23 NYCRR 500 – The deadline has passed, but there’s still time.

The New York Department of Financial Services announced a new cybersecurity regulation (23 NYCRR 500) on March 1st, 2017, in response to the increasing frequency and sophistication of cyber attacks over recent years. In fairness, most of the requirements are "standard issue" in compliance frameworks, but applicable New York businesses that fail to adhere to them will face fines. Even with continual extensions, the deadline for compliance was set as February 15, 2018. As with other initiatives, such as DFARS and PTC, we are seeing entities struggle to meet the requirements. If you are an IT Professional or a business in the financial industry, whether based in New York or in a company that operates within the State, a whole new level of responsibility has been placed on your shoulders. For most Security Professionals, this will be "business as usual," as the majority of the requirements are clearly defined in NIST 800 documents. In short,…

Wanted: Women to Work in Male-Dominated Fields

"Never send a boy to do a woman's job." -Kate Libby, Hackers (1995) I like this line from the movie because, at the time, she is doing something that was considered a "boy's job." Most women didn't think about going into the Information Technology or Information Security industry in 1995. It was mostly thought to be the role of an anti-social guy who wanted to stay in the basement of the office building, emerging only when a catastrophic failure had occurred. You didn't hear about women taking on the job. We were the ones sitting behind the computers typing away, calling the IT guy when something didn't work properly. We were using the very equipment that they were there to repair, but we didn't know what made it work or, for that matter, fail. That was a man's job. Why?…

AutoSploit and Collateral Damage

Last week, a toolkit was released that, based solely on results from Shodan, would automatically engage vulnerable devices around the world with exploit code. A short time ago, right after the release of MIRAI, a fellow team member had developed some code that would scour the Internet, find devices using default credentials, and automatically reset them. We had a long discussion about the legality of using such code. His modification of the MIRAI botnet would scan the Internet for devices using default credentials and either reset those credentials or shut down the device altogether. Essentially, it's the loose equivalent of walking around a neighborhood and breaking into homes for the sole purpose of locking the windows. In that context, it's absolutely illegal. In theory, the intentions were in the right place. So, should a tool like AutoSploit be illegal? I'm not entirely certain. What I am certain of is this…

2018: How to make it better. Seriously.

Continuing a topic that we've discussed ad nauseam: dealing with attacks and threats in 2018 will be largely a continuation of 2017. We can expect the need to address both the continual advancement and innovation in the ways attackers compromise devices and exfiltrate data, and the need to cover the "basics" of network security. With systemic and ongoing resource and skills deficiencies, this issue isn't likely to be resolved in the near term. In order to get ahead of the curve, we have to approach these problems with a more deliberate course of action. In short, it's now a requirement to understand that we can't secure "all the things." We have to focus on what truly matters, develop actionable and automated processes for getting to that data, and let that which truly doesn't matter... slide. With the focus adjusted to what is actually attainable, the following skills and…