
Friday, February 28, 2014

Dyman & Associates Risk Management Projects: What are you willing to pay?

Winter weather has taken its toll on both sides of the US-Canadian border.  One sector that has taken it in the chops from all the ice and snow is the electric utilities that provide service to businesses and individuals.  This isn't the first time severe weather has caused electrical outages; power outages have become routine when severe weather hits.  The question is, "How much mitigation do you want to invest in to reduce the impact of outages?"

The above is the theme of a Toronto Globe editorial, "The ice storm: Why you want the lights to go out, sometimes."  In the piece they call attention to the fact that you can't mitigate every risk; the cost of doing so would be too high.  Hence the focus on risk management:

"What is risk? It is the odds of suffering a loss in the future. It is a cost. And what about the reduction or elimination of that risk? Also a cost. In deciding whether to pay the price, utilities – and all of us – end up having to weigh three factors: the size of the possible damage, the likelihood of its occurrence, and the price of mitigation."

Risk management will become a greater part of the discussion as we move forward and the warming climate starts to affect our communities in varying ways.  This will be a good discussion for communities to have.  One way to reduce risk is to disperse it across the entire community (the "whole community" approach).  If individuals are better prepared, then the costs borne by organizations can be lessened, and the cost of preparedness for any single entity is reduced.

Thursday, February 27, 2014

Dyman & Associates Risk Management Projects: Key to Successful Volunteer Program

The Federal Government’s plans to expand the work-for-the-dole scheme promise plenty of debate about volunteer rights and responsibilities. It’s timely to remember that investing in volunteers is not just about funding, but best practice, writes Ansvar Acting CEO Deirdre Blythe.

There’s no doubt volunteering can be a wonderful win-win – a hugely productive workforce for organizations, and for the individual the opportunity to contribute, socialize, and gain valuable skills. But in Australia today, organizations that engage volunteers can’t afford to be casual.

Whatever the shape of the final work-for-the-dole program, I hope that we see an acknowledgement from all players that investing in risk management is critical to the success of any volunteer management program.

Risk management not only reduces potential liabilities and reputational harm, it also demonstrates the desire to create a safe environment and protect the wellbeing of volunteers, staff and service recipients.

Most people see goodwill and a gift of ‘free’ labor as central to volunteering, but engaging a volunteer is not always cost-free. Harmonized workplace health and safety laws introduced around the country show no distinction between volunteers and paid staff.

Both are now categorized as ‘workers’ and equal protection is required both within Australia and overseas, and anywhere that can be deemed a ‘workplace’ within the definitions of the Act.

We recently settled the claim of a retired electrician who fell from a ladder while sanding the wall of a building at a community working bee. The case was a graphic example of the importance of appropriate supervision of volunteers, even in what is otherwise a social setting. It also demonstrated the importance of matching the skills of volunteers to the tasks to be performed.

It’s recommended that all tasks that pose hazards be carried out by trained staff or contracted professionals.

Even when volunteers are undertaking ‘non-hazardous’ tasks, we actively encourage the volunteer organizations we work with to protect themselves, their volunteers and the public by ensuring they provide:
  • Procedures, protocols and adequate job descriptions to enable a safe working environment. This includes detail about how the volunteer organization handles emergencies, grievances/harassment, personal information and privacy, health and safety.
  • Recruiting, interviewing and screening that are well managed, including reference and background checks.
  • Adequate Orientation. Familiarizing volunteers with the running of the organization, introducing them to managers and supervisors, providing an overview of risk management policies and procedures designed to prevent accident and injury and an up to date, relevant job description.
  • Training to give direction and skills to carry out assigned tasks. Training could be formal or informal, one-on-one or group sessions. Providing reference tools and guides is an important part of the training process. Volunteers should sign off on all training received.
  • Appreciation and recognition to help volunteer retention. Exit interviews help gain insights into the volunteer experience. All of this valuable knowledge may also help improve business practices, and save time and money over the long term.
Australia already has a proud community of over six million volunteers and growing. With the prospect of a new pool of people coming on board, it’s timely for everyone involved to remind ourselves that successful volunteer placements are the result of a little bit of luck and a lot of good management.

An informed, thoughtful, systematic risk management plan is fundamental to achieving the volunteer success stories we all love to applaud and celebrate.


Wednesday, February 26, 2014

Dyman & Associates Risk Management Projects on Most Innovative Product of 2014

Company Also Honored as Finalist in Hottest Company in Risk Management Category

SUNNYVALE, CALIF. — Agiliance®, Inc., the Big Data Risk Company™ and leading independent provider of integrated solutions for Operational and Security Risk programs, today announced that Cyber Defense Magazine (CDM) has named RiskVision™ Most Innovative Risk Management Product in its 2014 Most Innovative InfoSec Awards competition. The company was also named a Finalist in the Hottest Company in Risk Management category. CDM is the industry-leading electronic information security magazine and a media partner of the RSA Conference 2014.

“CDM’s recognition of RiskVision as the most innovative risk management product of the year and Agiliance as one of the hottest firms in the field further validates our innovative use of big data for operational and security risk management,” said Torsten George, vice president of worldwide marketing and products at Agiliance. “Since its inception, Agiliance has pioneered and brought to market advancements in technology that help customers simplify compliance complexities and hone their risk management practices, while cutting costs, optimizing business performance, and improving productivity.”

RiskVision can be leveraged for both Operational Risk Management and Security Risk Management, providing organizations an integrated view of risk by harmonizing multiple frameworks to marry top-down risk modeling for regulatory audit compliance with bottom-up controls automation for closed-loop threat, vulnerability, and incident remediation. In this context, RiskVision aggregates critical intelligence about risk and compliance postures with current, new, and emerging threat information to calculate impacts on business operations and prioritize remediation actions.

By leveraging Agiliance’s integrated solutions for Operational and Security programs, organizations can significantly reduce the time it takes to produce risk profiles; shorten the policy control process; involve all the subject matter experts via a centralized, standardized collaboration system; achieve tremendous overhead savings by automating risk assessment efforts; and increase credibility with management, regulators, and board of directors.

“We’re thrilled to recognize next-generation innovation in the information security marketplace and that’s why Agiliance has earned this award from Cyber Defense Magazine. Some of the best INFOSEC defenses come from these kinds of forward thinking players who think outside of the box,” said Pierluigi Paganini, editor-in-chief of Cyber Defense Magazine.

About Cyber Defense Magazine

Cyber Defense Magazine is the premier source of IT Security information. The magazine is managed and published by and for ethical, honest, passionate information security professionals. Its mission is to share cutting edge knowledge, real world stories, and awards on the best ideas, products, and services in the information technology industry. CDM delivers electronic magazines every month online for free and limited print editions exclusively for the RSA Conferences and paid subscribers.

About Agiliance

Agiliance, the Big Data Risk Company, is the leading independent provider of integrated solutions for Operational and Security Risk programs. Agiliance is automating how Global 2000 companies and government agencies continuously monitor big data for risks across financial, operations, and IT domains to increase operational efficiency and orchestrate incident, threat, and vulnerability actions in real time. RiskVision customers demonstrate automation use cases within 30 days on-demand, and within 60 days on-premise, made possible by a configurable platform and applications, broad library of technology integrations, and vast domain and regulatory content. RiskVision scales with businesses, effectively managing assets, data, people, and processes to achieve 100 percent risk and compliance coverage. Its real-time risk analysis leads to optimized business performance and better investment decisions. For more information, please visit

Dyman & Associates Projects: Risk Management

This site Dyman & Associates Projects provides guidance and tools to help businesses understand what they need to do to assess and control risks in the workplace and comply with health and safety law. Although written with small businesses in mind, the site is relevant to all businesses.

Five steps to risk assessment
This is not the only way to do a risk assessment; there are other methods that work well, particularly for more complex risks and circumstances. However, we believe this method is the most straightforward for most organizations.

How to assess the risks in your workplace?

Follow the five steps in our leaflet:

Don’t over complicate the process. In many organizations, the risks are well known and the necessary control measures are easy to apply. You probably already know whether, for example, you have employees who move heavy loads and so could harm their backs, or where people are most likely to slip or trip. If so, check that you have taken reasonable precautions to avoid injury.

If you run a small organization and you are confident you understand what’s involved, you can do the assessment yourself. You don’t have to be a health and safety expert.

If you already have a health and safety policy, you may choose to simply complete the risk assessment part of the template. We also have a number of example risk assessments to show you what a risk assessment might look like. Choose the example closest to your own business and use it as a guide for completing the template, adapting it to meet the needs of your own business.

If you work in a larger organization, you could ask a health and safety adviser to help you. If you are not confident, get help from someone who is competent. In all cases, you should make sure that you involve your staff or their representatives in the process. They will have useful information about how the work is done that will make your assessment of the risk more thorough and effective. But remember, you are responsible for seeing that the assessment is carried out properly.

When thinking about your risk assessment, remember:

§  a hazard is anything that may cause harm, such as chemicals, electricity, working from ladders, an open drawer, etc.; and
§  the risk is the chance, high or low, that somebody could be harmed by these and other hazards, together with an indication of how serious the harm could be.

Dyman & Associates Risk Management Projects: How can you improve your internal controls?

A quick search of the internet will pull up tons of material on risk management and internal controls to help you improve your business. All organizations, be they private sector, not-for-profit or public sector bodies, have to adhere to whichever set of governance codes they fall under. One example is the UK Corporate Governance Code, published by the Financial Reporting Council for listed companies, which must either comply or explain why not. The Sept 2012 version includes provision C.2.1, which states:

‘The board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls.’

So, we have the codes and we have a good take-up, which means everything should be fine. But if you want to improve your risk management and internal controls, you will want to find out if your workforce needs any more training in this topic. I recently carried out a very informal experiment to see if I could spot any obvious room for improvement in the way business risk is being managed. One rainy winter evening, I scanned the Times Newspaper (16th January 2014) and extracted the following snippets of information:

§  Front page: Hundreds of teachers accused of sex crimes.

§  Police crime figures have been stripped of the official quality assurance mark by the statistics office after recent claims they were fiddled.

§  US investigators interviewed staff at Citigroup in London as they stepped up an inquiry into alleged manipulation of foreign exchange markets.

§  News page 15: Staff at a care home tied a grandmother to a chair to stop her wandering, according to a report that said more than a quarter of families had claimed that relatives had suffered poor treatment in care homes or by carers in their own homes.

§  Page 18: The official regime of four-yearly inspections is failing to ensure the welfare of animals in Britain’s 300 zoos and animal parks, a study has found.

§  Page 21: Liberal democrat women reacted furiously last night after the party announced that it would be taking no further action against a peer accused of sexual harassment.

§  Page 23: In a ruling late on Friday night, which has received relatively little attention here, the appeals court in New Orleans ruled that the settlement reached by BP in 2012, hours before the trial over the disaster was due to start at the New Orleans district court, should stand – even if it meant that people and businesses who have suffered no loss due to the oil spill will benefit.

§  Page 28: Solid gold bathroom fittings, a fraudulent mausoleum and a vast subterranean cache of booze have brought down one of China’s most powerful generals and caused the People’s Liberation Army’s worst corruption scandal for years.

§  Page 30: Washington. The US military has suspended 34 officers in charge of launching nuclear missiles for cheating at a proficiency test.

§  Business page 36: On credit rating agencies. ‘The world has changed dramatically since the collapse of the US sub-prime market in 2008, which triggered the credit crunch. Jose Pocas Esteves, the ARC chief executive, said, ‘ARC and its five founding partners believe that the old methods and approaches are no longer sufficient for the post-Lehman financial sector landscape.’

§  Page 39: it has long been suspected that too many fund managers make too much from clients for doing too little. Now this theory is to be tested rigorously.

§  Law page 53: The RSPCA is one of the most popular charities in the UK… yet a key part of its activities (prosecutions) has seen its image tarnished. A series of cases has led to criticism that it is over zealous and politically or financially motivated….The charity has now announced a review of its prosecution work…

§  Sport page 58: Bernie Ecclestone, the Formula One chief executive, is expected to face formal charges over secret payments to a German banker, it was reported last night.

The problem is that risk is something that just won’t go away and no one is exempt. My sample is a quick look at one newspaper on one particular day. Regulators act as referees and to slightly misquote the late, great football manager, Bill Shankly:

‘The problem with referees is that they know all the rules but don’t always understand the game.’

We really need to get real, since many employees ‘game’ their targets, their results and most of what they do at work to suit themselves. I can’t think of many people who put the needs of their employer above their own personal interests. This means your improvements to risk management and internal control have to be set within the culture at work to make any real sense. One way forward is to re-write the Corporate Governance Code to move away from an annual, accountant-centric event that means very little to most people, to a more straightforward version. My suggested re-write of the code would be:

‘The board should establish a control strategy that is resilient in responding to the changing risk landscape and which ensures all employees retain key risks to acceptable levels through the design, implementation and review of sound controls. The control strategy should guard against fraud, waste, reckless behavior, excessive caution, short-termism and suboptimal results; and be subject to on-going review and disclosed to shareholders on an annual basis.’

In this way we would hope to see four things firmly in place in all organizations:
1)      A board that takes responsibility for the risk culture in their organization.

2)      Management and teams who understand their key risks and the difference between acceptable and unacceptable behavior.

3)      A suitable range of controls that help guard against fraud, waste, reckless behavior, excessive caution, short-termism and suboptimal results.

4)      A transparent review process that ensures the above is happening.

If these four things are happening the hope is that there will be fewer headlines that undermine all kinds of organizations, and which ultimately damage the reputation of global economies. I asked whether there is a need to train employees to improve the way they manage risk and sharpen their business controls. I feel the answer is; ‘yes there is’ – which is why Business Controls Training will continue to develop a range of standalone e-learning courses for

Sunday, February 23, 2014

Apps on Google Play Can Secretly Subscribe Users to Premium SMS Services

Traditional advice is to use the official app stores to avoid mobile malware – but a Spanish security firm has discovered four apps available via Google Play that scam their users into covertly subscribing to premium SMS services and stealing money through their phone bills.

Luis Corrons, technical director of Panda Security's PandaLabs research arm, blogged about the discovery yesterday. His team had found four particular apps (on dieting, baking, exercise and hairstyling) that all use a similar process to scam their users. The basic methodology is to trick the user into accepting terms and conditions well beyond those expected.

Using the diet app as an example, Corrons shows that users are presented with an invitation to view one of the diets. Clicking 'Enter' pops up a small window that asks the user to accept the app's terms of service – but those terms are separated from the pop-up, greyed out, and in tiny, unreadable text. They actually grant the app permission to subscribe the device to an external service.

Of course, it's not as simple as that. Firstly, the app 'steals' the user's phone number from WhatsApp (a popular app that requires the user's number and is statistically quite likely to be installed). It then covertly subscribes the user to a premium SMS service, waits for the confirmatory request from the service, intercepts it and responds in the affirmative – all without any notification to the user. The user eventually gets presented with a bill 'hidden' in the mobile phone charge for a service he didn't know he was using.

This type of scam is a growing problem. "I know that lots of people only ever give their bill a cursory glance or don’t even bother looking if it stays under a certain amount. I manage all the bills in our house after I discovered my missus had been paying insurance and tech support on a phone she hadn’t used for 5 years," a PandaLabs spokesperson told Infosecurity.

"Whether the cyber criminals choose to use the app as often as possible to rack up their income knowing they will get caught quickly, or the under-the-radar method [small amounts from a lot of victims] where they will try to go unnoticed, depends on the criminal’s choice," Corrons told Infosecurity.

He did some quick arithmetic on a projected volume of anything up to 1.2 million downloads of the four apps. "They charge a lot of money for premium SMS services, if we make a conservative estimate of $20 charged by terminal, we are talking of a huge scam that could be somewhere between 6 and 24 million dollars!" And this, of course, is just for the four apps that he found.

These particular apps were found in the Spanish Google Play. They contravene Google's new terms and conditions for Play, which insist on a single purpose and clear terms. How Google intends to enforce those terms remains to be seen; but Corrons confirmed to Infosecurity that these four have now been removed from Play.
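The subscribe-and-intercept flow described above requires an app that can both send SMS and see incoming SMS before the user does. As an added defender-side illustration (not code from the PandaLabs post or from this blog), the check below parses an Android manifest and flags that combination: SEND_SMS plus RECEIVE_SMS together with a high-priority receiver for the SMS_RECEIVED broadcast. The two manifests are constructed samples; the package names and receiver class are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
READ_SMS = "android.permission.READ_SMS"
SMS_PERMS = {SEND_SMS, RECEIVE_SMS, READ_SMS}

# Constructed sample: an unrelated "diet" app that declares the permission set the
# premium-SMS subscription trick needs. Not a real application.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dietapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Diet">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign sample for contrast: network access only, no SMS involvement.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recipes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Recipes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace (ElementTree keys them as {ns}name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text, high_priority=1000):
    """Return the SMS-related facts in a manifest plus a verdict.

    The verdict is 'suspicious' when the app can both send and receive SMS *and*
    registers an SMS_RECEIVED receiver whose priority is at or above `high_priority`.
    A high priority lets the receiver see an incoming confirmation message ahead of
    the default messaging app (and, before Android 4.4, even abort the broadcast so
    the user never saw it).
    """
    root = ET.fromstring(xml_text)
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}
    sms_perms = perms & SMS_PERMS

    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            actions = {android_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                prio = android_attr(flt, "priority")
                sms_receivers.append((android_attr(recv, "name"), int(prio) if prio else 0))

    findings = []
    if SEND_SMS in sms_perms and RECEIVE_SMS in sms_perms:
        findings.append("declares both SEND_SMS and RECEIVE_SMS")
    for name, prio in sms_receivers:
        if prio >= high_priority:
            findings.append(
                "receiver %s handles SMS_RECEIVED at priority %d" % (name, prio))

    send_and_receive = SEND_SMS in sms_perms and RECEIVE_SMS in sms_perms
    eager_receiver = any(prio >= high_priority for _, prio in sms_receivers)
    return {
        "sms_permissions": sorted(sms_perms),
        "sms_receivers": sms_receivers,
        "findings": findings,
        "suspicious": send_and_receive and eager_receiver,
    }


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = analyze_manifest(manifest)
        print(label, "->", "SUSPICIOUS" if report["suspicious"] else "ok", report["findings"])
```

The heuristic only surfaces candidates for review: a legitimate messaging app also needs these permissions, so the finding has to be weighed against what the app claims to do, which is exactly the mismatch (a diet app handling SMS) that gave these four away.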

Thursday, February 20, 2014

Dyman & Associates Risk Management Projects: Feds Launch Cyber Security Guidelines For US Infrastructure Providers

The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. Critics say these voluntary guidelines enshrine the status quo.

The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. It's a catalog of industry best-practices and standards that creates a voluntary template for companies to use in developing better security programs.

The Framework for Improving Critical Infrastructure Cybersecurity "enables organizations -- regardless of size, degree of cybersecurity risk, or cybersecurity sophistication -- to apply the principles and best-practices of risk management to improving the security and resilience of critical infrastructure," the White House said in a statement.

Although the document was hailed by administration officials as a "major turning point" in cybersecurity, it contains little that is revolutionary or even new. The National Institute of Standards and Technology, working with the Homeland Security Department and industry stakeholders, has compiled a set of known, publicly vetted standards that can be applied to identify, protect from, detect, respond to, and recover from risks.

The framework is technology-neutral and does not specify tools or applications to be used. Choices of technology are left to the user in addressing each category of risk management.

The framework is built on three basic components:

-         Core. A set of common activities that should be used in all programs, providing a high-level view of risk management.
-         Profiles. These help each organization align cybersecurity activities with its own business requirements, and to evaluate current risk management activities and prioritize improvements.
-         Tiers. Tiers allow users to evaluate cybersecurity implementations and manage risk. Four tiers describe the rigor of risk management and how closely it is aligned with business requirements.

The framework is one leg of a three-pronged program set out in a presidential executive order on protecting privately-owned critical infrastructure, issued one year ago in response to Congress's failure to pass cybersecurity legislation. The second leg involves information sharing among companies and between the public and private sectors. The third leg attempts to address the protection of privacy and civil liberties. 

Privacy was a difficult area for stakeholders to come to a consensus on during the five public workshops and multiple iterations of the document. Some protections are incorporated in instructions for using the framework, but privacy was identified as an area that needs to be better addressed in future versions.

Although it would be difficult today for any attack to cause widespread, long-lasting damage to the nation's critical infrastructures, cyberattacks are becoming more effective. Demonstrated weaknesses in the IT systems that control and support the energy, transportation, financial services industries, and others leave them vulnerable to these attacks.

President Obama calls the latest cyber security framework "a turning point."
(Source: White House)
Although the framework is voluntary and will depend primarily on "enlightened self-interest" to drive its use, it is not entirely without teeth. Regulatory agencies are working to harmonize existing regulations with the document, and government procurement requirements are likely to include conformance to the framework for contractors and suppliers.

But one White House official said during a briefing, "The goal is not to expand regulation."

Other incentives for adoption are expected to include public recognition, cyber insurance and cost recovery programs, all of which can be implemented without legislation. Administration officials said they will ask Congress for additional authority as needed, for protections such as limitations on liability for companies adopting the framework. But given the slow pace of legislation in the current Congress the administration's goal is to convince companies operating critical infrastructure that using the framework would be a good business decision.

Drafters said the framework creates a shared vocabulary for discussing and describing cybersecurity that can be used by a broad range of companies in different industries to create and evaluate risk-management programs. Gaps in programs can be identified and plans tailored to meet the specific needs for each user.

Focus on resilience

In an effort to support adoption of the framework by the private sector, the Department of Homeland Security is also launching a voluntary Critical Infrastructure Cyber Community program. According to DHS Secretary Jeh Johnson, the program will provide a "single point of access" to the department's cybersecurity experts for anyone needing help or advice.

Although the program is just getting underway, one of its services, the Cyber Resilience Review, has already been widely used by industry. The review lets organizations assess their current programs and determine how well they are aligned with the practices and standards of the framework. More than 300 of the reviews have been carried out.

President Obama, in a prepared statement, called the framework a turning point, but added, "It's clear that much more work needs to be done," a sentiment shared by the document's supporters and detractors alike.

Bob Dix, VP of global government affairs and public policy for Juniper Networks, called it "a laudable first step," but said "there is more that government and industry must do together to address basic cyber hygiene as well as the most sophisticated and persistent threats to critical infrastructure."

Because the framework is based on existing practices and standards, it has been criticized as enshrining the status quo rather than advancing cybersecurity. NIST officials said it is a living document that will be regularly updated.

A preliminary draft of the framework laid out areas for improvement to be addressed in future versions. These include authentication, automated information sharing, assessing compliance with standards, workforce development, big data analytics, international impacts, privacy standards, and supply chain management.


Wednesday, February 19, 2014

Dyman & Associates Risk Management Projects: Cybersecurity Expert Offers Tips To Consumers

Hackers have become very sophisticated over the past few years. The recent attack on Target was not only enormous, it was also rather unusual, because the hackers attacked the company through its point-of-sale equipment and not online.

Dr. Vijay Anand, assistant professor in the department of Engineering and Technology at Southeast Missouri State University, gave some advice on how consumers can protect themselves against cybercrime. He urges consumers to be more proactive about cybersecurity, even though it is always difficult to predict where an attack will occur.

“It is always a good idea to check back on your account in a timely manner. That’s the only recourse consumers have at this point, it’s to regularly check on their account,” Anand said.

As far as credit or debit cards are concerned, consumers should prefer banks that offer cards with a chip in them, instead of only the usual magnetic stripe. The chip contains a microprocessor with more security features and guarantees more secure transactions. It is better than the magnetic stripe, according to Anand, because the active chip can prevent certain kinds of attacks.

Regarding the issue of identity theft, Anand suggests people do much the same as for bank account attacks.

“The only recourse that you have against identity theft is to check and monitor your credit report,” Anand said.

Individuals can also be more careful by not throwing away mail containing sensitive personal information; potentially sensitive mail should be shredded. Some attackers practise dumpster diving, which consists of going through somebody’s trash in search of useful information about that person. Anand also reminds consumers that they should never answer an email asking them to give away private information such as a social security number. If a bank or other entity needs it, it will not ask for it through email. Such emails are called phishing attacks and are incredibly common.

Concerning internet browsers, Anand said he would prefer Firefox and Google Chrome over other browsers, as he considers those two more secure. But there are other ways to be careful when doing a transaction. He explained that people should make sure the web link begins with the “https” prefix instead of the usual “http.”

“If it is https then it is a secure transaction, there is some authentication going on, so that is a secure connection that you have with a server. But if you have a basic http connection, it’s not secure.”

Anand insisted on this point, making clear that this small difference can make a huge difference to the security of the transaction.

“If the https sign is not there I would never put my username and password into that account because I have no idea whether it is a secure site or a non secure site,” Anand added.

It is difficult for small businesses to protect themselves because cybersecurity is expensive. What they can do, Anand advised, is to use platforms such as Google Pay or PayPal because they are trustworthy sites with a huge security capacity. To him, it’s definitely a better solution than any home built solution.

Hackers don’t really go after private individuals one at a time. It would take too long.

“What they typically do is that they will go and attack the database of a large corporation, which has information about millions of people, so that value is much higher,” Anand said.

So even if the primary targets are still big corporations, one can never be too careful, and following some of these tips helps keep online transactions safe.

Tuesday, February 18, 2014

Dyman & Associates Risk Management Projects: Why Businesses Can’t Ignore US Cybersecurity Framework

Industry leaders and President Obama call the framework just a first step in creating a cybersecurity playbook for 16 US critical infrastructure sectors. But this is more than just a reference manual.

The Obama administration's new voluntary Cybersecurity Framework for critical infrastructure providers, announced Feb. 12, won't please everyone. But it does bring together for the first time a useful set of federally endorsed practices for private sector security. It also represents a welcome reprieve from the frosty government-industry relationship on matters of cybersecurity preparedness.

Industry leaders as well as President Obama were quick to acknowledge that the framework is just a first step in creating a cybersecurity playbook for the nation's 16 critical infrastructure sectors, including financial services, communications, and energy providers. It establishes an important precedent not only by defining common security standards, but also by offering carrots to the private sector rather than wielding a regulatory stick. The framework also serves notice to a gridlocked Congress that the White House can give traction to issues of national importance.

First, the framework has cred, as its recommendations come not from Washington regulators but from industry experts who have combated cyberattacks. In pulling together the framework, the National Institute of Standards and Technology went to great lengths to collect, distill, and incorporate feedback from security professionals. More than 3,000 individuals and organizations contributed to the framework.


Second, the cybersecurity framework doesn't tell companies what to do or what tools to buy. But it does standardize the questions all CEOs should ask about their companies' security practices as well as those of their suppliers, partners, and customers. And it shows them what the answers ought to look like. The economic pain hackers caused to Target and its CEO, Gregg W. Steinhafel, may be incentive enough for other CEOs to adopt NIST's recommendations.

A third and even more powerful factor is the likelihood that even without legislation, the framework will become the de facto standard for private sector cybersecurity in the eyes of US lawyers and regulators. That's the view of Gerald Ferguson, who specializes in intellectual property and technology issues for law firm BakerHostetler, as expressed in a recent opinion column he wrote for InformationWeek.

Illustration of core functions and activities to support cybersecurity from NIST Framework for Improving Critical Infrastructure Cybersecurity 1.0

Fourth, the cybersecurity framework isn't just another set of NIST guidelines, but the outcome of President Obama's Executive Order on "Improving Critical Infrastructure Cybersecurity," which he announced in his 2013 State of the Union address.

"Cyber threats pose one of the gravest national security dangers that the United States faces," the president said earlier this week, a point reinforced in a new Defense News poll that found that nearly half of national security leaders think cyber warfare is a bigger threat to the US than terrorism.

But not everyone thinks the president's cybersecurity framework provides the right set of standards or adequately addresses how to make networks resilient against inevitable attacks.

Gerald Cauley, CEO of the North American Electric Reliability Corp., which develops reliability standards for power companies, argues that NIST's framework could undermine existing -- and in some cases more advanced -- cybersecurity practices already in effect.

Monday, February 17, 2014

Dyman & Associates Risk Management Projects: Scam court email alert

The Business Crime Reduction Centre (BCRC) is warning people about a new email scam that threatens victims with court action.

Fraudsters have been sending out legitimate looking spoofed emails designed to trick recipients into installing malware.

The emails say you have been notified and scheduled to appear for a court hearing, and they contain specific dates, times, locations and reference numbers.

It asks you to download a copy of the “court notice” attached. The attachment is actually an .exe file (a file that executes when clicked) containing a virus.

The email has no connection to the Criminal Justice System, and anyone receiving it should not download any attachments or click any links. Report it to Action Fraud using the online fraud reporting tool.

You are likely to see some variations of this email, as it is easy for fraudsters to amend the details and continue targeting people.

BCRC’s cyber security specialist said “the email is difficult to block as the subject headers change frequently.”

He also said: “Provoking a panicked, impulse reaction has become a very common scam technique for cyber criminals. Opening the attachment allows the criminal to spy on the victim, use their computer to commit crime, or steal personal and financial information.”
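Because the subject headers change from wave to wave, a mail filter does better to look at the attachment itself. The following is an added Python example, not BCRC’s own tooling: it builds a constructed lookalike of the scam message and flags any attachment that has an executable extension (including a double extension such as “.pdf.exe”) or carries a Windows executable header despite a harmless-looking name. The executable extension list is an assumption for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on double-click (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def suspicious_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every attachment that looks executable.

    The subject line is deliberately ignored: it changes between waves, but
    the payload still has to be something the recipient can execute.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Last suffix decides what Windows does with "court_notice.pdf.exe".
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            findings.append((name, f"executable extension {ext}"))
        elif data[:2] == b"MZ":  # DOS/PE executable header
            findings.append((name, "PE header (MZ) despite non-executable name"))
    return findings


def build_sample() -> bytes:
    """Constructed lookalike of the scam message (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "notices@court-example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Notice to Appear in Court, ref 4821"
    msg.set_content("You are scheduled to appear. Download the attached court notice.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed stand-in for an executable
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="court_notice.pdf.exe")
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="court_notice.pdf")  # executable bytes, PDF name
    msg.add_attachment("Hearing room 3B", subtype="plain", filename="directions.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in suspicious_attachments(build_sample()):
        print(f"BLOCK {filename}: {reason}")
```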

Sunday, February 16, 2014

Dyman & Associates Risk Management Projects: Target’s Cyber Security Staff Raised Concerns in Months Before Breach

Target Corp.’s computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.

At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system, a request that at least initially was brushed off, the people said. The move followed memos distributed last spring and summer by the federal government and private research firms on the emergence of new types of malicious computer code targeting payment terminals, a former employee said.

The suggested review also came as Target was updating those payment terminals, a process that can open security risks because analysts would have had less time to find holes in the new system, the employee said. It also came at a difficult time—ahead of the carefully planned and highly competitive Black Friday weekend that would kick off the holiday shopping period.

It wasn’t clear whether Target did the requested review before the attack that ran between Nov. 27 and Dec. 18. The nature of the feared security holes wasn’t immediately clear, either, or whether they allowed the hackers to penetrate the system.

The sheer volume of warnings that retailers receive makes it hard to know which to take seriously. Target has an extensive cyber security intelligence team, which sees numerous threats each week and could prioritize only so many issues at its monthly steering committee meetings, the former employee said.

Target declined to confirm or comment on the warning.

The breach has caused headaches for Target customers who have dealt with fraudulent charges and have had millions of credit and debit cards replaced by issuers. Investigators and card issuers haven’t quantified damages from the attack.