Deke George

Deke George, a co-founder of NetSPI, is a business-oriented IT executive. He has significant entrepreneurial experience as both a member and founder of multiple startups. He began his career as a founder of the computer forensics program at Ontrack (now Kroll-Ontrack). In this capacity, he has worked on high-profile computer fraud and computer evidence cases in the United States and abroad. As an entrepreneur with a focus on creating client-oriented solutions, Deke has been involved in a variety of roles including consultant, sales, and leadership for a number of technology-based organizations. Deke holds a B.A. in Physics from Middlebury College in Vermont.
More by Deke George
From Governance to Implementation to Results (webinar, June 10, 2020)

What cyber security measures should today’s CISOs be taking that are actually helpful in stopping hackers? What strategic areas are worth focusing on and spending money on? And… what’s not working? What programs have CISOs implemented that aren’t returning a good value?

In this webinar, we’ll discuss the building blocks of great security programs from governance, automation, implementation models, and more. We won’t be talking about products and technology solutions you should buy. We’ll be offering practical advice about what you need to focus on to protect your systems.

Key Takeaways

  • Building blocks of a great security program
  • What’s working to identify and counter hacking
  • What are leading organizations doing within programmatic testing
  • How to build a strong team and governance within your team
  • Core areas that every security organization should be focusing on

Video recording: https://youtu.be/3ylVj7pmJsg

Reflections on Black Hat 2011 (blog post, August 10, 2011)

There were a number of very good presentations this year and the after-hours parties were great, but from a security industry standpoint, Black Hat 2011 seemed like it had less energy this year. Some of that might have been because it got so much airplay on commercial media and NPR before and during the event, but even with many, many more people, there just wasn't as much excitement as in the past. It's long been clear that the US Government is interested in the space and is spending massive amounts of money on information security and new security technology. It's also apparent that many organizations are waking up to the fact that they need to develop effective information security programs. Recent discussions with clients are generally about how much more budget they will have in 2012 than this year. These are good things and you'd think they'd lead to significant private investment and more innovation that might show up at Black Hat.

However, while Black Hat (and DEF CON for that matter) is supposed to be vendor neutral, you would expect organizations to emerge as industry leaders or at a minimum to show overall industry thought leadership. Other than the US Government and its speakers (in particular Mudge), there wasn't much commentary on the state of the industry and bigger picture issues. I realize that some of the lack of corporate thought leadership (and momentum) is intentional - Jeff Moss referenced getting back to vendor neutrality in one of the keynote intros and I do understand that Black Hat is more about security research and technology. Nevertheless, in past years, there was at least some industry excitement surrounding new concepts and industry related acquisitions such as IBM buying Ounce and AppScan, or HP buying WebInspect and Fortify. Even the spinoff (and eventual Dell acquisition) of SecureWorks created buzz at Black Hat in the past. There was really no "buzz" and no real unifying industry vision at this year's event - which ultimately is important as we mature as a vertical.

As has happened before with the security industry, roll-ups and investment seem to be bungled. Like the first major round of roll-ups (where Symantec, McAfee, and VeriSign were the acquirers), the latest generation of security roll-ups appear to be flailing. IBM has struggled to consume ISS and its other recently acquired security product lines. HP appears to be in a similar boat. RSA looked like it might be starting something, but, well, they won a Pwnie this year...

Don't get me wrong, I enjoyed many of the presentations - Moxie Marlinspike was great, Nelson Elhage's preso on breaking KVM was interesting, and I always enjoy the Securosis crew. Additionally, the overall focus on mobile security, iOS and Android was good.
And the open discussion about advanced persistent threat (APT) and what actually is going on with foreign governments (like China) was refreshing - Alex Stamos gave a good 10 minute overview of APT within his presentation comparing Windows and Apple security. However, you know the industry is having issues when one of the main industry related discussions is about Trustwave trying to go public (which we've been hearing for 18 months) and the biggest booth at the show is occupied by a Pwnie award winner, RSA (one of the reasons for increased budgets next year). I'm not sure that this will change soon, and, in fact, not having large major players benefits boutique firms like NetSPI; however, with all of the government money and the increased information security budgets, it's inevitable that we'll see more investment, new ideas, and new leaders emerge - maybe next year.

