Information Security, Cyberwarfare, Security Guidelines.
Oct 26th, 2011
This year has seen an unprecedented number of highly visible cybersecurity events. Entire countries disappeared from the internet during the riots and revolts in North Africa, Egypt and Libya. In San Francisco, e-mail and mobile phone service in the metropolitan underground was cut off by the authorities to “protect us”.
Reportedly the hacker group Anonymous has now threatened to take down the New York Stock Exchange’s computers in what we at Riskope would see as a “logical” development of the Men against Machines War we described in a recent posting in this blog.
A new report from the Georgia Tech Information Security Center warns that the trend will accelerate, and based on our own experience, they are not the only ones to believe so.
Several related studies we are performing are indeed pinpointing risks linked to search poisoning, mobile web-based attacks, more conventional hijacked computers (botnets), etc.
Although many believe common sense is the best defence, we are of the opinion that private, institutional and corporate clients should take things way more seriously. Thus, we are happy to see that some of our clairvoyant clients have asked us to perform holistic and full-scope risk assessments on their information systems, as they were feeling the pressure rising in this area.
Third-party review jobs on proposed Information Security, Information Risk Management, etc. Guidelines.
Today we have decided to publish a short post on a specific aspect of our work. Thus, we discuss third-party review jobs on proposed Information Security, Information Risk Management, etc. Guidelines.
But before going there, we’d like to point out that Information Security Guidelines and methodologies are indeed the subject of numerous web-based resources. Among those, for example:
- ANSSI (French), which leads to a qualitative, colour-based, obsolete risk assessment, or the
- US-CERT (American) “software”. This one apparently only works on Windows-based systems. Sorry for all the other ones like Apple, Linux, Android! It guides its users to what we consider excessively “light, unfocused and very superficial” reporting.
Well, going back to our Third Party Review Report, which we censored to protect client confidentiality and which is based on our client’s new proposed Information Security Guidelines, we raised the following four major general points:
- It is essential that all employees clearly understand the value of the Company’s information. That goes together with their individual and collective responsibility to protect it. Awareness constitutes the first line of defence.
- Riskope encourages our clients to “break up the information silos”. In fact, information security should cover all activities and tasks, including the selection, hiring, etc. of personnel, subcontractors and suppliers.
- Riskope encourages the compilation of several versions of the Information Security/Risk Management Guidelines. These should address the needs of the various layers of users.
- Finally, Guidelines should include a formal and well-structured reference to the assessment of, and resulting protection from, physical man-made or natural hazards. There should be a direct link to business continuity plans, resumption plans, backup capabilities, etc.
In the third party review report you will find many more points, bearing on specific Information Security themes.
As you can hopefully “feel” from the reading, unbalanced or weak guidelines can give a wrong sense of security to their users. Even worse, they can actually totally miss their goal.
With our group of experts in Cyber Defence (CYD) and Cybersecurity, Riskope can perform audits and penetration tests on your company’s systems. We can write well-balanced Security Guidelines, review them, and support your efforts.