“Most software failures and data breaches aren’t inevitable; they are the result of neglect and underinvestment in product reliability and security.” This quote is from a New York Times op-ed piece about Equifax’s “maddening response” to the theft of personally identifiable information (PII) it stores on as many as 143 million Americans as well as British and Canadian consumers.
Faced with a hostile press, consumer backlash, a plummeting stock price, possible fines, and congressional scrutiny, Equifax’s CEO said, “We are conducting a thorough review of our overall security operations.” The company’s CIO and CSO retired shortly thereafter.
How would your security program fare under your CEO’s spotlight? In this age of Big Data, is a breach impossible to avoid? The following authors and speakers offer guidance on how security leaders can correct the neglect and underinvestment in products and policies that protect the PII collected and stored by myriad public and private enterprises.
» Additional related resources include our Internet of Things spotlight «
Free Cybersecurity Resources
(All resources are free - login/creation of free account required)
ASIS Councils Resources
Mirai Attack – Incident Summary and Recommendations
ASIS Information Technology Security Council
This paper reviews the details of the October 2016 Mirai attack that overwhelmed Domain Name System (DNS) servers. This distributed denial of service (DDoS) attack was launched from a botnet composed almost entirely of compromised IoT devices, including IP security cameras and DVRs. The paper offers ten recommendations for avoiding a repeat of this type of attack, as well as links to definitions and articles.
ITSC Top 6 Control Systems Security Recommendations
ASIS Information Technology Security Council
These recommendations advocate using vendor best practices on system deployment, treating data within physical security infrastructure as sensitive enterprise data, and instituting system documentation, planned maintenance, and oversight of vendor supply chains.
ASIS International Seminar Sessions
Data Breaches and Digitization – ASIS 2016
CSO Center for Leadership and Development
- Axel Petri, Senior Vice President Group Security Governance, Deutsche Telekom AG
The speaker believes security professionals should counter cyber threats through education, funding, standardization, and encryption. He advocates public/private cooperation to develop cyber SWAT teams that can act immediately when an attack affects a government or company. Ultimately, he feels hopeful about the future of the Internet because the stakeholders have a common goal: “maintaining the Internet as the indispensable and trusted backbone of our digital future.”
After the Data Breach – ASIS 2016
- Richard Wright, CPP, Director of Global Security Operations, VDI, Inc.
- Bruce Blythe, Chairman, R3 Continuum
- Hart Brown, Vice President, Organizational Resilience, HUB International
- Rachelle Loyear, Director of Business Continuity Management, Charter Communications
After examining the business and personal costs of a data breach, the speakers conclude that non-traditional responses must be a part of the solution, focusing on human factors, communications, and a coordinated crisis response team that identifies responsibilities and final authorities. The goal is to prevent day-to-day incidents from becoming a full-blown crisis. Awareness is key: an informed user behaves responsibly and takes fewer risks.
Cyber Risks to IoT and Building Controls – ASIS 2016
- Coleman Wolf, CPP, Security Lead, ESD Global, Inc.
- Rodney Thayer, Convergence Engineer, Smithee, Spelvin, Agnew & Plinge, Inc.
The speakers demonstrate how attackers can harvest Social Security numbers and email addresses from HTTPS pages and browser cookies. Lessons learned include the need for encryption and for managing personal credentials with strong passwords.
» View the associated handout for this seminar presentation
Security Management Articles
“Data Breach Trends” – August 2017
In May 2017, the United Kingdom’s National Health Service confirmed that it had been hit by a massive ransomware attack that was spreading around the globe. Subsequent actions, including the registration of the malware’s kill-switch domain, effectively halted WannaCry, ransomware that infected more than 200,000 computers worldwide and demanded that users pay about $300 in Bitcoin to decrypt their data. The changing tactics explored in the article will likely make future versions of ransomware even more powerful.
“The Cyber Incident Survival Guide” – July 2017
To help security leaders plan for the worst and know what to expect in the aftermath, the article includes thoughts from experts about their best practices for cyber incident response.
“Insuring Data Loss” – May 2017
The cyber insurance market is expected to at least double in value by 2020, yet only 25 percent of U.S. companies hold a policy today. The article explores how the industry, and its prospective customers, will evolve.
The Cybersecurity Challenge – June 2017
- Christian Morin, Vice President of Cloud Services and CSO, Genetec
Modern surveillance technology delivers unprecedented amounts of data to public safety agencies and enterprises. With this data, enterprises face a variety of opportunities, benefits, and challenges when considering how to approach corporate security. The speaker discusses the “security of your security” and ways security professionals can contribute to the overall cyber health of the organization.
ASIS Supports the Promoting Good Cyber Hygiene Act – 14 July 2017
This bill instructs the National Institute of Standards and Technology to establish and make accessible online a baseline set of voluntary best practices for good “cyber hygiene” that can be used by private sector organizations and individuals.
DHS Update on Cybersecurity Executive Order – 11 July 2017
The order initiates four actions to improve the U.S. cyber posture and capabilities in the face of intensifying cybersecurity threats to the nation’s digital and physical security.
ASIS Sends Letter of Support for MAIN STREET Cybersecurity Act – 5 April 2017
The legislation builds on years of cooperative efforts by industry and government to produce risk management tools that support the cybersecurity needs of small and midsized businesses.
Commission on Enhancing National Cybersecurity Report– 9 December 2016
The President’s commission was charged with assessing the current state of cybersecurity in the U.S. Their final report describes actionable recommendations for securing and growing the digital economy by strengthening cybersecurity.
National Cybersecurity Awareness Month (NCSAM)
This initiative is observed every October under the leadership of the U.S. Department of Homeland Security and the National Cyber Security Alliance. Now in its 14th year, NCSAM focuses on a different cybersecurity issue for each week: STOP. THINK. CONNECT. Simple Steps to Online Safety; Cybersecurity in the Workplace is Everyone’s Business; Today’s Predictions for Tomorrow’s Internet; The Internet Wants You: Consider a Career in Cybersecurity; and Protecting Critical Infrastructure From Cyber Threats.
“New NIST Guide Helps Small Businesses Improve Cybersecurity”
This guide, from the National Institute of Standards and Technology, is written for small-business owners not experienced in cybersecurity and includes steps they can take to better protect their information systems.
European Cybersecurity Month
ECSM is the EU’s annual awareness campaign, which takes place each October across Europe. Its aim is to raise awareness of cyber security threats, promote cyber security among citizens and organizations, and provide resources that help them protect themselves online through education and the sharing of good practices.
Cybersecurity Awareness Month
Americans, along with people around the world, depend on the Internet and digital tools for all aspects of our lives—from mobile devices to online commerce and social networking. This fundamental reliance is why our digital infrastructure is a strategic national asset, and why its security is our shared responsibility. This month, we recognize the role we all play in ensuring our information and communications infrastructure is interoperable, secure, reliable, and open to all.
ISSA, an ASIS partner, contributes five articles from the ISSA Journal
"Addressing Malware with Cybersecurity Awareness," October 2017
Author: Carlos Valiente, Jr.
People are your biggest asset and weakest link. Investing in cybersecurity awareness training is the most cost-effective and efficient method to deter malware in organizations today.
“The Future of Cybersecurity Needs Eyes and AIs on the Inside,” August 2017
Author: Jason Kichen
Inside the network, IT and security data collection is often plentiful but underutilized. This data can be used to establish “network normal” behavior and serve as the foundation for the application of artificial intelligence to uncover the behavior of an adversary. Once inside the network, the adversary is the weakest and most vulnerable.
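The “network normal” idea described above can be made concrete with a small baselining routine: profile each host’s usual peers and daily outbound volume from historical flow records, then flag anything a new day does that the baseline never saw. This is an added example, not code from the article or from ISSA. The flow records are constructed, and the record layout (day, host, destination, destination port, bytes out) and the z-score threshold are assumptions chosen for illustration.

```python
"""Baseline per-host 'network normal' from flow records and flag deviations.

Added example; not code from the ISSA article. All data below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline (assumed layout): one aggregate record per day, host,
# destination and port: (day, host, dst, dst_port, bytes_out).
BASELINE = [
    # ws-17: web proxy and IMAPS every day, modest and stable volume
    (1, "ws-17", "10.0.0.5", 443, 120_000), (1, "ws-17", "10.0.0.9", 993, 30_000),
    (2, "ws-17", "10.0.0.5", 443, 110_000), (2, "ws-17", "10.0.0.9", 993, 28_000),
    (3, "ws-17", "10.0.0.5", 443, 115_000), (3, "ws-17", "10.0.0.9", 993, 30_000),
    (4, "ws-17", "10.0.0.5", 443, 122_000), (4, "ws-17", "10.0.0.9", 993, 30_000),
    (5, "ws-17", "10.0.0.5", 443, 112_000), (5, "ws-17", "10.0.0.9", 993, 28_000),
    # db-01: replicates to one peer with a perfectly flat volume
    (1, "db-01", "10.0.0.20", 5432, 500_000),
    (2, "db-01", "10.0.0.20", 5432, 500_000),
    (3, "db-01", "10.0.0.20", 5432, 500_000),
    (4, "db-01", "10.0.0.20", 5432, 500_000),
    (5, "db-01", "10.0.0.20", 5432, 500_000),
]

# Constructed "today": ws-17 talks to a never-seen external peer and moves
# far more data than usual; db-01 is normal; ws-99 has no baseline at all.
NEW_DAY = [
    (6, "ws-17", "10.0.0.5", 443, 120_000),
    (6, "ws-17", "10.0.0.9", 993, 30_000),
    (6, "ws-17", "203.0.113.7", 4444, 2_000_000),
    (6, "db-01", "10.0.0.20", 5432, 520_000),
    (6, "ws-99", "10.0.0.5", 443, 5_000),
]


def build_baseline(records):
    """Per host: the set of (dst, port) peers seen and total bytes out per day."""
    profile = defaultdict(lambda: {"peers": set(), "daily_bytes": defaultdict(int)})
    for day, host, dst, port, nbytes in records:
        profile[host]["peers"].add((dst, port))
        profile[host]["daily_bytes"][day] += nbytes
    return profile


def score_day(profile, records, z_threshold=3.0):
    """Compare one day's records against the baseline and return findings.

    Findings are dicts: {"host", "kind", "detail"} where kind is one of
    "unknown-host", "new-peer" or "volume-spike" (detail is the z-score).
    """
    findings = []
    today_bytes = defaultdict(int)
    for day, host, dst, port, nbytes in records:
        today_bytes[host] += nbytes
        known = profile.get(host)
        if known is None:
            findings.append({"host": host, "kind": "unknown-host", "detail": f"{dst}:{port}"})
            continue
        if (dst, port) not in known["peers"]:
            findings.append({"host": host, "kind": "new-peer", "detail": f"{dst}:{port}"})

    for host, total in today_bytes.items():
        known = profile.get(host)
        if known is None:
            continue  # already reported as unknown-host; no history to compare
        history = list(known["daily_bytes"].values())
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            # A perfectly flat history would make any change infinite; floor the
            # spread at 10% of the mean (at least 1 byte) to avoid false alarms.
            sigma = max(mu * 0.1, 1.0)
        z = (total - mu) / sigma
        if z > z_threshold:
            findings.append({"host": host, "kind": "volume-spike", "detail": round(z, 1)})
    return findings


if __name__ == "__main__":
    for f in score_day(build_baseline(BASELINE), NEW_DAY):
        print(f"{f['host']:6} {f['kind']:13} {f['detail']}")
```

Run as written, it reports the new peer 203.0.113.7:4444 and a large volume spike for ws-17, an unknown host for ws-99, and nothing for db-01. Two caveats a practitioner should keep in mind: a baseline of five days is far too short for production use (weeks of history, with weekday and weekend profiles kept separate, is a more realistic starting point), and an adversary whose traffic stays within the learned profile is invisible to this check, which is why the article pairs such baselines with richer telemetry and analytics rather than relying on volume and peer sets alone.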
“The Why’s and Wherefores of Innovation in the World of Cybersecurity,” April 2017
Author: Avani Desai
Fifteen years ago, the security market was much smaller with an eclectic mix of commercial and open source tools. Now, there is a tidal wave of security vendors offering a staggering number of options. The author looks at the driving forces behind the vanguard in security and the new technologies that make up second-generation security solutions.
"When Baby Monitors Become Weapons," March 2017
Author: Emily Duke
This article explores the legal framework in which IoT device manufacturers operate, relevant regulatory enforcement actions against companies for unreasonable security and privacy practices, and resulting changes that the IoT device developers should consider integrating into their development practices to avoid legal hot water.
“Machine Learning: A Primer for Security,” January 2017
Author: Stephan Jou
The author examines how machine learning can be leveraged to address the practical challenges of delivering lower-cost security by resolving more threats faster with fewer resources. He focuses on machine learning security techniques that work at typical data volumes, from those operating on “small data” to those implemented on data lakes.
Security Management Column
The monthly benefit of ASIS membership, Security Management, includes a column on Cybersecurity in each issue. To review an archive of all articles in this category, log onto sm.asisonline.org and click on the Cybersecurity tab. Articles are separated into five categories: Cloud Security, Cybercrime, Defenses, Mobile Security, and Social Engineering. The following articles are a sample of what’s online.
- “Cyber Trends,” September 2016
- The article highlights major issues that will affect the cyber threat landscape in the near future.
- “How to Protect PII,” February 2016
- Four ways companies can avoid large fines, legal action, and a damaged reputation when the PII they hold is breached.
- “Smart and Secure,” January 2016
- Securing Smart Cities (SSC), a not-for-profit global initiative.
- “The Top Five Hacks From Mr. Robot—and How You Can Prevent Them,” October 2016
- The TV show highlights ways to combat five types of hacking attacks.
ASIS Information Resources Center (IRC) Security Databases & Library Catalog
An IRC PDF provides access to reports, essays, news, and opinions from thought leaders involved in creating policies and practices on cybercrime topics. To access these resources, sign in to the ASIS website (www.asisonline.org) and type Information Resources Center Cybercrime and Cybersecurity Information Sources into the search box.
Additional resources can be obtained by navigating the library’s Security Database & Library Catalog. For more help and search suggestions, email questions to the librarian.