The value of multi-layer / comprehensive pen testing (blog post, July 20, 2011)

For the past five years it seems like almost everything in information security has focused on application security and, for the NetSPI consulting practices, our application security business (app pen testing, code review, etc.) has significantly increased. In that time, we have seen areas like network and systems vulnerability assessments change due to the commoditization of those services. Qualys, nCircle, and Rapid7 have all created a less expensive way to do a fairly simple scan of networks and systems that provides some level of comfort that networks and systems are secure. Today it's pretty common to hear people say "we've got the network covered; now we're really interested in pursuing our application security." In 2006 I remember Charlie Johnson, head of the consulting practice at Symantec, talking about apps being the only thing that mattered and that he was thinking of committing the Symantec consulting team to secure application development. He may have just been thinking out loud, but securing applications has become the focus of many IT security groups almost to the exclusion of focusing on risk to the organization.

Don't get me wrong, application security is a huge problem and it will remain a problem for many years. However, there are many other areas of risk (perhaps greater risk) that cannot be ignored. At the technical level, system security for off-the-shelf software is a persistent problem. Organizations still struggle to patch quickly and there are often systems with exceptions to the patching process that weaken an organization's domain and system security. While patching is still an issue, the biggest vulnerabilities are found within network and system configurations. In most (90-95%) of our pen tests we find weak configurations that lead to the complete compromise of an environment. In addition, in many organizations, database groups are siloed off and don't get the security attention that they need. Because of this, we find an excessive level of insecure configurations, embedded passwords, and inappropriate trust relationships that can lead to compromise.

With all of these technical vulnerabilities, it's amazing that an even wider security hole can be found within the physical operations, business process, and personnel at organizations. This is still usually the easiest way to break into an organization.
Often it's combined with technical exploits, but social engineering provides an almost failsafe way to get information and access within technology environments.

I don't think we should reduce our focus on application security - there's a lot to do there and it will take many years to secure this aspect of IT within organizations. However, I think it's incredibly important not to lose sight of what constitutes risk. If you really want to understand and reduce IT related risk, you've got to look comprehensively at risk within all aspects of your IT environment - process, physical, network, systems, database, and applications. Because while you may not be looking at these things, it's certain that at some point, someone looking for the easiest way in will be looking at exploiting these weaknesses.

Thoughts on NetSPI's 10-year anniversary (blog post, May 20, 2011)

We celebrated NetSPI’s 10 year anniversary last month. It’s amazing that it has been that long. The anniversary has led me to reflect on NetSPI’s history and on the security industry’s history (at least since I’ve been involved – so, from around 1995).

Being on the forensics team at Ontrack in the mid 1990's, we saw a significant number of criminal and security related incidents. It truly was the Wild West, with companies moving to Windows 95/NT3.51 before they had a clue about stabilizing them, let alone securing them. Many people didn’t understand that email lived beyond what you saw on your screen (let alone that files lived on forever on various hard drives). At that time, very few people in corporate America (including those in IT) had any idea about what was going on within their IT environments. In many organizations, the CFO ran IT and no one else at the C-level wanted anything to do with it. Security wasn’t even a joke for most companies - it was a non-issue, and at Ontrack we got to see that first hand.

That NetSPI started around 9/11 is an unfortunate but good reference point. It was ironic that an event that should’ve heightened corporate America’s focus actually led to decreased attention and reduced budgets for information security. In 2001 almost everyone that I met discussed what a great industry information security must be due to the focus created by 9/11. Nothing could have been further from the truth. Companies were cutting spending dramatically. This wasn’t necessarily the case in the Northeast (because of the proximity of 9/11), but it was around the rest of the country. IT security was an abstraction unrelated to corporate operations.

From 2001 through 2005 or so, there was lots of commiseration surrounding the lack of traction that information security was attaining. The “I’m beating my head against a wall” feeling was pretty strong for those in IT security, at least everywhere but in very large financial institutions. There was always hope that one day people would start to care. In fact, in many conversations there was an underlying sentiment that “the C-level isn’t giving me what I need and some day they’ll pay.” It felt like that someday was probably decades away, but everyone hoped that non-IT and executive management would start to get it.
It’s hard to believe, but I think that day – the upper management getting it day - has come. Just look at Sony. Because they’re a Japanese company there are some cultural issues that have played into holding the person at the top accountable. It is amazing that there has been discussion about his accountability and the future of his job. It didn’t start entirely with Sony; things have been changing for a while. Events like the RSA breach were a wake-up call and because Art Coviello, RSA's President, responded, I think we’re seeing a sea change in attitudes and accountability with regards to information security. While the responses and/or the programs are not entirely what many in our industry would consider adequate, we’re seeing C-level responses and there appears to be action behind their words. At least let’s hope.

