26 April 2024

Navigating Wisdom: Partners in True Innovation...

Before you were wise, you were prone to be testing, wondering what would happen next.

The more you found yourself exploring, testing and better understanding the results, the more wisdom you created.

Creating the opportunities for gaining new knowledge and learning first requires an attitude of curiosity.

What is on the other side of that hill? Who lives around the corner? How does a bird fly? Why does the sun shine during the day and the moon at night?

Are you creating curiosity with the purpose of learning more and asking new questions?

After the process has been repeated enough times with the same results, you begin to craft your own hypothesis.

True Innovation begins here.

Beyond your curiosity stage and past your due diligence, now you have arrived at your new hypothesis:

1 a: an assumption or concession made for the sake of argument

b : an interpretation of a practical situation or condition taken as the ground for action

2 : a tentative assumption made in order to draw out and test its logical or empirical consequences

3 : the antecedent clause of a conditional statement

Now your testing begins and you experience the outcomes and results. The evidence of your work will provide you the path for your future navigation.

Too fast, too slow. Too hot, too cold. Too high, too low. Keep testing.

So what kind of “Innovation Navigator” will you become?

Time will tell and much of what happens in your life is going to be a factor of the people you meet.

Who else has the same curiosity as you do? What questions do they ask that you never thought about?

You see, you need a Team Mate. A Wing Man. A Buddy. Together you will discover far more about your growing curiosity and your new tested hypotheses.

You will leverage each other's strengths together and you will cover each other's vulnerabilities.

How wise will you both become as “Innovation Navigators”…

19 April 2024

Dream: Smell the Flowers…

What is your next dream? How might you envision it even more effectively?

As a young kid one of the books Mom & Dad would read to us started off like this:

“Once upon a time in Spain there was a little bull and his name was Ferdinand. All the other little bulls he lived with would run and jump and butt their heads together, but not Ferdinand. He liked to sit just quietly and smell the flowers.”—By Munro Leaf & Robert Lawson - Copyright 1936 - Viking Press

In your own life journey in search of “New”, new change, new environments, new people, new places and where your next destination will be, you shall continuously Innovate, Adapt, Test and become even more Resilient.

You see, your dream is out there. You can see it and you are able to feel it.

The reality is that you are impatient. You will not have time to test long enough.

This is when the surprises become a reality. You are caught off guard, you experience an error, you experience a loss.

What is your back up “Just-in-Time” plan?

How shall you implement the plan of actions with scarce resources?

Do you have a path to eliminate the delay or to restore the loss quickly? How will you achieve true resiliency?

Our true professionals in Operational Risk Management (ORM) dream just like everyone else.

Yet, they dream and envision the “What ifs” and the possible ways to respond. They anticipate the ways to bounce back, restore balance and move forward:

  • Accept risk when benefits outweigh the cost.
  • Accept no unnecessary risk.
  • Anticipate and manage risk by planning.
  • Make risk decisions in the right time at the right level.

Now, envision your dream with some interruptions. Then see yourself quickly recovering to achieve your planned “Mission Objective”.

What have you learned this year, this month or this week?

In 2024 and beyond, our International Globe and its people will continue to challenge all of us.

Our countries and their businesses are accelerating towards the future with exponentially more data and with so much less understanding. We may also have less empathy.

You and your team can change this as you strive together to understand more about the “Why” and the “How”.

Will you grow with your new trusted partners to be even more empathetic?

Always be Ready…and try to take time to “Smell the Flowers”.

Godspeed!

13 April 2024

Corporate Business Survival: 4D | Deter. Detect. Defend. Document.

Critical Infrastructures are those systems and assets - whether Physical or Virtual – that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of those matters.

As ransomware attacks continue to grow, organizations need to improve their security posture to protect against an attack.  Better security requires implementing appropriate security controls and ensuring that effective crisis management and employee education are in place.

The landscape of how we work has changed since the onset of the global pandemic.  We must assess vulnerabilities in a new way and with increased due diligence.

Our Corporate Critical Assets are "Under Attack".

4D = Deter. Detect. Defend. Document.

"Attackers use Tools to exploit Vulnerabilities. They create an Action on a target that produces an Unauthorized result."

Attackers do this to obtain their Objective.

LESSON 1- DETER.

  • What corporate critical assets are most valuable in the eyes of your adversary?
  • Increase deterrence with these assets first.
  • MFA / Layered Access. [SMS vs. Authy or Authenticator]
  • Segmented Networks.
  • Data / Network Encryption.
  • People motivated by Financial Gain, Damage/Disruption or the Challenge.

LESSON 2 – DETECT.

  • Detect the use of tools by the Attackers.
  • Some tools are High Tech, others are "Social Engineered".
  • They will discover vulnerabilities in:
      • Design.
      • Implementation.
      • Configuration.

You must continuously detect the use of attackers' methods and tools to exploit your vulnerabilities.

LESSON 3 – DEFEND.

  • Defend the target assets from actions by the attackers.
  • Targets may include people, facilities, accounts, processes, data, devices, networks.
  • Actions against the target that are intended to produce the unauthorized result include:
      • Probe.
      • Spoof.
      • Steal.
      • Delete / Encrypt.

LESSON 4 – DOCUMENT.

  • Document the "Normal" so you know when and where there is an Unauthorized result:
      • Increased Access.
      • Disclosure or Corruption of Information.
      • Denial of Service or Theft of Resources.
  • Continuously document using a "Collection Management Framework" (Logs), and know how to access it for effective Incident Response.

1. In order to understand how to defend your corporate critical assets, use Red Teams, Bug Bounties or internal testing resources.

2. Maintain offline, encrypted backups of data and regularly test your backups.

3. Review Third Party or Managed Service Provider (MSP) policies for maintaining and securing your organization's backups.

4. Understand that adversaries may exploit the trusted relationships your organization has with third parties and MSPs.

The cost of a cyberattack is often significant for organizations large and small, and we must strengthen responsiveness and reduce behaviors that may open vulnerabilities in the future.

Public Private Partnerships of Critical Infrastructure organizations with CISA.gov and FBI.gov are vital to enhance our National Security...

06 April 2024

Vulnerability: Launching into the Future...

Looking in the rear view mirror from the Spring of 2004, the InfoSec World Conference in Orlando FL was on the calendar.

Our flight from Washington, DC provided just enough time to plan out the sequence of sessions and events to attend in order to explore any new innovations.

At that point, we were only in the first decade of our "Information Security" evolution.

"Before “The Cloud”. Before IT standards could truly grasp the spectrum of sophisticated exploits, that were soon to be developed by other Nation States."

The guidelines and metrics developed that year by the Yankee Group were derived from The Laws of Vulnerabilities research, authored by Gerhard Eschelbeck, CTO of Qualys.

The Dynamic Best Practices in Vulnerability Management are based on key findings from The Laws of Vulnerabilities:

>>Half-Life: The half-life identifies the length of time it takes users to patch half of their systems, reducing their window of exposure. The half-life of critical vulnerabilities for external systems is 21 days and for internal systems is 62 days. This number doubles with lowering degrees of severity.

>>Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. In other words, there is a constant flow of new critical vulnerabilities to manage.

>>Persistence: The lifespan of some vulnerabilities and worms is unlimited. In fact, the research shows significant spikes in the occurrence of Blaster and Nachi worm infections in 2004, months after they originally appeared.

>>Exploitation: The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle. 80 percent of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities.

The best practices apply vulnerability management as the one solution IT can count on to measure and manage the effectiveness of a network defense program.

"Performing regular security audits is a vital step companies must take to keep up with the changing security landscape," said Eric Ogren, Senior Analyst at the Yankee Group. "With each new breed of attack, it is clear that best practices in IT security must be achieved for organizations to effectively protect critical network assets."

Based on these Laws, the Yankee Group defines four dynamic best practices for vulnerability management as:

1. Classify: Enterprises should identify and categorize all network resources. They should classify these resources into categories and tier a hierarchy of assets by value to the business. Critical assets should be audited every 5 to 10 days to identify vulnerabilities and protect against exploits. Based on hierarchical priority, lower category assets can be scanned less frequently as the work plans to patch will also be less frequent.

2. Integrate: To improve effectiveness of various security technologies such as server and desktop discovery systems, patch management systems, and upgrade services, enterprises must integrate with vulnerability management technologies. Best practice organizations should also report on operational progress against vulnerability goals to raise the level of awareness for security within the executive management team.

3. Measure: Enterprises need to measure their networks against the half-life curve and persistence curves of vulnerabilities. Graphically track the percentage of vulnerabilities mitigated within each 30-day cycle and the number of vulnerabilities that extend past 180 days. Chart the security team's performance to make sure the end result is risk reduction, especially to critical assets.

4. Audit: Security officers should utilize the results of vulnerability scans to understand a corporation's network security posture. Use the metrics to evaluate successes and failures of different policies to improve security performance. Use audit metrics to communicate security status to senior management.
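To make the Half-Life law and the "Measure" practice concrete, here is an added example (not code from the Yankee Group, Qualys or the original notes) that computes the half-life, the percentage mitigated within 30 days and the findings open past 180 days, then compares the half-life to the 21 and 62 day figures quoted above. The findings, asset names and function names are constructed for illustration.

```python
from datetime import date
from math import ceil
BENCHMARK = {"external": 21, "internal": 62}  # half-life in days, as quoted in the text

# Constructed sample: (asset, exposure, detected, fixed or None if still open).
FINDINGS = [
    ("web-01", "external", date(2023, 9, 1), date(2023, 9, 11)),
    ("web-02", "external", date(2023, 9, 1), date(2023, 9, 19)),
    ("vpn-01", "external", date(2023, 9, 1), date(2023, 10, 16)),
    ("mail-01", "external", date(2023, 9, 1), None),
    ("db-01", "internal", date(2024, 1, 1), date(2024, 1, 21)),
    ("hr-01", "internal", date(2024, 1, 1), date(2024, 3, 11)),
    ("fs-01", "internal", date(2024, 1, 1), date(2024, 3, 21)),
    ("erp-01", "internal", date(2024, 1, 1), None),
]

def days_to_fix(f, as_of):
    """Remediation time in days, or None if the finding is still open at as_of."""
    return (f[3] - f[2]).days if f[3] and f[3] <= as_of else None

def half_life_days(findings, as_of):
    """Days it took to remediate half of the findings; None if not reached yet."""
    fixed = sorted(d for d in (days_to_fix(f, as_of) for f in findings) if d is not None)
    need = ceil(len(findings) / 2)
    return fixed[need - 1] if need and len(fixed) >= need else None

def pct_mitigated_within(findings, days, as_of):
    """Percentage of findings remediated within `days` of detection."""
    hits = [d for d in (days_to_fix(f, as_of) for f in findings) if d is not None and d <= days]
    return 100.0 * len(hits) / len(findings) if findings else 0.0

def open_past(findings, days, as_of):
    """Assets whose finding is still open more than `days` after detection."""
    return [f[0] for f in findings
            if days_to_fix(f, as_of) is None and (as_of - f[2]).days > days]

def report(findings, as_of):
    """Per-exposure metrics compared against the quoted half-life benchmark."""
    out = {}
    for exposure, bench in BENCHMARK.items():
        subset = [f for f in findings if f[1] == exposure]
        hl = half_life_days(subset, as_of)
        out[exposure] = {"half_life": hl, "benchmark": bench,
                         "meets_benchmark": hl is not None and hl <= bench,
                         "pct_30d": pct_mitigated_within(subset, 30, as_of),
                         "open_180d": open_past(subset, 180, as_of)}
    return out

if __name__ == "__main__": print(report(FINDINGS, date(2024, 4, 1)))
```

Open findings stay in the denominator, so a team cannot improve its half-life by leaving the hardest systems unpatched.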

The notes written soon after the business trip to this InfoSec World event can still provide us additional vital context, as we commercialize our travel to Space.

They give us some basis for how over two decades later, the best practices are still very much the same.

Except for this.

Today, "Vulnerability Management" now has the Cloud, Quantum and more powerful AI…