© Critical Informatics Inc., All Rights Reserved 2016

Threat Intelligence Blog

The Been There, Bled There Blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, "Get off of my Lawn!" As they say, "You Can't Make This Stuff Up!"
(206) 687-9100
Separating the Church of Personal Use from the State of Authorized Activity

1/18/2017, by Michael Hamilton, CISSP, CEO

Government manages by landmine, as do many private sector businesses - I don't think anyone would disagree. Government cannot be convinced to act proactively in the face of a perceived threat - the impact must actually be felt before legislative or board action is taken. Predictions of lost business, brand damage, fines, or increased regulatory oversight fail to move the needle - although recent class action suits and accusations of executive gross negligence seem to have some pucker power.

Policy, or the set of rules under which we are either mandated to, or agree to, operate, can be a powerful security tool - especially with a technical enforcement mechanism - and we're coming up on the time when policies need a hard look for what they can achieve.

Way back when I was CISO of a US city known for its tech business, we collected metrics used to demonstrate that 40% of the compromised assets in the organization were due to the use of personal e-mail. 40%! After spending all the money to ensure that Outlook was free of bad attachments, links, and spam, users could have a web browser open to their ISP email account, happily going through all the clickbait they've attracted through online activities. So how effective was it to spend all that money? Further, it's reported that 91% of "hacks" start with phishing to obtain credentials for easy entry, and social media exposures make the creation of compelling bait that much easier.

So follow the logic here: attacks start with phishing for credentials, social media sites are rich sources of targeting information, and personal e-mail use is a significant attack vector. Therefore, disallow personal use, and a lot of the problem goes right off a cliff! Through a policy change! If personal use were constrained to personal devices, you would have raised the cost for threat actors to gain entry.

Everyone understands that the Internet is a useful tool for research, marketing, outreach and customer engagement. But those activities are different from the entertainment aspects of social media, personal communication, and just "surfing" - so technical enforcement of the policy would be nontrivial. However, a stated policy, combined with the occasional public hanging for noncompliance, would be a powerful demonstration of commitment. The time is coming to separate the church of Facebook from the state of business and government operations.