Counseling the Corporate Board (blog post, March 2, 2011)

There was a great quote in a recent Ponemon study sponsored by Cenzic and Barracuda: "Most organizations have been hacked, yet 88 percent still spend more on coffee than on app security." Combined with the recent revelation that oil companies and components of our national infrastructure have been compromised (see McAfee's Global Energy Cyberattacks: "Night Dragon" for more information), this should be cause for significant alarm.

Aside from funny quips like the one above, there are massive tangible costs associated with the recent breaches. One of the most shocking losses is the cost associated with US fighter jet technology. It's estimated that China "saved" over $20 billion in the development of its latest stealth fighter. Although not publicly discussed, it's commonly acknowledged that China's advances were due in large part to lapses in US information security. What's scary is that the breaches we are hearing about are occurring at organizations that spend significantly more than average on information security. While each has its issues, the military spends massive amounts on information security and large oil companies tend to allocate significant budget dollars to security. In addition, the breaches at the oil companies were fairly simple: break in through externally available web applications and step through to confidential information and critical processes. Most of the attacks in the McAfee report were based on existing and commonly used tools. If highly profitable companies that spend significant amounts of money on information security are being breached, it shows how massive the problem is that we are facing and how difficult it will be for smaller, less profitable organizations to confront.

In the past, when I spoke to what might be considered an ordinary mid-sized business (one that didn't think it had significant security needs) like manufacturing or healthcare, the response was often "who would want to break into our environment?" Unbelievably, these comments can still be heard within the IT groups of Fortune 500 companies; however, with breaches at organizations like Minneapolis' Valspar (a Fortune 500 paint manufacturer which had its paint formulas stolen) corporate boards are beginning to understand the risk related to information security within IT and this is one of the keys to addressing the problem.
Corporate boards need to wake up to the massive problem, fund information security, and demand more information about their organization's posture on a regular basis. Since boards are usually not made up of IT or security experts, it's the responsibility of Information Risk, Security, Audit, and IT to provide them with tangible information about security and risk posture. While boards could ask for the coffee vs. security budget ratio, there are better ways to look at this and budget for this. However, making the point to a non-IT oriented board takes tangible events and understandable facts. As the recent reports and news articles show, the events are happening. It's up to boards, executive management, IT and information security to understand the facts and plan / fund appropriately.

Is PCI driving the development of information security within healthcare? (blog post, June 14, 2010)

I like to watch industries evolve in how they deal with information security. It was interesting to watch retail evolve as PCI got more organized. The PCI Council put together the DSS with dates and penalties for breaches and non-compliance, and that drove significant change. It appears that a similar major change within healthcare is starting to take place. We have begun to see a proactive shift that incorporates compliance with HIPAA, an understanding of risk, and the development of security programs.

As I've discussed in the past, the healthcare industry is significantly behind in dealing with IT-related risk. For an industry to change its approach to information security / risk, its culture needs to evolve. In my opinion, risk is the most effective driver of this change. If the risk is great enough, industries develop a mature understanding of risk management (of which security is a subset). The military and banking have tangible risks tied directly to their IT assets; therefore, they understand risk. The problem is that this mature understanding of risk doesn't exist in most other industries. Without risk driving a security program, industries must rely on other drivers - usually compliance (also a subset of risk).

What we're seeing within healthcare is that PCI is driving the maturation of risk. For example, one key issue that keeps coming up, especially in hospitals, is the belief that PHI is more important than PCI / credit card information. Yet it is PCI compliance that has forced organizations to think systematically about risk. How do you reconcile the budget for PCI compliance with the lack of budget for PHI-related security? In addition, PCI has forced multiple groups (including IT, security, audit, and finance) to work together to deal with compliance and, ultimately, information security issues. Many of these same groups are now being asked to deal with HITECH / ARRA / updated HIPAA. With the new interpretations of HIPAA, the new regulations, and with these new sets of eyes, these groups are beginning to understand that they are not compliant with HIPAA, that they have significant risk exposure, and that they need to develop programs to deal with this exposure. From what we are seeing with many of our healthcare clients, the combination of a more pervasive awareness of PCI and new healthcare-specific regulations is creating a more mature understanding of risk and driving a new focus on developing successful information security programs.
Let's hope this trend continues.

