provides responses without attaching evidence. I believe onsite assessment provides more value and is a more evidence-based assessment. Whilst the issue of cost might be a limiting factor in conducting these sorts of assessments, I would take the approach of a questionnaire with an additional remote assessment via video conference facilities and additional evidence uploaded to back up the responses.
In the next post I will cover the following aspects of third-party assessment: (1) what needs to be assessed, (2) framework, (3) frequency of the assessment.
Nobody makes it alone to the top in the corporate world, but I know there are exceptions for those one-man armies. Regardless of how you made it to the top or how you joined the security profession, I think you feel some sort of responsibility to give back to the community, and this is my motivation to give back to the community by means of mentoring young professionals or those on their journey.
I welcome anyone that needs my advice, please reach me at kinyoka at hotmail.com
This post has been sitting in my drafts for about 3 weeks, from when things weren’t as bad as they are right now. The public data for the UK shows death numbers in excess of 9500 as of 11th April 2020. No news of a vaccine or a way to contain the virus, but my hopes are high, and to play my part I follow what the UK government advises us to do.
So back to our little infosec/cybersec world: I think there is more we can do to help from the defence side, including making sure the bad guys are not taking these difficult moments to get the better of people and organisations, especially the hospitals and medical care communities.
This post is more about what we can learn from this pandemic, and I will update the lessons as we go along.
How you prepare for the event
This may be the time when you think of your DR, BCP and IRP plans and wish you had tested them as frequently as possible. The sad truth is that these plans are hardly ever tested, or when tested, are tested at least annually only to satisfy some regulatory requirement. So there you go: increase the frequency of testing these plans, as you never know when you will need them.
How you respond to event
Now you have your plan, and you get it tested once a year, but how do you test it? Table top? One scenario? Excuses might be thrown in saying you don’t have the resources or the time, but when disaster comes you will need time and resources, hence test the plan as if your life depends on it, because that is how you are going to respond.
Controls do not always work
You should be able to test your security controls’ effectiveness and establish how much you rely on them and what improvement is needed to meet the stated business requirements.
With the coronavirus disaster, a lot of businesses have suffered and others are going under, like those in the leisure and airline industries, and other businesses have needed to reinvent the way they work and engage their customers.
Move faster than the attack
We are in a war against the coronavirus, and while all the protocols have been followed to contain the virus to some extent, in the business world the defence teams should be able to move fast to contain attacks in the same way in order to defend the business; otherwise the attacker will have the upper hand and completely paralyse your business. Think like an attacker, so move faster than them.
It is 15th March 2020, and with the headlines everywhere I can’t help but notice how the coronavirus (COVID-19) is causing havoc to humans first and business second, or the other way around, depending on your take. Yes, the businesses have been hit hard, from the travel industries to cyber security consulting (seeing some well-known consulting firms’ share prices drop by 20% in a couple of weeks’ time!). The situation is getting worse.
While we know that on a good day AI gets the praise and the good promises that it will help mankind, I was wondering, and maybe many of you are, how has AI so far helped to fight what will soon be called a pandemic? Is there any way that AI can come to the rescue?