

How 2020 Presidential Candidates Can Guard Against Cyberattacks

The 2016 presidential election witnessed unprecedented Russian cyberattacks and disinformation campaigns designed to disrupt the U.S. electoral system by influencing public opinion. The Russian goal is to destabilize the U.S. through ideological activism, advancing their interests and furthering their political agenda. Their methods compromised the computer systems of candidates and political parties, then used the exfiltrated data to spread disinformation and influence the presidential election.

On January 6, 2017, the U.S. Director of National Intelligence released a declassified report, “Assessing Russian Activities and Intentions in Recent U.S. Elections.” According to the report, Vladimir Putin ordered a massive campaign orchestrating attacks on multiple fronts, ranging from spreading pro-Trump propaganda on social media to hacking the Democratic National Committee (DNC). Their methods resulted in massive data breaches within the DNC that included access to John Podesta's email f…

Information Security Program Fundamentals

It is perhaps unsurprising that companies of every size need a plan to ensure the security of their information assets. Such a plan is called a security program, and as a consultant in this space for many years, one of the most critical observations I have made is the lack of an effective one that is practiced and embraced at every level of an organization. The security program is the framework that provides the desired security level by assessing the risks, deciding how to mitigate them, and planning to keep the program up to date.

The Lifeblood of Any Organization is Its Data!

On various engagements I have been on to investigate breaches, going through the discovery phases and interviewing key people, I hear them say, “George, we don’t have anything of value to protect; our department does not have so-called PII (personal identity information) or PHI (personal health information).” I then ask the department heads if they conduct employee evaluations, as I suspect they routinely do; sure enough, they respond with a “yes,” and then I tell them to think again. To their astonishment, they unleash hordes of sensitive data that they felt they never had, and of course part of the security program is awareness.

The principal asset that a security program protects is the data, and the value of any business is in its data. From a regulatory perspective, data protection is dictated by governmental and other regulations regardless of whether the organization is publicly traded or privately owned: for instance, how to manage customer credit card data or employee social security numbers. From a legal perspective, it dictates how to handle confidential litigation memos and e-mails. If your data management practices are not already covered by regulations, consider the value of the following; this feeds into data classification:
  • Product information, including designs, plans, patent applications, source code, drawings and intellectual property.
  • Financial information, including market assessments and the company’s financial records, which include payroll, forecasting, budgets, etc.
  • Customer information, including confidential information you hold on behalf of customers or clients, the internal telephone directory, travel itineraries, etc.
Data protection means protecting the data’s confidentiality, integrity, and availability; without it, the results can be catastrophic.
  • Failure to protect the data’s confidentiality may result in the theft of customer credit card numbers, with legal consequences and a loss of goodwill. Lose your clients’ confidential information and expect to lose current and future clientele. Consider the Target, TJ Maxx, and Neiman Marcus breaches; the list is endless.
  • A data integrity failure may result in malware being planted in your systems, allowing an intruder to pass your corporate secrets on to your competitors or adversaries. If an integrity failure affects your financial records, you may no longer know your company’s actual economic status. Or consider litigation records outlining courtroom strategy, or negotiation-approach memorandums, getting into an adversary’s hands. Consider the Heartland Payment Systems breach, among several.

So What Are The Components of a Security Program?

The program must provide big-picture oversight of how to keep the data secure. It must take a holistic approach that describes how every part of an organization is involved in the program, and not become merely procedural (for example, how to handle an incident or how to perform periodic assessments). The security program defines what data is covered and what is not. It assesses the risks the organization faces and how to plan for mitigation. It indicates how often the program will be re-evaluated and updated, and when compliance with the program will be assessed. The critical components of a security program are as follows:

1. The CISO (Chief Information Security Officer): if you don’t have one, get one!
For most security regulations and standards, having a CISO is not optional; it’s a requirement. The CISO is responsible for coordinating and executing the security program. It is arguably one of the toughest positions, being the main cog in securing an organization. The role carries tremendous responsibility with high visibility, and its accountability exceeds that of other executives, because security reaches every individual and operation in the organization. This person or role should report to someone outside of the IT organization to maintain independence; this is where most organizations fail in their executive reporting hierarchy.