Secure360 (blog post, May 21, 2010)

We held the Secure360 conference in the Twin Cities last week. Presentation topics included PCI, cloud computing, and problems within the security industry. While it can get tiring discussing the industry's problems, I like trying to understand the difficult nature of information security and enjoy the challenge of trying to overcome the obstacles related to rationally dealing with risk.

On this topic, Rich Mogull had a very good presentation, "Putting the Fun in Dysfunctional," about the inherent problems with information security. I appreciate insights from someone with both an IT and a physical security background and I thought he did a nice job discussing why security is such a difficult area for a business to understand. I agree with the points he made that at the simplest level security and risk are abstract, long-term concepts that require a rational approach. Rich did a good (and entertaining) job of illustrating that, as humans, we are often not rational. Generally we deal in the short-term and prioritize with our basic needs. In the context of a corporate environment, understanding and dealing with risk is extremely difficult. I'd add to Rich's discussion that in most organizations building mature risk management is essentially like playing a game of telephone across functional departments, most of which find risk and security to be totally foreign concepts (except, of course, at financial institutions).

Rich's thesis created a nice framework for the other core topics at the conference. A number of presentations dealt with the dangers of cloud computing. Because we created the cloud without rationally dealing with risk and security, it's an afterthought; there are huge holes in cloud computing security and therefore significant risk. David Bryan had a great presentation on the subject. The other core topic, PCI, is generally thought of as a compliance issue. Anton Chuvakin put some context around PCI and how it fits as a basis for a security program. I've seen a number of organizations do this, and Anton did a nice job outlining the gaps related to using the standard as a basis. While no standard is ideal, it's a start and generally kick-starts a maturation of risk management within organizations that adopt the approach.

Overall, the Secure360 conference was very good and the speakers, both local and national, were great. Kudos to the organizers. I look forward to next year.
Risk, Security and Subjectivity Within PCI (blog post, April 2, 2010)

In late March Thales released an interesting report on the state of PCI – “PCI DSS Trends 2010: QSA Insights Report.” The report was written by the Ponemon Institute and it highlights the difficulty of taking into account risk, security and subjectivity within the PCI DSS compliance standard. If you haven’t read it, here’s a link: https://iss.thalesgroup.com/l/program/pcitrendsreport.aspx.

First, the insight that only 2% of organizations fail their PCI audits should raise some eyebrows. Taking it at face value (and there’s certainly room for discussion about that) it indicates that, in general, retailers and payment processing related organizations are taking PCI compliance seriously. However, when combined with another observation in the report, that about 40% of organizations are relying on compensating controls, it illustrates the subjectivity of the standard and of the “auditing” process. There are a number of other conclusions that can be drawn from this high pass rate, and hopefully, the Council will look into them.

Second, the report says that over 50% of the QSAs surveyed observe that information security is still not being taken seriously by the organizations they are auditing. Even though almost all of the organizations covered in the review are addressing PCI, most are not truly addressing security and, by extension, risk – which is a level of maturity that usually requires enlightened management or a breach. This finding further highlights how important it is for audits to be done by competent and honest auditors. Like the point above, this gets at the core of PCI - the standard and the associated subjectivity should evolve to ensure that security and risk be addressed, not just compliance.

Finally, the report states that QSAs feel that firewalls and encryption are the most effective technologies used to protect cardholder data. The number of organizations that think they are doing one thing (with technology) and are actually doing another is amazing. ASV scanning is a very important component of verifying technical compliance, but with self-attestation for many internal components it doesn’t cover nearly enough. With this in mind, the PCI Council should implement further verification to ensure that technology and controls are implemented properly. This would continue to drive the convergence of compliance and security. More reviews - especially third-party - would also help organizations better understand risk and develop mechanisms to mitigate it programmatically.

Overall, the report says as much about the state of the PCI standard as it does about the organizations it covers. Some of the more interesting insights are the implications surrounding PCI’s subjectivity and maturity. The positive takeaway from the report is that it appears organizations affected by the initial PCI focus (retailers and payment processing-related firms) are taking PCI compliance seriously. To achieve the common goal of reducing IT risk related to PCI data, hopefully the Council will be able to use this report (and other similar reports) to enhance the standard to cover more security and risk.
[Post title: Risk, Security and Subjectivity Within PCI]

Posted March 10, 2010

I was at the Healthcare Information and Management Systems Society (HIMSS) national conference last week in Atlanta. Overall, the conference wasn’t much different than in past years. From an information security perspective the presentations and conversations were limited, but there were a number of interesting things that I took away from the conference.

