Monthly Archives: April 2018

Be a Conscientious Risk Manager

Whether you are a CIO or CISO in Federal, State or Local government, Education, or Commercial Business, you all face the same challenge, whether you accept it or not. In the security risk management world, if a malicious actor wants into your network, they will figure out a way to get in. You still need to build a comprehensive risk governance and management plan, but that plan must be built on the premise of how you will respond when the breach occurs.

Having spent 38 years in Information Security, the one constant I see is that the individuals who make it their business to steal or disrupt your data are better funded, better trained, and have unlimited hours to execute their trade. What we hope to achieve is being a half-step behind them at worst. There is no way to stay in step, and a step ahead is out of the question.

So what does this really mean to the conscientious risk manager? Create a strategy whereby you frequently identify the threat and measure the risk against that threat in your as-built infrastructure. Test frequently, from outside and inside, using the same tools and techniques the malicious actors use. Test user security awareness, since we know it only takes one click on a malicious link in a phishing email to potentially bring down an entire enterprise. Measure, document, prioritize, and build a risk roadmap strategy that keeps your risk mitigation focused on the most critical exploitable areas.

Three Top Security Imperatives
Keep in mind that your top three security imperatives are: reducing your threat exposure, enhancing your response and recovery times, and increasing security visibility. What does security visibility mean? Implementing the people, process, and technology in key security areas that give you a fighting chance to detect and react to malicious and advanced persistent threats.

Let’s talk people, process, and technology. We all know users are the weakest link in any security chain. Not because they have sinister intent, although sometimes they do, but primarily because in today’s high-powered technical, mobile, and social world, a lapse in judgment is commonplace. We live in a rapid-fire, high-availability, high-output world, and mistakes can and will be made. So make them less commonplace: train and educate often, and monitor closely for when that lapse in judgment occurs.

Process: Again, our high-powered technical, mobile, and social world often demands that we run at warp speed. Who has time to document? Well, make the time. Good documentation, including processes, policies and standards, as well as a documented and managed configuration control process, will help keep you more secure. Every process, policy and standard document has to have an assigned owner, a designated review date, and an oversight or governance process. All roles and responsibilities need to be included in the documentation, and the expected outcome needs to be defined. Make the time to prepare and socialize your critical information security program documentation.

Technology: Many risk owners fall prey to purchasing every piece of security technology available at what I like to call the security “choke points”: endpoint, network, edge, gateway, and so on. This is just what everyone does. Instead, why not use the process discussed above (measure, document, prioritize, and build a risk roadmap strategy) as the guideline for what technology you purchase and deploy? Ask yourself: what is wrong with selecting and implementing a product only after you validate how it will help you manage your documented security risk? Of course the answer is: nothing.

Focus on Seamless Collaboration
You have documented your risk, you have prioritized your risk roadmap, and as a result you know the very specific technology, or set of technologies, you need to implement first. Most importantly, your technology selections should focus on products that collaborate seamlessly. In other words, your endpoint, edge, network, gateway, sandbox, and other security technologies all talk to each other. We call this approach to complete security visibility across the whole landscape the Unified Security Stack. And don’t forget that all technology must have a people and process component as well.

Good information security risk management and risk governance does not come by accident. It takes planning and execution. In the end, although you may not keep the bad guy out, you will be better prepared for when they get in.

The post Be a Conscientious Risk Manager appeared first on Connected.


IN BRIEF: Heads of ICT units met to discuss challenges, and the best ways to solve them, in meetings that concluded in Kenya.

Policymakers and legislators have been making ICT decisions without involving ICT stakeholders. This has been one of the challenges that creates friction over effective practice for ICT practitioners in many parts of Africa.

The discussion, which focused on the importance of regulating and overseeing practitioners in the ICT sector, was seen as positive, but it is beset by several challenges owing to the limited involvement of the stakeholders who could bring about change in the sector.

This discussion followed a new policy in Kenya that would formally register ICT practitioners and require them to be recognised before they can work in various areas. This would resemble what we have in Tanzania for lawyers and for professionals in several other fields.