2. The Risk Assessment
This component identifies and assesses the risks that the security program intends to manage. It is perhaps the most important because it defines the risks the organization faces so that an informed decision can be reached on appropriate, cost-effective ways to manage them. Remember that we can only minimize, not eliminate, risk, so this assessment prioritizes the risks and chooses cost-effective countermeasures. The risks covered in the assessment may include one or more of the following:
  • Physical data loss caused by losing immediate access to the data, for reasons ranging from natural disasters (acts of God) to loss of electric power. Disaster Recovery and Business Continuity plans feed off this in parallel. Other losses of access to the data have more subtle causes: multiple disk failures, for example, a RAID array suffering two or more hard drive failures at intervals. Consider physical assets in third-party locations, such as co-location facilities that are not under the company’s control.
  • Unauthorized access to the data, including client or customer data. Be careful about confidential information from clients or customers; companies are often contractually obliged to protect that data as if it were their own. Consider mobile devices and data in the cloud: what SLAs are in place that meet or exceed the organization’s security program? What are the legal consequences if they do not, in the event of a breach, and what mitigation procedures can be employed?
  • Data interception in transit or in use, including information transmitted between company sites, or between the company and employees, partners, and contractors at home or other locations.
  • Data in someone else’s hands, cloud data in particular, such as data shared with third parties including contractors, partners, or the sales channel. What protects the data while it is in their hands is an important aspect.
  • Data corruption. Intentional corruption might modify data so that it favors an external party; consider malware on PCs. Unintentional corruption might be due to software or even hardware errors that overwrite valid data.

3. Policies and Procedures
As if the risk assessment were not enough, there are many more complexities. The policies and procedures component is where the decision on what to do about each risk originates. Areas that the program must cover include the following:
  • Physical security documents define how to protect all three C-I-A (confidentiality, integrity, availability) aspects of your data from unauthorized physical access.
  • Authentication, authorization, and accountability establishes procedures for issuing and revoking accounts. It specifies how users authenticate, password creation, aging and complexity requirements, and the maintenance of audit-trail logs.
  • Security awareness makes sure that all users have a copy of your acceptable use policy and know their responsibilities; it also makes sure that IT employees are engaged in implementing IT-specific policies.
  • Risk assessment states how often to reassess the potential threats to IT security and update the security program accordingly.
  • Incident response defines the response to security threats, including potential incidents (such as unauthorized port scanning) and actual incidents (where security has been compromised).
  • Virus (malware) protection outlines how you protect against malware. This might include maintaining PC-based protection software and scanning email, web content, and file transfers for malicious content.
  • Business continuity planning includes how you will respond to various man-made and natural disaster scenarios. This includes setting up appropriate backup sites, systems, and data, as well as keeping them up to date and ready to take over within the defined recovery time. It is essential that the disaster recovery and business continuity programs are integrated with the security program.
  • Relationships with vendors and partners define who these organizations are, what kind of data you might exchange with them, and what provisions must be in your contracts to protect the data. This is an often-overlooked aspect of data security because the IT organization probably does not interact with your legal organization over vendor contracts, and this is one of the critical vectors through which legal information is breached. Take measures such as evaluating your partners’ ability to safeguard your data and insisting on reasonable security practices being in place, including obtaining the right to audit their security program and practices.

4. Organizational Security Awareness
The security community generally agrees that the weakest link in most organizations’ security is the human factor, not technology. Even though it is the weakest link, it is often overlooked in security programs, and I consider it an absolute must-have.
Every employee needs to be aware of his or her roles and responsibilities when it comes to security. Even those who don’t touch a computer in their daily work need to be involved, because they could become a breach vector targeted by social-engineering attacks designed to compromise physical and logical security. Everyone needs security awareness training, while those involved with IT systems need more role-specific training. The IT organization, which implements a continuous cycle of assessing, acquiring, and operating security-related hardware and software, needs an even higher level of involvement and must be held to a much higher standard, taking direction from security specialists and those hired as consultants.

5. Regulatory Standards Compliance
The organization may also need to comply with one or more standards defined by external parties. This component of the security plan determines what those standards are and how you will meet them. Regulations that might apply include a wide range of laws such as HIPAA (for patient information), industry compliance mandates such as PCI (for credit card processing), FISMA (for governmental agencies and contractors), Sarbanes-Oxley, and Gramm-Leach-Bliley (for corporate financial management). Also, global companies must comply with the regulations of the foreign jurisdictions in which they store and transact data.

6. Audit Compliance Plan
This component dictates how often to audit IT security and assess its compliance with the security program. Periodic security assessments are essential for finding out whether security has already been breached. The audits prepare organizations to stay on top of new security threats with the right technology and staff training. They serve as a platform for making smart investments that prioritize and focus on the high-impact items. I also must stress keeping internal audit as an advocate, particularly at the board level, stressing the need before the organization’s audit committee.

A security program is never done, not by a long shot. It is a living program that evolves with never-ending threats. It must have a life cycle of its own that continually re-assesses the risks all organizations face. One thing to know about the security plan is that it can be a small document or a very complex one, depending on the volume and type of data assets to protect. It also must be made part of the corporate governance of the organization and strictly enforced to be effective. Without enactment as part of management, the program will not adequately hold users at any level accountable.