CISO Holiday Bookshelf

I tweeted this article out yesterday, but wanted to go ahead and add a few comments.  I have personally read a few of these books and many of the others are on my reading list.  I am a particular fan of “The Phoenix Project” for anyone who has worked in an IT shop, specifically one in Retail.  I started seeing co-workers on every page.  Gene Kim and team did an excellent job capturing the realities and hopes of DevOps.

I also just finished “SpamNation”.  Kudos to Brian Krebs for all of his efforts to make all of us safer from criminals and spambots the world over.  I also want to complement the Epilogue.  Mr. Krebs took the time to provide some very sound advice to his readers.

Patch management could save you big bucks… and a fine

This is a great read for anyone debating the cost benefit analysis around holistic security and the demands of compliance specific standards like HIPAA and PCI.  It only takes one breach to bring security efforts and their costs into focus.

EU to demand 2-factor for online payments by August 2015?

This type of regulation is an excited and necessary next step to try and curb the fraud surrounding online transactions.  That said for those of us in the United States, we should not get too terribly excited as regulatory changes in Europe seem to take several additional years before they trickle down to us and US industry generally.  However, a move to stronger and more consistent 2-factor authentication in the EU will mean better optional implementations in the US.

Korean Nuclear Power Plant Plans Cyber Attack Drills In Wake of Hacker Threats

I have very happy to see this level of preparedness on the part of energy officials in South Korea.  Threats to critical infrastructure are certainly real and in some cases more eminent than we care to admit.  All nation states should have tested and realistic plans to deal with these type of threats.  Such a practice is not reactionary or alarmist, but instead prudent and pragmatic.

Sony & North Korea: A Call to Cyber Arms or Better Defense?

For the record, I vote for “better defense”.  Much of the IT security community agrees that these attacks against Sony were probably not directly engineered by players in North Korea.  That said, retaliation gets us no closer to a solution.  As I wrote yesterday, this is not a tit for tat situation.  The US must manage this at a much larger and more practical level.  A best first step would be the strengthening of this country’s cyber defense stance followed by a mechanism to encourage the same in all significant business and economic sectors.

My Thoughts – Sony pulls ‘The Interview’ after 9/11 terror threat

This is just one link to one of dozens of articles concerning the Sony breach and the subsequent pulling of “The Interview” from movie theaters around the country.  I like many of you am both angered and frustrated at this entire situation, from Sony’s response to the conjecture of retaliatory attacks by the US government against North Korea.

First and foremost, this entire situation is an example of cyber-bullying targeted at the US Constitution and its freedom of expression as well as the very nature of capitalism in a free market society.  Every American should be outraged that the acts of one nation state could influence what appears at an American theater.  It really is that simple.  Corporate America is bowing to the whim of a violent dictator.  We are setting a very dangerous precedent by allowing this to happen.

Secondly, Sony is clearly not guiltless in this situation either.  Like most instances of bullying, Sony was not prepared for conflict.  They found themselves cornered on the playground with their IT pants pulled down around their ankles due to a complete and utter disregard for proper cyber defenses.  Other corporations desperately need to take notice and prepare themselves.  There are plenty of bullies on the playground of our world’s economic stage and the environment is ripe for a wave of similar extortion attempts and cyber attacks.

Finally, retaliation in the forms being bantered around via public media outlets is not the answer.  There are no real value-added cyber targets in North Korea and the attack itself was clearly outsourced to players located in other locations throughout the world.  Retaliation and retribution need to come in the form of real world controls.  This is not a tit for tat situation.  At the end of the day, the American infrastructure is under attack, either physically or economically, and that kind of threat should be handled in a serious manner and at the highest levels of government.  As citizens, we have a right and responsibility to demand this of our elected officials.  Do not be lulled into thinking this is just about a silly movie and the bruised egos of the Hollywood elite.