First and foremost, healthcare is still very far behind other industries in addressing security concerns at the application provider, hospital and insurer levels. It appears that the larger application providers have begun to address certain concerns; e.g., most healthcare software companies are beginning to address compliance. What’s interesting is that PCI DSS and PA-DSS are the main drivers forcing these organizations to at least review their products. This is obviously backwards, since any healthcare organization would claim that patient information is more important than credit card information, but it’s a testament to how important the stick of strong regulations and standards is when it comes to effecting change in a specific industry. Healthcare software companies still don’t view security or third-party review of their applications as important, but having seen the findings after many of these applications have gone through review, I think it is something they will realize they need to do.

Hospitals and insurers are similarly behind in developing strong information security programs; however, many organizations are doing the right thing. It appears that it is mainly larger organizations (revenues of $5B+) that have well-developed security programs that address risk and compliance programmatically. These organizations generally have the funding and executive support to develop programs that are essentially what you would find in a similarly sized and well-managed Fortune 500 firm. The smaller firms (revenues under $5B) are generally much farther behind similarly sized organizations in other industries. Many are just addressing PCI and are just starting to think about how they are going to truly address securing protected health information (PHI).

Based on these observations, there is a lot of work to be done to improve information security within healthcare. One would hope that the discussion surrounding this would take place at a conference like HIMSS. While security was not a main track at the conference, there were some discussions on security at HIMSS within the context of the American Recovery & Reinvestment Act (ARRA) and electronic medical records (EMR) security, including a daylong ARRA seminar on the Sunday before the formal conference opening. However, since ARRA isn’t focused on security, the coverage of information security within these presentations tended to be somewhat limited.

It was very interesting that the Health Information Trust Alliance (HITRUST) was not discussed much at the conference. Even though it is the most comprehensive and usable solution for healthcare security, there weren’t any sessions on the topic, and even conversations surrounding it were heavily overshadowed by discussions about ARRA. Since it is one of the most valuable new initiatives for enhancing healthcare information security, hopefully this will change next year as the industry begins to understand how the HITRUST security framework can be of value.

With all the focus and money targeting healthcare IT, the next year will be very interesting, and addressing security should be a high priority. Ideally, with the massive amounts of new funding available, more organizations will adopt a risk-based approach to their businesses, backed up by a strong information security program. As illustrated by the success of PCI (even within healthcare), it will probably take a combination of drivers to achieve this, including a strong dose of regulation to force changes within the healthcare industry. Hopefully, the outcome will incorporate standards such as HITRUST to ensure consistency, maturity, and higher levels of security within the healthcare industry.

[Post title: Observations from HIMSS]

Posted November 3, 2009

I attended the 2009 PCI Community meeting in Europe last week. Since this was a feedback year, there wasn’t a significant amount of new content; however, there were some interesting points regarding PCI adoption in Europe.

It’s been discussed quite frequently that the Europeans are behind North America in implementing PCI, especially at the merchant level. In my experience and based on the discussions at the conference, I’d say this is true. The consensus at this year’s conference was that this situation is beginning to change.

The traditional arguments against adopting the PCI DSS, such as those surrounding increased security due to Chip and PIN, elicited a fair amount of eye rolling even from other Europeans in the audience. One of the other core reasons for slower adoption is that country-by-country legislation already covers much of what PCI does (France and Germany were the two most cited examples). Interestingly, U.S. state-based legislation was cited as a similar and perhaps more stringent (and therefore more effective) means of securing credit card data. In fact, one of the attendees cited my home state’s legislation, the Minnesota Plastic Card Security Act, which, in my opinion, has had very little impact on organizations that do business in the state.

I think that there are three key items that will drive PCI’s adoption in Europe. First, the Europeans will need to understand that, while very effective for face-to-face transactions, Chip and PIN does not protect card-not-present (CNP) transactions. As more business is done online, organizations are going to need to deal with the issues that PCI addresses and that Chip and PIN does not. Second, and perhaps most important, acquiring banks will need to enforce the PCI standard. This was a key topic of discussion at the conference and one that appears to still be open. Finally, and highly related, the card brands in Europe are going to need to support the PCI standard. The commentary that I heard at this meeting was that this appears to be happening. If that is the case, it should only be a matter of time before the acquiring banks, and therefore merchants, take PCI as seriously in Europe as they do in North America.

[Post title: PCI in Europe Today]

Posted October 22, 2009

Since the role of the Chief Information Security Officer (CISO) and how he or she reports has a major impact on security and risk, I think it’s interesting to look at how different organizations have structured the position. With that said, there is very little consistency other than a correlation with the industry vertical’s understanding of IT risk.

