22 March 2024

Enterprise Security Risk Management (ESRM): Be Proactive…

What are three major questions that most CxO executives and Boards of Directors need to answer when confronting information security issues?

  1. Is your security policy enforced fairly, consistently and legally across the enterprise?
  2. Would our employees, contractors and partners know if a security violation was being committed?
  3. Would they know what to do about it if they did recognize a security violation?

In today’s complex 5G wireless world, global supply chains, nation states or insider threats to the information infrastructure of a company or government agency are not static, one-time events.

With new exploits, vulnerabilities, and digital attack tools widely available for download or X-as-a-Service (XaaS), a “complete information security solution” in place today can easily become outdated and incomplete tomorrow.

As a result, a comprehensive security architecture solution must be flexible and dynamic, continuously monitored and updated.

Presently, the news of “Zero-Day” digital-threat events tends to spread through the computer security world in a “grapevine” manner.

Threat information is obtained from specialized websites, e-mail listservs, cyber managed services and countless other informal sources.

This haphazard system is incomplete and therefore raises enterprise security risk management concerns when evaluating the damaging, costly effects of an aggressive, systematic digital event.

A comprehensive security solution requires the careful integration of people, processes, systems and external events that allows correlation and implementation of a “layered” defense coupled with a firm application of risk-management principles.

To fully protect electronic information architectures, an organization needs current intelligence and analysis that allows constant adjustment and fine-tuning of security measures (e.g., firewalls, intrusion-detection systems, virus protection) to effectively defend against a rapidly changing landscape.

Threats and vulnerabilities relating to computer networks, websites and information assets must be addressed before an attack occurs.

Proactive Awareness and the ability to make informed decisions are critical.

So what?

In short, as our global electronic economy plays an increasing role in the private and public sectors, critical infrastructure organizations must take advantage of the resulting new opportunities for growth and gains in efficiency and productivity.

Realizing these gains depends on an organization’s ability to open its information architecture to customers, partners and, in some cases, even competitors.

This heightened exposure creates greater risk and makes an organization a more likely target for attack (e.g., information and monetary theft, business ransomware disruption).

The cost of critical infrastructure failure climbs exponentially in relation to increasing reliance on our integrated systems with partners, subsidiaries and your vital supply chain.

Be proactive…

15 March 2024

OSINT 2: When is it Time?

Wonder why some companies don't have a more proactive OSINT (Open Source Intelligence) operation inside their own institution, looking at and analyzing potential “Threat Intel” across their global domains?

While there are very expensive services that can package up exactly what you are looking for, sometimes it just takes a little more time and the right “Sources.”

You could get a service at x-iDefense or an even wider range of collection capabilities from the likes of x-Cyveillance to assist the in-house OSINT operation.

Throw in some Stratfor, OSAC and one or more variations of Symantec or Qualys or Seerist and you have it mostly covered. Except for one thing.

Plenty of “Gray Matter.” How many qualified analysts do you have on your team?

We might agree that there is more information out there than anyone could possibly imagine accessible with a few clicks and keystrokes.

Yet the easy part is the collection and the filtering or storage. Making any sense of it all with the relevance you seek is the "Holy Grail" for you, today.

Yet that might change tomorrow.

It's the consistent development of a new hypothesis and testing it that determines who will get the next new piece of information ready for OSINT.

And still the question remains. Will this be better kept a secret, or out in the “Wild”?

The argument usually isn't whether the results of the test should be published; it's more about when to publish.

Open Source Intelligence is going to be around for some time to come. The tools are getting even better to find and process massive volumes of information.

Think AI.  Think GPU.

The only real impediment will continue to be those who want to wait and hold on to it, a little longer…

09 March 2024

SPRINT: Folin Lane to Cislunar...

It was the year 1997 and there was another client meeting at the headquarters of Navy Federal Credit Union in Vienna, Virginia.

Traveling through Tysons Corner on Route 7, the Spring colors from Dogwoods were in full bloom. The Navy Federal HQ was tucked away in the woods just a short ride down Chain Bridge Road (123) past Westwood Country Club then a left onto Folin Lane.

The IBM Personal Computer was just now quickly replacing the old CRT terminals sitting in the "Teller Windows" at 80+ branches in port locations across the USA and the world.