What the formalisation of the ICT sector expects, in order for an ICT practitioner to be recognised and to serve in the sector, is passage through three main stages: study, examination, and the granting of a licence to provide services in the sector.

One challenge that emerged is the possibility of killing the talent of ICT innovators who have been coming up with useful innovations without having formal training in the sector.

We have witnessed young people who studied fields other than ICT but later came up with good ICT systems that solved various challenges in our communities, unlike others who studied the field itself and failed to become innovators bringing change to our societies.

There are systems in many areas whose creators had no formal ICT education. Moreover, the key question is whether the use of ICT has ever required the practitioner to have formal education, given that every sector depends on ICT and anyone skilled in any field could potentially do well with ICT systems.

GDPR (General Data Protection Regulation): European Union countries expect to formally begin applying the GDPR at the end of May 2018. Its main aim is to protect the privacy of their citizens.

This step may affect many parts of the world, Africa included, since we have continued to do business with and serve EU countries, which means data on EU citizens is held by us.

There was a serious discussion of what to expect in our institutions, especially financial ones, once the EU formally begins applying the GDPR, and of the best ways to protect the privacy of users of ICT systems in our institutions, so as to avoid what we could face after the GDPR formally takes effect in Europe.

CSIRT (Computer Security Incident Response Team): We have faced the challenge of the absence of dedicated units to respond to cybercrime incidents in various institutions and companies. This stems from low awareness of the importance of these dedicated units, whose role is to respond to cybercrime.

The importance of a CSIRT, how to establish one, and its responsibilities in every company and institution was a discussion I led to make sure everyone understands this.

Cybercrime incidents in our countries leading to loss of money, loss of data, hacking of systems and so on have been occurring frequently, leaving a major impact on government and private institutions in many parts of the world.

It is the duty of every institution and company to know that it has the responsibility to protect itself against cybercrime, and the only way to get there is to have a dedicated unit whose sole responsibility is cyber defence, through which the unit can ensure that cyber security is in place.

In addition, there were many other discussions, all aimed at ensuring that we recognise the right way to deal with the many challenges arising from the extensive use of ICT systems that simplify work in various institutions and companies.


IN BRIEF: Morocco will host this year’s CyFy Africa, where experts and practitioners from around the globe are expected to discuss the future that technology holds for the continent. CyFy Africa comes at a time when the world’s attention is centered on Africa’s rise towards becoming the next digital superpower.

Cyber Security and Global Stability; Data Security; Securing the Future of Africa’s Mobile Market; and A Normative Framework for African Cyberspace: Lessons from the AU Convention on Cybersecurity and Personal Data Protection (AUCC) are among the key agenda items to be discussed at this year’s event.

Other agenda items are Human Rights in the Digital Age; The Future of Entertainment; Online Youth Investment: Successes, Opportunities and Challenges; and Internet Capacity Building for Development.

I expect to join other cybersecurity experts and practitioners in addressing delegates during the CyFy Africa 2018 event.

NEWS UPDATES: The JUTA Cyber Crime and Cyber Security Bill Pocket Book will be launched during the Lex-Informatica Annual SA Cyber Law & ICT Conference 2018 in Johannesburg, South Africa. The theme of the event is “Cyber Law in ICT Review”.

I’ll be joining other experts to discuss and enlighten delegates on key issues people are facing around the world, through topics like Cyber Crime, Cyber Security, Digital Forensics, Data Breach, Data Protection, Social Media Law, and POPIA, to mention a few.

In a few short years, African nations have already made the leap from responsive adaptation of imported technology to pioneering innovation across a host of digital service sectors such as finance, agriculture, education, and health.

The ascent of the ‘Silicon Savannah’ is evident from the emergence of hundreds of innovation hubs, technology related enterprises, and the heavy infusion of venture capital across the continent.

