Tag Archive for: Questions

10 Questions Directors Should Discuss With C-Suites


Many corporate boards have made significant progress in understanding the importance of cyber security to the competitive health and sustainability of the companies they oversee.

They’ve certainly gotten the message that cyber security is not just an IT issue.

And, within the portion of board meetings devoted to risk assessment, cyber security is almost always one of the top items on the agenda.

But most board directors have yet to become as well equipped as they should be to gauge intelligently the extent to which their firms’ management teams are at the top of their games in the war on corporate cyber-attacks.

Few board members engage C-suite executives in meaningful dialogue on the specific strategies they’re undertaking to reduce vulnerabilities to hacks and why particular approaches rather than others are being employed.

I know this firsthand: both from the corporate boards on which I serve and from the boards I advise on business growth and risk-mitigation strategy, especially boards of companies where international transactions are important to their lifeblood—hardly a unique characteristic of many firms in today’s global economic ecosystem in which all of us make decisions one way or another.

The bald fact is that many board members are intimidated to ask the members of their C-suite executive teams who are most centrally responsible for cyber security—traditionally Chief Information Officers (CIOs), but increasingly Chief Information Security Officers (CISOs)—all but the most general technical questions.

Even then, the issues that board directors raise with the C-suite almost always focus on the magnitude of the problem and the degree to which the CISOs believe they have existing threats contained.

And CISOs, for their part, tend to have an incentive to brief their boards on cyber security in relatively dumbed-down language.

It’s been my experience that it is a rare CISO that discusses with his or her board…

Source…

New York Department Of Financial Services Questions Its Regulated Entities On Responses To And Lessons Learned From The SolarWinds Cyberattack – Technology


In December 2020, a cybersecurity company alerted the world to a major cyberattack against the U.S. software development company SolarWinds, through the company’s Orion software product (“SolarWinds Attack”). The SolarWinds Attack went undetected for months, as it has been reported that the hackers accessed the source code for Orion as early as March 2020.[1] Orion is widely used by companies to manage information technology resources, and according to SolarWinds’ Form 8-K filed with the Securities and Exchange Commission, SolarWinds had 33,000 customers that were using Orion as of December 14, 2020.

It is alleged that the SolarWinds Attack was one part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors which focused on stealing sensitive information held by U.S. government agencies and companies that use Orion.[2] The hack was perpetrated through SolarWinds sending its customers routine system software updates.[3] SolarWinds unknowingly sent out software updates to its customers that included the hacked code, which allowed the hackers to access customers’ information technology and install malware that helped them spy on SolarWinds’ customers, including private companies and government entities, thereby exposing up to 18,000 of its customers to the cyberattack.

The New York Department of Financial Services (“DFS”) alerted DFS-regulated entities to the SolarWinds Attack on December 18, 2020 through the “Supply Chain Compromise Alert.”[4] The Supply Chain Compromise Alert included guidance from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, SolarWinds, and other sources, and reminded the regulated entities of their obligations under the New York Cybersecurity Regulation (“Cybersecurity Regulation”), adopted in 2017, which requires DFS-regulated entities, including New York banks, insurance companies and producers, and other financial services firms, to develop a comprehensive cybersecurity program, implement specific cybersecurity controls, assess cybersecurity risks posed by third-party service providers, and notify the DFS of “cybersecurity…

Source…

Shooting at Ladd raises questions about security procedures | Mobile County Alabama News


MOBILE, Ala. (WALA) - Last Friday’s shooting during the Vigor vs Williamson game is once again raising questions about security procedures for high school games. You may remember that security came under scrutiny in 2019 after a shooting during the Williamson vs Leflore game.

That’s when the school system bought metal detectors to be set up at the entrances to all Mobile County Public School football games. They also updated their security protocol. But something went wrong last Friday.

The Mobile County District Attorney’s Office says that both suspects in custody, and at least one other suspect they are still looking for, left the game and returned some time after the metal detectors were removed.

The Mobile County Public School System says the metal detectors are normally taken down midway through the third quarter, at which time the gates are supposed to be secured and no one is allowed re-entry to the game.

The updated safety protocols that were announced after the 2019 shooting say “there will be a uniformed officer at both gates - the home and visitor gates - for the duration of the game until the game has ended and the stadium is cleared.”

The Ladd-Peebles Stadium board of directors said last night that the Mobile County Public School System more or less dictates security measures. But the school system says Ladd-Peebles Stadium is responsible for providing the uniformed officers and for making sure the gates are secured. The contract between the Mobile County Public School System and Ladd says “security personnel as the stadium general manager decides in his sole discretion shall be paid by the board and reimbursed by the tenant.”

Source…

Deliver Amazing: Top 10 Questions Every App Security RFP Should Answer


Cybercriminals are hot on the money trail—and the path is leading straight to unprotected mobile applications in the fintech and banking industries. According to Verizon’s Mobile Security Index 2020 Report, 39 percent of organizations surveyed experienced a security compromise involving a mobile security device in 2020, up from 33 percent in 2019 and 27 percent the previous year.

And it’s not just financial services at risk. Nearly all market sectors are witnessing a rise in cyber attacks, from ecommerce and telehealth to manufacturing and automotive. And applications are increasingly becoming the preferred threat gateway for hackers. Why the global surge? Nearly every organization today is an app company, whether they identify as one or not, because so many of today’s leading businesses are powered by apps. Combine that with the rising value of pilfered app data and we have a recipe for a crisis. Several cybersecurity researchers are quoted as saying that a single PHI record is 10 times more valuable on the dark web than a stolen credit card credential.

With traditional perimeter security ineffective in keeping mobile apps used outside the firewall safe, organizations are turning to solutions that protect the app, rather than the network. These app security solutions can be added to mobile apps to safeguard the data stored in mobile devices and to comply with consumer data privacy regulations, such as GDPR, NY Shield, or CCPA. They also prevent breached applications from becoming a vector to attack resources within the broader corporate infrastructure.

Why App Security Solutions Work

App security solutions work by precluding attackers from reverse engineering mobile apps to find vulnerabilities in the code and exploit them to steal data or access the wider corporate network. They provide protection at three levels:

Code obfuscation prevents static analysis of how the code is structured.

Environmental checks ensure code is running within a secure and trustworthy environment, blocking attempts to dynamically analyze the way the code operates.

Anti-tamper technology prevents attackers from modifying code within the app to perform malicious activities.

While app security…

Source…