The Security vs Customer Experience Dilemma – What Comes First in Software Design?

CybeRiskBlog, Cybersecurity

The digital economy of information exchange, electronic transactions, targeted content, and real-time communications is a customer-centric ecosystem in which satisfying the consumer is a dynamic process, capable of making or breaking the success of a commercial enterprise. Self-service, rapid fulfillment, and ease of access are paramount to the customer experience (CX) – but the mechanisms required to make these services work may expose corporate networks to unmanageable traffic loads, and put a strain on enterprise resources at any number of levels. Security is a consideration which must be factored into the delivery of goods and services in the consumer-centered economy. In the design of websites, eCommerce portals, self-service hubs, and other online presence points, business owners must face the dilemma … Read More

Securing Mail Relay is a Priority For Any Enterprise Security Program

CybeRiskBlog, Cybersecurity

Despite advances in telecommunications which have made real-time exchange media like video chat and Instant Messaging available, email remains one of the principal methods of establishing and maintaining personal and business contact. Individual and corporate identities and reputations may hinge on the way in which email communications are perceived by their recipients – in terms of content, etiquette, and relevance. Because of their central role in corporate affairs – and because of their potential to reach multiple potential victims – mail servers are often targeted by cyber-criminals and saboteurs. So securing mail servers and securing mail relay should be a priority consideration in any enterprise security program.

Securing Mail Relay – The Menace of Spam

Besides its capacity to annoy … Read More

Penetration Testing – The Connection Between Pen-Testers and Lockpicking

CybeRiskBlog, Cybersecurity

In an environment where innovation and collaboration are as much a part of the cyber-criminal ecosystem as they are a part of the tool-kit of the security professionals who must manage it, there’s a need for rapid response, real-time interventions, and awareness of the real-world applications and threat vectors used by today’s cyber-criminals. This is why some form of stress or penetration testing is a necessary factor in enabling organizations to maintain a robust security posture. Traditionally, pen-testers have had to think and act like hackers in order to fulfill their remit – and it’s no coincidence that many in the profession have a background which takes in at least some aspects of the darker side of Information Technology. With … Read More

The Chief Information Security Officer – What Role Does the CISO Play Today?

CybeRiskBlog, Cybersecurity

With a job title as varied as the organizations which define it – chief security officer (CSO), security manager, chief security architect, information security manager, or corporate security officer, to name a few – today’s Chief Information Security Officer (CISO) is also increasingly called upon to wear an alternating series of hats, in negotiating the intricate web of enterprise security and corporate hierarchy. While overseeing the policies, tools, and practices that safeguard enterprise cyber-security, the CISO is simultaneously required to speak the language and enact the practices of the business arena. So anyone occupying this position must tread a wary and complex path, in order to fulfill their remit. As so much hinges on a successful tenure for the CISO … Read More

Financial Sector Cybersecurity – Does Regulatory Compliance mean we are secure?

CybeRiskBlog, Cybersecurity

Simply in terms of good business practice, banks and other institutions in the financial sector have an obligation to safeguard the privacy and information of their customers, protect their assets, and provide restitution in cases where it’s justified. But throughout the world, these obligations are also enshrined in law and enforced through various sets of legal and procedural guidelines, criteria and specifications for regulatory compliance, and fines or penalties for deviating from any of these. The laws and compliance regimes for financial sector cybersecurity may be in place – and financial institutions may be taking steps to meet all of the conditions they lay down – but it’s open to debate whether simply adhering to the demands of regulatory compliance … Read More

Blockchain and Virtual Currency – Origins of the Cryptocurrency “Boom” and Some Murky Realities

CybeRiskBlog, Cybersecurity

Attention – both positive and negative – continues to be drawn to the emerging blockchain technology, and its potential to disrupt and transform the way we do business, and the ways in which cyber-security may be enforced and deployed. Much of the negative attention has been focused on the blockchain’s application in financial circles – most especially in the proliferation of so-called virtual or “cryptocurrencies” being traded outside the jurisdiction of traditional regulatory frameworks. As recently as last week, federal authorities in the United States shut down the operations of one of the highest ranking virtual currency traders (the Bitcoin platform BTC-e), in a move that highlights the need for greater oversight and governance in at least some aspects of … Read More

SCADA – Supervisory Control and Data Acquisition Networks

CybeRiskBlog, Cybersecurity

Physical controls and operations within the facilities housing elements of our most critical infrastructure – industrial manufacturing, power generation and distribution, oil and chemical refining, and large-scale telecommunications systems, to name a few – rely on some form of Supervisory Control And Data Acquisition Network (or SCADA network), and/or Industrial Control Systems (ICS). SCADA networks are at the heart of our most essential services, with lives and livelihoods depending on their trouble-free and continuous operation. The consequences of a major compromise to these networks could be catastrophic – and if any SCADA resources were to be held to ransom (now that there are the malware tools available for doing this), authorities might be tempted to pay any price, to get … Read More

Shadow Admins – Hidden or Forgotten “Super Users” that Undermine Network Security

CybeRiskBlog, Cybersecurity

The busy work of network management often requires administrators to make on-the-fly decisions to facilitate access and streamline ongoing business operations. Among these measures may be temporarily elevating the access rights of specific users without recording these changes in the Active Directory (AD) of an organization – on the understanding/assumption that these elevated rights will be downgraded once the conditions demanding them have been met. But with human nature being what it is (and network administrators being as human as anyone else), decisions like this may be forgotten in the rush to address the next crisis or challenge facing the enterprise – potentially leaving a population of undocumented network users with privileges and access rights beyond their officially recorded status. … Read More

Red Team – Pros and Cons of In-House vs Outsourced Penetration Testing

CybeRiskBlog, Cybersecurity

There’s a growing consensus in some circles that a cyber security strategy based solely on hardware, software, and policy-setting simply isn’t enough to ensure the safety and integrity of enterprise data and networks. This school of thought holds that, for a fully comprehensive security stance to be maintained, enterprise resources, infrastructure, and personnel have to be tested under fire – so as to gain experience of the actual conditions surrounding a cyber-attack or security breach, and to establish the state of weakness or readiness of enterprise defenses as a whole. Penetration testing is the necessary element which must be added to the cyber security mix. But there’s still some debate as to whether the “red teams” conducting these exercises should … Read More

Pros and Cons of “SOC” (SOC as a Service) or “MSS” (Managed Security Services)

CybeRiskBlog, Cybersecurity

For some years now, enterprises looking to reduce the strain on their financial, human, and other resources have been looking to external suppliers to flesh out their organizational portfolios – in the form of cloud-based infrastructure, applications, and services, or the outsourcing of essential functions to qualified third parties. Enterprise security has not been exempt from this trend, and with the evolution of the outsourcing market has come the packaging of almost every aspect of IT as a subscription-based or on-demand commodity. Service offerings from third parties give enterprises the opportunity to gain from state-of-the-art technologies and the expertise of seasoned security professionals, while avoiding the significant capital outlays, recurring and maintenance costs, and management complexity of having to do … Read More