Within financial services organizations, the CISO (occasionally the top position is given to a Chief Security Officer (CSO) who owns both physical and IT security) often reports to the Chief Information Officer (CIO). However, at many large financial services organizations, the CISO or CSO reports outside of IT, often to the Chief Risk Officer or another C-level executive.

The CISO position within healthcare has been treated quite differently. Because of HIPAA, many organizations didn’t want to promote the security manager to the CISO position, so they gave their CIO the CISO title as well. There is often a Director or Manager of Information Security a few rungs down reporting to a lower-level manager.

Information security within retail is also quite different. With the focus on PCI, the CISO or director of information security is often tied to the PCI or compliance group. Within large retailers that have loss prevention or risk departments, the CISO sometimes reports through them.

Because of their historic focus on physical security, energy companies often have a CSO or CISO that owns both the organization’s IT and physical security. In some cases I’ve seen this position report to facilities, but usually it reports into operations, and occasionally it reports to the CIO.

The military often leads industry in its adoption of information security practices. One interesting change is that security teams have taken significant ownership of IT leadership. In the case of US Cyber Command, a separate group is being set up outside of IT reporting directly to the highest levels of government. I’m not sure how this change will find its way to the private sector, but it is a very interesting precedent that will likely have an impact on information security and the CISO.

In general, the more risk-sensitive the industry, the higher up CISOs will report, until they report entirely outside of IT. In many cases, regardless of where they fit in the reporting structure, the CISO will report regularly to the board about the state of initiatives, compliance, audits or assessments. With this type of visibility, I think it’s clear that the CISO will continue to rise in prominence, and the information security reporting structure will continue to evolve. However, it may take a compliance-related mandate within the lagging industry verticals for this to happen quickly.

[Post title: Where the CISO Reports]

Posted October 1, 2009

The news about the sale of the VeriSign consulting team to AT&T suggests that there will be many similar transactions in the near term within the information security market. The investment being made in this market is great, but based on previous experience, a positive outcome is less than certain. From my point of view there have been three stages of roll-up/investment in the market, and each has had limited success.

The first stage included some winners, like the VeriSign IPO, and some less successful acquisitions, like The Wheel Group with NetRanger and NetSonar. The acquisitions continued through the end of the Internet boom, with Symantec leading the charge with acquisitions ranging from Raptor/Axent to Riptech. Overall, the outcome was marginal. Many of the purchases were product-oriented, and most of the products are now gone. However, the managed services organizations like Riptech and the independent spin-off of Secure Computing’s consulting team (Guardent) lived on to do fairly well.

The second stage started with the acquisition of Guardent and was followed by similar transactions with Foundstone and @Stake. The NetSPI team had looked at these firms as the industry leaders to be emulated; however, the rumor was that these sales were driven by the investment bankers’ fears of a market downturn (which turned out to be correct). There were other purchases around this time that also fit into a similar category, like BT’s purchase of Counterpane.

With improved market conditions, the IBM purchase of ISS and the MCI purchase of NetSec, followed by its combination with Cybertrust, fall into a third stage. The outcome of these appears to have been OK, but, as with all mergers, there appears to have been some misalignment. As we’re now seeing, Guardent and the related MSS group are being spun off from VeriSign. This stage now includes the roll-up of security assessment product companies like Sanctum, SPI Dynamics, and Ounce by major technology integrators. Other real and rumored roll-ups include mid-sized VARs like Fishnet and Accuvant purchasing similar companies.

With the VeriSign consulting announcement, we are seeing the continued consolidation of the market. There will likely be more acquisitions, and it will affect the security market and its consumers in good and bad ways. On the positive side, the industry does not yet have a focused leader with a consolidated offering. Symantec and McAfee tried to play this role, but they appear to have given up on it. IBM may have the offering, but since they offer so much else, I wouldn’t call them the security industry leader.

The current trend of carriers and major technology players getting into the space means larger and more consolidated security offerings. The lack of focus may limit the ability of these large firms to continue to offer boutique-oriented services. Additionally, roll-ups that combine security with other offerings introduce a lack of independence. This is a huge issue that doesn’t get discussed much, but it's one that no firm has truly overcome. It will be interesting to see how the remainder of the product companies fit into this stage. nCircle and Fortify are organizations to watch in this regard. It will also be interesting to see how successful the carriers like AT&T and the major tech players like IBM and HP are at integrating security consulting into their organizations.

