Friday, April 24, 2020

Don't lose your work while you're overworking...


I was doing my daily work, and listening to The Chainsmokers on my Pandora playlist. An excerpt from a Podcast came on. Slightly annoyed that I pay for Pandora Premium and I’m still hearing commercials, I decided to stop and listen. The singer said he was flying home from Vegas and had 3 weeks’ worth of work on his laptop. He looked down and saw the infamous “?” question mark on his folder. Disparaged, he opened it up and as he suspected – his work was gone. The excerpt then cut off, so I will never know which song it was, but lol.

This struck me as a prompt to discuss the relevance of Backups. Availability is one of the 3 points on the CIA triad in Cybersecurity. Network Availability relies heavily on utilizing and possessing backup hardware devices, and Backing up important software. Why is it important? What are you going to do in the event of an unexpected disaster? A hurricane? A fire? A global pandemic? Literally? Like I mentioned in my latest article – you need to be prepared, and MOST importantly, you need to know how to be prepared. In my own experience I’ve suggested backups to clients and corporations, mostly with pushback. Why? Because they didn’t want to spend the money.

And when COVID-19 happened, boatloads of professionals unexpectedly lost their jobs. Why? Because they weren’t prepared. They didn’t allow remote access. What’s a VPN? Was that wise? Looking back, did you not allow remote access because you’re stuck in your ways and can’t adapt to change? I can guarantee if you are one of those people you are sitting at home on your couch right now blaming everything on millennials, lol. I’ll delve more into Remote Work and the future of the workforce later on. For now, I would like for you to take a step back and really think about whether or not backups are necessary for you or your business. Don’t forget – like I mentioned at the beginning – The Chainsmokers lost 3 weeks’ worth of work and 2 songs because of the infamous “?” question mark folder.

Conclusion? If a hard drive has a failure, an unexpected disaster happens, or any other type of software or hardware corruption occurs, YOU need to be able to restore that information. Don’t lose 3 weeks’ worth of work. Want to know how to back up your system? Hit me up!

Tuesday, April 21, 2020

Are you Process Oriented or Action Oriented? BCP, Incident Response, and DR

Incident Management is one of the most important aspects of protecting your system. In fact, Incident Management will help your business when it comes to Incident Response by ensuring that your business responds appropriately. In my own opinion, and as a Resident of New York State, I am seeing in real time how a lack of Incident Management support is creating a trickle-down effect and our own government is simply being reactive, not proactive. Our requirements and laws change daily, one minute something is open, the next it is closed, most humans didn’t abide by the stay-at-home order to begin with, and trying to manage humans is arguably one of the most dire tasks in any field. But we can talk about theories, laws, physics, and human psyches later.

What is Business Continuity Planning (BCP)? In order to minimize the impact of any risks to organizational processes, BCP generates Plans, Policies, and Procedures for your Company to utilize in the event of an unexpected disaster. Cough* Cough* COVID-19. I remember writing a blog about this in 2018 which was fun to write, but at the time I found it difficult to find a relevant Crisis to help highlight the relevance and importance of having a BCP plan. With a BCP, your business can continue operating before, during, and after an Emergency.

So, let’s be Proactive and not Reactive in our response to the Trickle-Down Theory. From the Top Down – BCP wants to be a calm, quick, and effective response to an emergency. The focus is on your business’s ability to recover as soon as possible. There are Four main steps to the BCP process. These vary depending on your organization, but essentially they all seek the same outcome. This is where I want you to consider my title - Are You Process Oriented or Action Oriented? Or both? Do you make time for important processes? Or do you just take action when you need to?

The First Phase You Should Consider -
Dependent on the size of your organization and the nature of your business, Phase One relies on a methodology that has been previously demonstrated to the organization as a no-fail plan. This step includes:

Examination of the way your business is organized, from a crisis perspective

With approval of Senior Management, the formation of a BCP Team

Valuation. An internal appraisal of your business’s available resources that can participate in BCP undertakings

Write this down – Evaluation of the Legal and Regulatory Requirements which oversee your business’s response to a cataclysmic event

To Learn More about BCP, DR, Incident Response, or other Cybersecurity related inquiries, send me your info and I will get back to you as soon as I am able.

About the Author - Ashley Oliver is an experienced Cybersecurity Consultant, Engineer, Mentor and Teacher based in the Central New York area. Ashley has over 10 years of experience. Ashley is an SME in several areas of security including Network Security Engineering, Architecture, Policy, Standards, and Compliance. Ashley's rare and unique experience is based on her love for the Shell, and perfect design. Ashley has knowledge of NIST, and is very proficient in Cybersecurity, Network Security, Next-Gen Firewalls, Layered Security, DLP, Encryption, IPSec, and more, and she is always more than willing to share and to teach.

Thursday, April 9, 2020

Guest Blogger - Stuart Barker on Cybersecurity

ISO 27 I don’t think so

ISO 27001 is the international standard for information security and there is one thing most technical security professionals can agree on: it won’t stop you getting hacked. Now I agree to some extent with that sentiment, but it is not intended for that purpose. What ISO 27001 is is an information security management system. What that means in practical terms is it is a management system backed by a lot of documents. You can be looking in the region of 27 core documents for the ISMS and some 23 policies depending on what your products and services are. As a standard it covers managing information security, not out-of-the-box securing of your business.

What does cover securing your business is Annex A, often referred to as ISO 27002. This is a list of 114 controls that cover all aspects, disciplines, departments and parts of your business as they relate to the things you are trying to secure. These are a list to choose from, formulated by industry experts as the low-level entry and most commonly agreed controls. The standard doesn’t tell you how to implement the controls, and that is where the magic of network security professionals comes in, but it does look at the common controls that you would want. By way of example:

13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

13.1.1 Network controls
Networks shall be managed and controlled to protect information in systems and applications.

13.1.2 Security of network services
Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

An ISO 27001 certification is usually a requirement of your clients and customers. No one is going to the hassle for the laugh. There is a compelling commercial reason to do it.

The way it works is that the certification body will audit you against the standard AND the controls that you say you have. Let's face facts, not all auditors are experienced in all aspects. It is likely technically you can run rings around them when it comes to network security. That isn't in the spirit of what is intended, but it is possible to bamboozle an auditor into "these are the droids he is looking for" and pass. The upshot is that yes, ISO 27001 on its own does not stop a business being hacked or make it inherently more secure. But it gets a business to think about it and demonstrate to those customers that you take it seriously and someone has checked it. For me it makes sense when the clients and customers say it makes sense.

Author: Stuart Barker - The Data Security Guy

Stuart at High Table specialises in fintech and financial services companies, with over two decades of experience delivering legal and regulatory compliance for data. He specialises in getting and keeping companies compliant for data security, which usually means ISO 27001, PCI DSS, SOC 1 and SOC 2 certification and regulations like the FCA regulations for data security. He started, built and successfully sold a cyber security business. Now he advises companies and builds data security capability, allowing them to meet the needs of their customers, the needs of their funders and the needs of the law. Usually in that order. He is also a driver in addressing isolation, wellbeing and mental health in business and building emotionally intelligent people networks.