As the experience with the African Union Convention on Cybersecurity and Personal Data Protection shows, the African Union (AU) allows the continent to put forward an African proposition on the digital space. Additionally, the continent has made great strides towards digital integration with the advent of the One Area Network initiative. The massive rollout of fibre-optic cables across the length and breadth of the region has catalysed the emergence of scores of young tech entrepreneurs who are eager to reap digital dividends.

Indeed, it is only a matter of time before the world’s most important innovations flow out of Africa. The event is structured around the broad themes of connectivity, digital inclusion, security, innovation and trade.


IN BRIEF: TaskRabbit has fallen victim to a cyber attack, IKEA has confirmed. This continues the series of applications and other online services being broken into by cyber criminals, with people’s data ending up in unsafe hands.

TaskRabbit, founded in 2008 by Ms. Leah Busque with the aim of providing informal jobs to people, was bought by IKEA in 2017. It has continued to operate independently within the group of companies owned by IKEA.

The app has been used mostly by UK citizens, and by people elsewhere, to find informal work such as housework, gardening and the like, and the app and the online services associated with it have been collecting data on both the job seekers and those looking for someone to do those jobs.

Discussion among cyber security practitioners indicates that a great deal of customers’ personal data had been collected and has now fallen into the hands of cyber criminals. The app and the website were taken offline temporarily following the incident.

The UK Information Commissioner has acknowledged being aware of the incident and said it is following it closely. Meanwhile, TaskRabbit has so far declined to explain the actual details of the incident, while the breach is estimated to have had a significant impact and may have gone on for some time.

The company said it is conducting a thorough investigation following the incident, has asked its customers to change their passwords, and has promised to provide more information on the full impact once the investigation is complete, while assuring customers who were unable to do their work because of the disruption that led to the temporary shutdown of the service that they will be compensated.


APP OWNERS: There has been strong emphasis on those providing online services, including apps, being required to ensure they are prepared to protect their customers’ data before they begin offering services.

Moreover, given the large wave of cyber criminals inserting malicious code into apps without the owners’ knowledge, we have issued new guidance to ensure owners protect their customers and users, and should cyber criminals cause harm, it is the owner who will be held responsible.

Recall the Uber incident, in which the popular ride-hailing app found itself in trouble after an opening allowed cyber criminals to introduce malicious code, leading to millions of user records falling into the hands of cyber criminals.

APP USERS: First of all, every user of any app must recognise that they have a responsibility to understand how their privacy is protected by that app.

There are various steps we have taken to ensure people’s personal data is kept safe, but it is also the user’s responsibility to follow the guidance we give.

- Before downloading and installing an app on your phone, is there a need for it? Is it really necessary for you to have it?
- Do you know the app you are using well? In particular, what does it take from you before providing the service?
- Do you grant the app permission to only the few pieces of data it needs, or do you give it far more data, endangering your privacy?
- Do you use strong passwords and change them regularly to protect yourself?

Despite the major efforts we have continued to make, the biggest challenge has been users’ low awareness of how to protect themselves, which leads to incidents where people’s privacy is put at risk as cybercrime continues to grow in many parts of the world.

M-Trends 2018

What have incident responders observed and learned from cyber attacks in 2017? Just as in prior years, we have continued to see the cyber security threat landscape evolve. Over the past twelve months we have observed a number of new trends and changes to attacks, but we have also seen how certain trends and predictions from the past have been confirmed or even reconfirmed.

Our 9th edition of M-Trends draws upon the findings of one year of incident response investigations across the globe. This data provides us with insights into the evolution of nation-state sponsored threat actors, new threat groups, and new trends and attacker techniques we have observed during our investigations. We also compare this data to past observations from prior M-Trends reports and continue our tradition of reporting on key metrics and their development over time.

Some of the topics we cover in the 2018 M-Trends report include:

  • How the global median time from compromise to internal discovery has dropped from 80 days in 2016 to 57.5 days in 2017.
  • The increase of attacks originating from threat actors sponsored by Iran.
  • Metrics about attacks that have retargeted or even recompromised prior victim organizations, a topic we previously discussed in our 2013 edition of M-Trends.
  • The widening cyber security skills gap and the rising demand for skilled personnel capable of meeting the challenges posed by today’s more sophisticated threat actors.
  • Frequently observed areas of weaknesses in security programs and their relation to security incidents.
  • Observations and lessons we have learned from our red teaming exercises about the effectiveness and gaps of common security controls.

