Category Archives: Security

Hire the bad guys

Someone breaches your security perimeter and hacks your product.  Relax, it was only a job interview.

“GM Hires Famed Jeep Hackers,” The Wall Street Journal, August 1, 2017 B5.  The people who that successfully hacked a moving Jeep have been hired by GM to advise on cybersecurity.

I guess it’s better to have them inside the tent rather than outside.  But it’s only a guess.

Leave a comment

Filed under Access, Controls, Internal controls, IT, Security, Third parties

Going to the movies

Sony was not alone.  HBO gets hacked, too, and Netflix.  Is nothing sacred?

“Hackers Stole HBO Programming,” The Wall Street Journal, August 1, 2017 B2.  Game of Thrones may be coming sooner than planned.    Hacker also got personal information on at least one executive.

How well is your information protected?  What’s that protection worth?

Leave a comment

Filed under Access, Controls, Governance, Information, Internal controls, IT, Management, Protect, Protect assets, Protect information assets, Security, Value

The grip on your information

“Apple Eases Its Grip in Chinese Data,” The Wall Street Journal, July 13, 2017 B3.  “To comply with tough new cybersecurity rules, Apple will begin storing all cloud data for its Chinese customers with a government owned company [in China] ….”  Apple “will retain control over encryption keys.”  That makes me much more comfortable.

It might appear that China is exerting its grip on the data stored by Chinese customers on iCloud.  But whose data is it, anyway?  And what if other countries take similar steps with their citizens’ data?  Any opportunity for mischief?

Leave a comment

Filed under Access, Controls, Information, Internal controls, IT, Ownership, Privacy, Security, Third parties

Ransomware Week

“Faux Ransomware Does Damage,” The Wall Street Journal, June 30, 2017 B3.  Motive for recent attacks was not blackmail, but just disruption.  The files that were attacked may not be recoverable.  “Malware Leaves Big Law Firm Hobbled,” The Wall Street Journal, June 30, 2017 B3.  DLA Piper shuts down after its computer systems hit.  “Hospital Is Forced To Scrap Computers,” The Wall Street Journal, June 30, 2017 B3. West Virginia hospital tosses its entire computer network after cyberattack.

Have the Visigoths gathered at the gate?  If we can’t protect our computers and the information they contain and send, does our civilization survive?  Is IT now more important that all the other functions?

Leave a comment

Filed under Access, Business Case, Business Continuity, Controls, Information, Interconnections, IT, Operations, Risk, Security, Value

Cyberattacks, revisited

It’s Groundhog Day.  Or becoming a dog-bites-man story.

“Cyberattack’s Fallout Fuels Scramble,” The Wall Street Journal, June 29, 2017 B3. A ransomware attack through Microsoft Windows hits Maersk, Merck, WPP, and Rosneft, among others.  Surgeries disrupted at a Pennsylvania hospital.  “Hospital Operator In Pennsylvania Works to Recover,” The Wall Street Journal, June 29, 2017 B3.

Does this become so routine we forget people are supposed to take steps to prevent it?  Do cyberattacks make the board agenda, without the tie to the greater information governance questions?  Is that progress?  Does industry not see the bigger risk?

 

Leave a comment

Filed under Access, Controls, Duty of Care, Governance, Information, Interconnections, Internal controls, IT, Oversight, Protect assets, Security, Third parties, Value

Who checks the checkers?

Compliance with law and compliance with policy and procedure are relatively easy to establish.  But compliance with ethics?

“Journal Reporter Fired Over Ethics,” The Wall Street Journal, June 22, 2017 A2.  A foreign affairs reporter at The Wall Street Journal was fired for something related to “his dealings with an aviation tycoon whom he had cultivated as a source.”  Further details weren’t provided.  It may have been the offer from the tycoon of a share in one of his companies.  Perhaps he wasn’t totally honest with the paper about something (but we don’t know what, yet).  A violation of journalistic ethics?

All this may have been revealed following a hack of email or text messages, or both.

Seems a bit squishy without more details as to what were the ethics and what was the violation.  Were I a reporter for the paper, I’d be curious what the lines were and how were they crossed.  This perhaps goes beyond the common stricture of “Don’t lie, cheat, or steal.”

Were this a corporate exec or a governmental official, would we get more detail?  Who checks the checkers?

Leave a comment

Filed under Compliance, Controls, Culture, Duty, Employees, Governance, Internal controls, IT, Oversight, Security

Contractors and the Cloud

Do you have contractors who analyze your data for you?  Do they use cloud storage?  Do you know?  How secure it that?  Is that prohibited by your service contract?

“Data on 198 Million Votes Exposed Online,” The Wall Street Journal, June 20, 2017 A4. Deep Root Analytics, a Republican party consultant, used an online storage system that was reportedly open to the world for several days.  Most/some of the information exposed was publicly available information on voters.  A lot of voters.

Well, at least the Russians (or the DNC) didn’t hack it.  Or did they?

What controls do you have that protect information your consultants are using and the opinions you are paying them to provide you?  Do you care?  It’s not like it’s money or anything.

Leave a comment

Filed under Access, Board, Controls, Corporation, Duty, Governance, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Security, Third parties, Vendors