[Post title: Mergers & Acquisitions in the Information Security Field]

Posted September 28, 2009

I attended the PCI-SSC community meeting this past week (September 22-24). There were three key issues discussed that showed that the PCI program is maturing and that a number of standards and regulations are converging (both in and outside the PCI world).

The first issue signaled that the council's view of IT risk is maturing. Bob Russo made it very clear in a couple of his presentations that organizations need to focus on security as opposed to just compliance, although there wasn't a lot of detail offered on how to do this. The presentations mainly focused on ensuring that complying with the PCI standard is a year-round activity/program and not something just done for the audit. I’d argue that moving from compliance to security is a philosophical shift that occurs when organizations mature in how they deal with IT and business risk. Generally, the financial services organizations within the PCI community get this. It’s interesting to note that the driver for the council’s new views appears to be the very public breaches that have occurred within PCI-covered organizations over the past 18 months. So, the council has felt the impact. The key question is how the council will help the greater PCI community understand and mature their approach to IT and business risk.

The second, closely related topic was the focus on moving to more of a risk-based approach to implementing the PCI DSS. The council was only lukewarm to this idea, and I agree with their hesitation. Managing a risk-based approach may be something that is incorporated over time, but it adds too much subjectivity to the current PCI program. I think that until more organizations fully and truly implement PCI, such an approach will only muddy the waters. That said, incorporating risk as a consideration is important to an organization’s compliance efforts. As I mentioned above, I think the most pertinent issue is to get PCI-covered organizations to understand IT risk and how it translates into risk to their business. While assessors and many of the banks understand this, some merchants are still a ways off in getting to this level of maturity.

The final and much broader issue related to general standards. The council has always relied on NIST as a guideline, but this year there was much more discussion surrounding NIST, FISMA, and future regulations that will impact PCI. In the keynote, former Congressman Tom Davis discussed the process of passing FISMA. His prediction was that any new information security legislation was not going to happen in the near term. Nonetheless, there appears to be a converging consensus on the value of the existing FISMA and NIST standards. The nuclear power industry, NERC, and a number of the ISACs are strongly considering moves and potentially longer-term mandates that use these federal standards as their direct basis. Ultimately, I think it is very likely that many organizations will use significant portions of these federal standards as their basis. This could be both good and bad and is much easier said than done, but simplification and consistency should help all industries and information security in general.

Overall, the conference was a good barometer on the maturity of the PCI community and I think that, although there have been issues, the program is moving in the right direction.

[Post title: Maturity and Convergence at the PCI-SSC Community Meeting]

Posted September 17, 2009

I attended the Nuclear Information Technology Strategic Leadership (NITSL) conference last week, which featured some very interesting discussions on cyber security. One of the keynote speakers described the state of the industry's physical security, which, when compared with information security, is in very good shape. She discussed the quite substantial investment that her organization had made over the past eight years.

In general, since 9/11 the nuclear power industry has spent billions on physical security upgrades and programs at US plants. This spending is in addition to the significant budgets for physical security allocated since the industry’s inception. Physical security has always been well addressed systematically within plants. This means significant security input from design (Design Basis Threat analysis) through post-implementation testing (Force on Force Drills). Annual spending per plant on physical security is estimated at $10M to $15M.

The impact of a physical security event has the potential to be catastrophic. At the upper end of impact, these events range up to compromise of the core reactor itself. While the impact of an event of this nature would be catastrophic, this risk scenario was planned for in initial plant design and with subsequent physical security programs. So, while the potential impact may be great and the threat high, because of significant risk mitigation through design and ongoing physical security programs, the overall risk is low.

While the impact of a cyber security incident may not be quite as dramatic, it still has the potential to be very damaging. As plant IT environments become more networked and control systems are integrated within IT, the potential for a catastrophic event based on a cyber security incident greatly increases.  The threat level is orders of magnitude higher at a nuclear power plant; they are attacked on an ongoing basis.

At the conference last week, the discussion revolved around what the final cyber security standard will be for the industry. There have been steps to develop a common risk and compliance framework through the NRC and NEI, but there has not been agreement on how to secure the US nuclear power industry. This needs to be addressed immediately (and one hopes it will be), but more importantly, power companies and plants need to begin to allocate appropriate budget to implement and maintain their cyber security programs. The investment will be substantial, and the organizations will need to plan accordingly. One way to look at the budgeting for cyber security is that, while it may not be quite as costly as physical security, it will be on that order of magnitude.

