Tag Archive for: Questions

Cybersecurity experts struggle to answer lawmakers’ questions on Log4J hacking


Cybersecurity experts struggled Tuesday to answer lawmakers’ basic questions about the danger of a flaw in the open-source logging platform Apache Log4J that could plague computer network defenders for years to come.

The vulnerability was disclosed in December, and the software's widespread use led the FBI to tell victims in the immediate aftermath that it might not respond to them because of how large the pool of potential victims had grown.

Nearly two months after its disclosure, cybersecurity professionals said they were unable to answer senators' questions about how the vulnerability may have been weaponized for years without detection, or about the full picture of who was at risk.

Potential victims reside in a range of industries including electric power, water, transportation, food, and manufacturing, according to the cybersecurity firm Dragos.

Source…

10 Questions Directors Should Discuss With C-Suites


Many corporate boards have made significant progress in understanding the importance of cyber security to the competitive health and sustainability of the companies they oversee.

They’ve certainly gotten the message that cyber security is not just an IT issue.

And, within the portion of board meetings devoted to risk assessment, cyber security is almost always one of the top items on the agenda.

But most board directors have yet to become as well equipped as they should be to gauge intelligently how well their firms' management teams are performing in the war on corporate cyber-attacks.

Few board members engage C-suite executives in meaningful dialogue on the specific strategies they’re undertaking to reduce vulnerabilities to hacks and why particular approaches rather than others are being employed.

I know this firsthand, both from the corporate boards on which I serve and from the boards I advise on business growth and risk-mitigation strategy, especially boards of companies for which international transactions are their lifeblood, hardly a unique characteristic among firms in today's global economic ecosystem, in which all of us make decisions one way or another.

The bald fact is that many board members are too intimidated to ask the C-suite executives most centrally responsible for cyber security, traditionally Chief Information Officers (CIOs) but increasingly Chief Information Security Officers (CISOs), anything but the most general technical questions.

Even then, the issues that board directors raise with the C-suite almost always focus on the magnitude of the problem and the degree to which the CISOs believe they have existing threats contained.

And CISOs, for their part, tend to have an incentive to brief their boards on cyber security in relatively dumbed-down language.

It's been my experience that it is a rare CISO who discusses with his or her board…

Source…

New York Department Of Financial Services Questions Its Regulated Entities On Responses To And Lessons Learned From The SolarWinds Cyberattack – Technology


In December 2020, a cybersecurity company alerted the world to a major cyberattack against the U.S. software development company SolarWinds, carried out through the company's Orion software product (the "SolarWinds Attack"). The SolarWinds Attack went undetected for months; it has been reported that the hackers accessed the source code for Orion as early as March 2020.[1] Orion is widely used by companies to manage information technology resources, and according to the Form 8-K that SolarWinds filed with the Securities and Exchange Commission, SolarWinds had 33,000 customers using Orion as of December 14, 2020.

It is alleged that the SolarWinds Attack was one part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors that focused on stealing sensitive information held by U.S. government agencies and companies that use Orion.[2] The hack was perpetrated through SolarWinds sending its customers routine system software updates.[3] SolarWinds unknowingly sent out software updates to its customers that included the hacked code, which gave the hackers access to customers' information technology environments and let them install malware to spy on SolarWinds' customers, including private companies and government entities, thereby exposing up to 18,000 of its customers to the cyberattack.

The New York Department of Financial Services ("DFS") alerted DFS-regulated entities to the SolarWinds Attack on December 18, 2020 through the "Supply Chain Compromise Alert."[4] The Supply Chain Compromise Alert included guidance from the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, SolarWinds, and other sources, and reminded the regulated entities of their obligations under the New York Cybersecurity Regulation ("Cybersecurity Regulation"), adopted in 2017, which requires DFS-regulated entities, including New York banks, insurance companies and producers, and other financial services firms, to develop a comprehensive cybersecurity program, implement specific cybersecurity controls, assess cybersecurity risks posed by third-party service providers, and notify the DFS of "cybersecurity…

Source…

Shooting at Ladd raises questions about security procedures | Mobile County Alabama News


MOBILE, Ala. (WALA) - Last Friday's shooting during the Vigor vs. Williamson game is once again raising questions about security procedures at high school games. You may remember that security came under scrutiny in 2019 after a shooting during the Williamson vs. Leflore game.

That’s when the school system bought metal detectors to be set up at the entrances to all Mobile County Public School football games. They also updated their security protocol. But something went wrong last Friday.

The Mobile County District Attorney's Office says that both suspects in custody, and at least one other suspect they are still looking for, left the game and returned some time after the metal detectors were removed.

The Mobile County Public School System says the metal detectors are normally taken down midway through the third quarter, at which time the gates are supposed to be secured and no one is allowed re-entry to the game.

The updated safety protocols that were announced after the 2019 shooting say “there will be a uniformed officer at both gates-the home and visitor gates- for the duration of the game until the game has ended and the stadium is cleared.”

The Ladd-Peebles Stadium board of directors said last night that the Mobile County Public School System more or less dictates security measures. But the school system says Ladd-Peebles Stadium is responsible for providing the uniformed officers and for making sure the gates are secured. The contract between the Mobile County Public School System and Ladd says "security personnel as the stadium general manager decides in his sole discretion shall be paid by the board and reimbursed by the tenant."

Source…