Informazioni personali

Cerca nel blog

Translate

martedì 8 settembre 2015

Time for enterprises to think about security, seriously

English: A map of Europe divided into countrie...
English: A map of Europe divided into countries; where EU member states are further divided by NUTS level 3 areas. The NUTS 3 areas are shaded green according to their GDP per capita in 2007 at current market prices in euros; darker green denotes higher GDP per capita and lighter green, lower GDP per capita. (Photo credit: Wikipedia)

View image | gettyimages.com

UE directive on Attack against information systems  give us no more excuse to deal seriously,

Under the new rules, illegal access, system interference or interception constitute criminal offence across the EU. But while the legislator is working to create tools to address cybercrime as a Whole system problem, that is affecting EU economy, what are enterprise doing on this side?

The problem is that if enterprises does not align their cyber security defence to the correct approach every legislation will be useless, because the target will be always too easy.

Makes absolutely no sense to start a security system while internally you use Explorer 8 and Windows 7 as default OS. make absolutely no sense to rely on firewall and ipsids inside without implementing a correct siem infrastructure.

Make absolutely no sense to try to keep Intellectual property if we do not add a correct dlp system, that means to have also categorization and processes.

Make absolutely no sense to beg for security if our Windows environment is poorly designed,

It is time to change our security approach from an annoying task to a foundation of our systems. we do not discuss the need of a CFO and risk analysis related to finance why it is so hard to make the same on information and cyber security (let me add also privacy)?

CSO role, and DPO ones, should be at the heart of every  board as the CFO, the HR and the other company roles.

Alas CSO and DPO need a high level of Independence, since their roles itself need to be a source of control and guidance for the entire company (no more no less than a CFO). And both the roles are not “IT geek guys stuff” since require specific knowledge, that goes beyond the IT implementation.

Alas if architectural roles are still a minority in the IT world, we can imagine how hard could be to find those other figures that requires the ability to see the security inside the business and deal with a wide range of interfaces not necessarily technical.

This is a wide problem that cover all sectors of the industries. there is no more area that can be safe from IT implications. The Jeep cars hack is just an example another example of how serious is the question.

a correct cyber and information security approach should take in account:

  1. how we protect ourself from the external threats
  2. how we implement internally a secure aware process to deal with the valuable information we process
  3. how we implement a secure aware production process
  4. how we contribute to the progress of the cyber and information safety in our environment and ecosystem.

does not matter who we are or what we do those 4 points can’t be avoided anymore.

and can’t be managed as a geek itch to be scratched.

  1. how we protect ourself from the external threats

Point one is historically the first implemented, but also one of the worst nightmare.

Security is usually seen as a series of Patches to be put on system after the design. and usually this is done putting a “firewall” or a “next generation firewall” or some other marketing driven Technologies, not considering that any insertion is useless if not seen into a serious context and design.

And the design start with the simplest questions:

  • what I want to do with my IT?
  • what is the value of IT for my business?
  • what is the implication of the IT process in our process?

Budget and design should follow accordingly to that.

but design can’t avoid simply facts as:

Things need to be patched and upgraded to maintain a minimum baseline of efficiency and security

process should be design accordingly to the technology, the people and the business

if you don’t do this you keep having people surprised by the End of Support of the old Windows versions and using Windows Explorer 8 browsers just for “compatibility issues”.

If you do this  to proof you do not understand anything about IT, you did a good job otherwise, well we have a problem.

2. how we implement internally a secure aware process to deal with the valuable information we process

We can implement whatever we want, but if we do not have a clear picture of what we are going to protect and why, all the design is useless.

I wrote in the past how hard is to understand what is and where is the value in our data. Still so many people does not consider that most of the Intellectual Property of our company is in our email servers or pst files, or that names, addresses and emails have a value for the criminal cyberworld even if we do not value it…

Internal processes are usually bad designed because they do not keep into account what need to be protected, :

  • resources
  • people
  • training
  • controls
  • metrics

And of course the most important request of all, KISS implementation (Keep It Simple Stupid).

having more than 1000 processes in place is not a good thing, is a nightmare.

3. how we implement a secure aware production process

No matter if we write code, make hardware or make paperwork, how secure is our work? how can be be sure the component we are using do what we want and have not be tampered? if we write code how we can be sure we write good, secure code? if we do cars how can we be sure that our entertainment system could not allow to take control of the car’s brakes?

it all the same, we need to implement security in our production process, this means being able to set up controls and metrics (again) that span all the production line, and involve also who provide us services or parts.

is our financial broker a secure interface? can we trust those derivates? can i trust this code?… is all about security.

if we delivery anything to anyone, HW, SW, Service of any kind we have a production system that need to be secured. sometimes the law help us putting references, sometimes is our job to create those references.

but if can’t provide a trustworthy production system why the customer should trust us?

it is not only IT, it is security, IT is just a part of the equation.

4. how we contribute to the progress of the cyber and information safety in our environment and ecosystem.

And we can’t be secure in an insecure world, we are all player of an interconnected world. we can’t think of security in the finance systems without the collaboration of all players (banks, governments, regulators bodies), the same should be for IT. But we are years behind, so it is time we take our part of responsibility and start collaborating to make the environment safer.

Kicking out the bad thing is a long, never ending process that require a lot of effort from everyone, all the players should be in charge of a part of the responsibility. if we are not cure we lower the overall security, so if a car can be hacked it is a danger for all the other cars on the streets, the same if enterprise do not keep this thing seriously they are a danger for all the rest.

collaborating, exchanging ideas, listening and Learning, there are a lot of different ways to do so.

Activities like the ENISA EU cyber security months that will be held in October are a great moment to think about security and related issues

just watch at the weeks arguments:

  • Week 1Cyber Security Training for Employees
  • Week 2Creating a Culture of Cyber Security at Work
  • Week 3Code Week for All
  • Week 4Understanding Cloud Solutions for All
  • Week 5Digital Single Market for All

this is what I am talking about. I strongly suggest that you all participate as citizens, companies, public entity. there is much to learn much to do, it’s time.

cheers

sent by Microsoft Edge

 

 

 

Nessun commento:

Posta un commento