[Post title: Cyber Security and Nuclear Energy]

Posted August 11, 2009

Because of increasing threats, high-profile data breaches, and increased awareness of the damage they cause, we anticipate a substantial tightening of regulations and contractual requirements that will significantly impact information security in healthcare.

Today, HIPAA, CCHIT, and state breach notification laws are the main standards that govern security within healthcare systems that deal with protected health information (PHI). But these are generally high-level requirements with low levels of enforcement. The American Recovery and Reinvestment Act (ARRA) of 2009 contains legislation mandating broader and deeper security for healthcare, and the consensus view is that more legislated regulations will follow.

The Health Information Trust Alliance (HITRUST) is an industry group that has developed a set of standards, the Common Security Framework (CSF). This set of standards generally follows industry best practices and is very comprehensive. Important members of this group (Humana, United Health Group, Blue Cross Blue Shield, and Columbia HCA, to name a few) are pushing to mandate these standards across the industry. It is possible that many of these standards will be adopted by the group members through a contractual stipulation that the software they purchase meet the HITRUST CSF standards.

In addition to HIPAA and the CSF, Payment Card Industry (PCI) standards also affect healthcare payers and providers when credit card information is involved in any way (processing, storing, or transmitting). For healthcare payers and providers, the PCI Data Security Standard (PCI DSS) applies. For healthcare software providers whose applications touch credit card data, the PCI Payment Application Data Security Standard (PA-DSS) applies.

It is likely that the Obama administration will implement much stricter security standards in healthcare, in conjunction with its emphasis on greater use of electronic health records (EHR). It is also likely that these standards will follow industry best practices and be based on the most successful existing standards, such as PCI and HITRUST. Based on this likely increase in regulations and the increasing number of threats, healthcare organizations should develop a risk-based security strategy that includes industry best practices, using HIPAA, CCHIT, PCI and HITRUST as a guide.

[Post title: Healthcare Organizations and Tighter Security Requirements]

Posted July 14, 2009

As a company, we’ve tried to understand which organizations are most likely to mature their information security programs. It seems that the answer should be obvious: organizations with valuable assets or the need to keep data highly available should be very concerned about information security. This could translate into organizations that have a lot to lose, ones that have high profit margins, or those involved with the nation’s critical infrastructure. Interestingly, this is generally not the case. In fact, the primary drivers for maturing information security within an organization are regulations or contractual standards with strong penalties for non-compliance.

Why is this? One problem is that risk is very subjective. In a downturn, the risk equation can change dramatically. If you are fighting for the survival of a firm, it’s easy to justify not investing in information security. Compliance, however, is not as subjective. While there is room for some interpretation, compliance regulations and standards are stable, detailed, and consistent. This means that compliance is easier to justify, easier to plan for, and easier to assess. But while meeting compliance standards can be a very good thing, it does create a problem: risk is often left out of the equation.
For example, payment card industry (PCI) data often gets more attention at hospital systems than does protected health information (PHI). Based on risk, the patient-related data and services should be classified as at least as important as the credit card information. It usually is not, however. Without a risk-based approach or a strong compliance standard like PCI, PHI won’t get the attention it deserves. (The PHI standards are being tightened somewhat by provisions of the American Recovery and Reinvestment Act, or ARRA, passed this year by Congress.)

Compliance can help speed the maturation process, and it is valuable in other ways, but it lacks the depth and breadth of a risk-based approach. Additionally, creating regulations and standards for all things that should be secured just isn’t possible. In an ideal world, organizations will take a more holistic, risk-based approach that includes compliance, but this may have to wait until the economy turns around.

[Post title: Compliance vs. Risk]

Webinar posted June 10, 2020

What cyber security measures should today’s CISOs be taking that are actually helpful in stopping hackers? What strategic areas are worth focusing on and spending money on? And… what’s not working? What programs have CISOs implemented that aren’t returning a good value?

In this webinar, we’ll discuss the building blocks of great security programs from governance, automation, implementation models, and more. We won’t be talking about products and technology solutions you should buy. We’ll be offering practical advice about what you need to focus on to protect your systems.

Key Takeaways

  • Building blocks of a great security program
  • What’s working to identify and counter hacking
  • What are leading organizations doing within programmatic testing
  • How to build a strong team and governance within your team
  • Core areas that every security organization should be focusing on

Webinar recording: https://youtu.be/3ylVj7pmJsg
