Is the Sky Falling? Ten Security Wishes for the Holidays


Posted by Jon Heimerl on Tue, Dec 13, 2011 @ 08:51 AM

What are the 10 Things that Should be at the Top of Everyone’s Wish List for the Holidays?

Overall, it has been a rough year for information security. We ended 2010 with WikiLeaks, and that carried into 2011 with the disclosure to WikiLeaks of classified government material and of confidential, internal-use-only corporate information. This current of dissatisfaction with the system calmed through much of the summer, only to resurface in the form of the anti-establishment “Occupy” movement later in the year. While the Occupy movement is not itself a cyber-security worry, it does highlight that people are considerably dissatisfied with the status quo and are looking for change, and unmoderated change is usually not good for the efficiency or the security posture of any organization.

We’ve heard more about Stuxnet and seen new malware – I picked off a copy of a Trojan dropper just last night while reading security news stories (an executable stored in Explorer temp files – cool). We’ve seen Apple systems exposed to attack. We’ve seen corrupt applets running on Android, though I’m not quite ready to say I have seen Android hacks or viruses in the wild. I have seen rampant loss of control over the permissions requested by Android widgets on install (Google Maps, you really need access to my private phone information, read and write access to my contact information, along with the ability to make phone calls and record audio? Really? Update fail.) We’ve seen zero-day vulnerabilities in widely used applications and services. We have seen literally millions of healthcare records breached. We have seen huge companies breached, resulting in days and weeks of outages and probably billions of dollars spent on recovery and rebuild. We found that an unauthorized user can access sensitive functions on an iPhone by using Siri. Should we be surprised that web-enabled printers can be attacked remotely? We have had drone hacks, ATM scammers, phone hacking and nude photos galore (so to speak). And that is just the tip of the iceberg. Sometimes it seems like the sky is falling.
Sometimes.

A friend of mine asked me a couple of weeks ago, “So, with all these things going on, how do you do everything that you need to be safe?” That is a hard question. Everything?
A complete list of everything an organization should do to make itself safe would literally fill books. So, instead, if you want to take the right steps toward being secure, and being compliant where appropriate, what are the 10 things that should be at the top of everyone’s wish list for the holidays?


1. I wish for a complete BIA (Business Impact Analysis). You have to know what you have before you know how to protect it. I won’t dwell on this other than to say that if you can answer these four questions, you are already working on your BIA:
a. What is your most critical data?
b. What systems, databases, and applications support that data?
c. What regulatory requirements are you required to
d. What would the impact on your organization be if that data, or the systems supporting it, were lost or compromised (and released to the public)?

Read the rest of my Security Week article here.
