Category Archives: Security

Who checks the checkers?

Compliance with law and compliance with policy and procedure are relatively easy to establish.  But compliance with ethics?

“Journal Reporter Fired Over Ethics,” The Wall Street Journal, June 22, 2017 A2.  A foreign affairs reporter at The Wall Street Journal was fired for something related to “his dealings with an aviation tycoon whom he had cultivated as a source.”  Further details weren’t provided.  It may have been the offer from the tycoon of a share in one of his companies.  Perhaps he wasn’t totally honest with the paper about something (but we don’t know what, yet).  A violation of journalistic ethics?

All this may have been revealed following a hack of email or text messages, or both.

Seems a bit squishy without more details as to what were the ethics and what was the violation.  Were I a reporter for the paper, I’d be curious what the lines were and how were they crossed.  This perhaps goes beyond the common stricture of “Don’t lie, cheat, or steal.”

Were this a corporate exec or a governmental official, would we get more detail?  Who checks the checkers?

Leave a comment

Filed under Compliance, Controls, Culture, Duty, Employees, Governance, Internal controls, IT, Oversight, Security

Contractors and the Cloud

Do you have contractors who analyze your data for you?  Do they use cloud storage?  Do you know?  How secure it that?  Is that prohibited by your service contract?

“Data on 198 Million Votes Exposed Online,” The Wall Street Journal, June 20, 2017 A4. Deep Root Analytics, a Republican party consultant, used an online storage system that was reportedly open to the world for several days.  Most/some of the information exposed was publicly available information on voters.  A lot of voters.

Well, at least the Russians (or the DNC) didn’t hack it.  Or did they?

What controls do you have that protect information your consultants are using and the opinions you are paying them to provide you?  Do you care?  It’s not like it’s money or anything.

Leave a comment

Filed under IT, Security, Governance, Protect assets, Controls, Third parties, Board, Management, Protect information assets, Protect, Oversight, Access, Duty, Vendors, Corporation

Kidnapping v. stealing information

One unique aspect of information is that it can be stolen, yet remain in the owner’s possession.  Apparently, medical facilities are required to report if your medical information is stolen, but not if it is merely kidnapped and held for ransom.

“Some Cyberattacks Go Unreported,” The Wall Street Journal, June 19, 20127 B3.  Whether hospitals need to report a ransomware attack of their files as a data breach is a “gray area,” and the federal government doesn’t require such reports, even if the government knows about them.  Some hospitals don’t report ransomware attacks, so these attacks are not in the HHS statistics.

So, patients don’t know when hospitals have weak security protection.  What value, then, are the government statistics?  Do they need a big asterisk?

 

Leave a comment

Filed under Controls, Corporation, Data quality, Duty, Government, Information, Internal controls, IT, Legal, Requirements, Security, Third parties, To report, Value

Weakest link

Where do you start if you want to pierce a corporation’s cybersecurity protections?  The CEO.

“Goldman, Citi Bosses Duped by Email Prankster,” The Wall Street Journal, June 13, 2017 B11.  Although nothing confidential was leaked, the CEOs bought into phishing emails.

Hard to blame the Chief Information Security Officer.  One assumes there’s a policy in place, but can you write a policy to protect against this?  Who else in the corporation isn’t following the existing policy?  How do you fix? Two-factor authentication for every email to/from a senior exec?  Encryption?

Leave a comment

Filed under Access, Compliance, Compliance, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Management, Policy, Security

We have a Winner

What do you do when you discover who violated the law by leaking a classified document?  You arrest them.

“Contractor Charged in Leak,” The Wall Street Journal, June 6, 2017 A4.  Reality Winner, an employee of a contractor for the NSA, was arrested and charged for leaking a classified document to the news media.  A criminal offense.

Interesting story of how the government found out.  A news agency provided a copy of the document and requested the government to confirm its accuracy.  The government could tell from looking at the copy that it had been folded, and concluded someone printed it out and sneaked it out.  IT logs showed six people had printed it out.  The computer of one of them showed email contact with a news agency.  When questioned, Ms. Winner fessed up.

Common themes:  the NSA needs to watch the employees of its contractors carefully; IT has a record, somewhere; criminals get arrested; a newspaper can inadvertently disclose confidential sources.

 

Leave a comment

Filed under Access, Controls, Corporation, Duty, Employees, Governance, Government, Information, Internal controls, IT, Oversight, Ownership, Protect assets, Security, Third parties, Vendors

Hacking hackers

“In Cyberwar, Spies May Be Targets,” The Wall Street Journal, May 25, 2017 B4.  In a breach of protocol, the hackers behind the WannaCry ransomware attack may be releasing the names of some of the hackers working for the NSA.  Certainly cuts down on their foreign travel.

If they can’t keep their own secrets secret, what’s a body to do?  Will this shut them down?

How well does your company keep its secrets?  How important is it to your employees?

Leave a comment

Filed under Access, Business Continuity, Controls, Duty, Government, IT, Privacy, Security, Third parties

Where does one start?

Two front-page items today relating to information and governance and compliance, or some combination thereof.

Trump Shared Secrets With Russians,” The Wall Street Journal, May 16, 2016 A1.  President Trump shared  with the Russians “sensitive intelligence” received from an ally.  May have compromised the source.

“Hack Probe Zeroes In on How Virus Invaded Networks,” The Wall Street Journal, May 16, 2016 A1.   WannaCry ransomware infects various networks worldwide.  Similar to an NSA hack, or are you still using XP?

Regardless whether the President shared actual sources and methods, or just enough to figure them out, this bears scrutiny.  What impact (cost) will this have on future intelligence sharing by allies?  Who in your organization has access to secret stuff, and how well do they manage it?

As for WannaCry, are we really only secure as our weakest link?  Lots and lots of links.

 

 

Leave a comment

Filed under Access, Controls, Duty, Duty of Care, Governance, Government, Information, Interconnections, Internal controls, IT, Protect assets, Security, Third parties, Value