By sharing this report with the security community, we continue our tradition of providing security professionals with insights and knowledge gained from recent breaches. We hope that you find this report useful in your work to strengthen your security posture and defend against the ever evolving threats.

Will the U.S. Adopt Similar GDPR Privacy Concerns?

The U.S. Federal Trade Commission (FTC) is currently investigating whether personal data from Facebook, Inc. was used by an analytics firm associated with the Trump campaign.  Specifically, the FTC is trying to determine whether the company violated the terms of an earlier consent decree when 50 million users’ data was transferred to Cambridge Analytica, a data and media consultancy firm.  To date, Cambridge Analytica has been accused of misrepresenting the purpose of some of its data mining, which yielded something like 30 million Facebook profiles it could comb for data.  This calls into question how consumer information is shared with other entities, particularly when consent was not provided.


Social Media & GDPR


This revelation has called into question how social media sites harvest personal information from their platforms.  As one article pointed out, “Some large-scale data harvesting and social manipulation is okay until the election. Some of it becomes not okay in retrospect.”  This is indeed troubling at a time when personal information is constantly used by malicious actors for monetization or in support of other operations (e.g., social engineering, spam, phishing, credential theft).  A recent report by a content marketing agency revealed that Facebook logins can be sold for USD $5.20.  Such access gives a criminal a compromised individual’s contact list with which to target other individuals.  According to the same report, an individual’s entire online identity, including personally identifiable information and financial accounts, could be sold for USD $1,200.00.  After initially denying the claim, Facebook acknowledged the breach and promised to take action.


It should be noted that this is not the first time a political campaign has leveraged social media data to understand the electorate.  According to one source, in 2012 the Obama campaign encouraged supporters to download an Obama 2012 Facebook app that, when activated, let the campaign collect Facebook data on both users and their friends.  What’s more, per the article, the campaign could deliver carefully targeted campaign messages disguised as messages from friends to millions of Facebook users.  While there is a difference in how the apps were presented (the users who downloaded the Cambridge Analytica app were told the information would be used for academic purposes), the intent and purpose were the same.


The aftermath of this discovery raises the question of whether the United States should adopt protection and privacy rights similar to those afforded to European citizens under the General Data Protection Regulation (GDPR).  Under the new law, set to take effect in May 2018, citizens are given significant control over how organizations use, process, and store their information.  Additionally, the GDPR gives individuals the right “to be forgotten”, a measure by which any individual can request that an organization delete or remove their data from its systems, with exceptions in specific cases such as healthcare information.  The GDPR forces organizations to comply or else not do business, an approach that puts consumers above the organizations they patronize.


GDPR Compliance in the US


The United States needs to enforce similar mandates as well.  For too long, individuals’ information and data have been shared with or sold to other entities seeking to target them with advertisements, physical and digital junk mail, and unsolicited phone calls.  Such information in the wrong hands serves criminals, as well as unsavory companies willing to sell their services to the highest bidder.  This practice must stop in order to curb the data breaches that continue to expose millions of records and needlessly expose people to the types of influence and persuasion that have been observed in our election system.


All U.S. organizations, especially the multitude of social media platforms used by the global community, need to protect the data of their consumers or risk suffering severe economic repercussions.  The mandatory implementation of security standards (e.g., those developed by the National Institute of Standards and Technology), supervised by a government body like the FTC, needs to be in place to ensure that the procedures exist, along with the appropriate consequences, to hold these parties responsible for failure to comply.  We can’t expect organizations, no matter how much they say otherwise, to do the right thing.  They must be shown what that is and how to do it, and ultimately be held accountable to the fullest extent of the law.


This is a guest post written by Emilio Iasiello

The post Will the U.S. Adopt Similar GDPR Privacy Concerns? appeared first on