With NFCU overseas member branches today in Bahrain, Cuba, Greece, Guam, Korea, Italy, Japan, Singapore and Spain, the Internet and use of banking protocols outside proprietary computing networks was just in its infancy.

Meeting up that early Spring day with NFCU key IT executives and our fellow Noblestar Team of outside Software Quality Assurance (SQA) experts such as David, Gia and Howard, the topic on that day's agenda was the automated testing for bugs.

"No not Cicadas. You know, Vulnerabilities. Software Errors. Cracks in the Code."

Places that credit union software systems might be broken, running across the new IBM PCs networked to replace the terminals (CRT) from Annapolis to San Diego to Guantanamo to Italy.

Our innovation then in Software Quality Assurance was about writing automated scripts that would rapidly test software.

The testing scripts developed by our Team in the SQA software would help simulate hundreds of real people working at their new IBM PCs doing deposits, transfers and withdrawals as just one example.

Members of our Armed Forces who were NFCU customers (members) were counting on the IT personnel in Vienna, VA to help their branch managers keep their systems up-time-all-the-time, without vulnerabilities to the swarm of growing cyber exploits via the Internet.

So what?

True innovation begins with discovering a problem-set that has high value. Then figuring out if it can be solved quickly. A SPRINT.

To find a real solution to the problem-set that allows for the widget, the software, the process or the vehicle to do its job. What it was designed to do.

Whether it is software running on the IBM PC at the Teller Window at NFCU in Guam in 1977 or the sophisticated cislunar software running on a Space Force Lunar Lander on the Moon in 2024, what matters most?

Our United States' next-generation ability to use software to more rapidly discover problems and test new versions is even more vital.

Now imagine, humans working with new AI-powered software applications to augment our abilities to discover and rapidly solve new sophisticated problem-sets, a galaxy away.

This is already our SPRINT destiny…

02 March 2024

Critical Infrastructure Protection: Resolve to be Ready...

CxOs in corporate enterprises are ever more concerned about emergency preparedness and the continuity of their enterprises.

Now that threats to government and business operations are becoming ever more prevalent, organizations must plan for every type of business disruption from hardware and communications failures, to natural disasters, to internal or external acts of terrorism.

Being forced is never as appetizing as being induced to do anything. In order for changes to take place, the environment must reward investments in preparedness and safety.

Consistently, the conversations are not about “if” something is going to happen; they are about “where” or “when” it is going to happen.

In order to introduce new changes in process or design that impact the physical or operational aspects of critical infrastructures (to reduce terrorism risk), it is important to better understand how these change levers can provide the incentives for owners.

Therefore, it is imperative we initiate a proactive hedge against the inevitability of a loss event occurring in the future.

First however, we must understand the character of terrorism risk in critical infrastructure and some of the anti-terrorism tools currently available to help manage that risk.

The recognition by insurers that owners will continue to invest in terrorism risk reduction and building safety with the proper incentives is vital to overall risk management of critical infrastructures. Think “Ransomware” or even Colonial Pipeline.

The assessment of terrorism vulnerability in key structures identified as soft targets can be a key component of the rating of risk for a specific structure.

In order for owners to benefit from the potential of reduced premiums from direct insurers, they must be able to demonstrate a combination of risk mitigation measures and programs to help improve the survivability of the infrastructure or to reduce its vulnerability to certain threat profiles.

These need to be exercised on a continuous timetable with extensive documentation, training and reporting.

In order for insurance brokers to accurately represent their buyers' mitigation programs and measures to the direct insurers, they must have a foundation of knowledge about the structures' physical vulnerabilities.

However, even more essential is the understanding of the operational and human attributes of the building that are contributing to the proactive tactics to prevent losses and further exposures to potential terrorism risk.

If this step takes place, the insurers can better evaluate these operational and human elements to determine the value and effectiveness of these tactics so that they can be considered for premium reductions.

The building itself, two miles from The White House, 10 Downing Street or the Eiffel Tower, has little chance of moving outside the high-risk zone for terrorist events.

The only methods for reducing risk exposures are to dramatically impact the operational and human elements of the building to mitigate hazards and increase the survivability of the people and systems that are resident.

As landlords and other interested real estate finance industry partners move towards new standards to mitigate terrorism risk and protect critical infrastructure, the necessity for state-of-the-art tools and systems to mitigate those risks is paramount...