Creating Her Own Cybersecurity Path: From JD to FBI to CISSP

My career in cybersecurity was not mapped out. I earned my bachelor of science degree in business administration, with a concentration in information systems from Xavier University, but one thing was for sure: I did not want to be a coder. I found that as I pursued my education, different opportunities in a variety of fields opened themselves up to me. Next, I decided to pursue my law degree – I earned my J.D. from Texas Southern University – and while I was in law school, the FBI came in to recruit. I was intrigued; so after practicing law for a short period of time in Washington, D.C., I began working as a special agent for the FBI, and in addition, served as the information systems security officer for the Los Angeles Field Division.

Upon leaving the FBI, I looked around at the skills I had obtained – from IT to legal to investigating cybercrime – and believed that a career in information security was the right fit for me. I thought that obtaining the Certified Information Systems Security Professional (CISSP®) certification would help me validate what I knew based on my experience, as well as add credibility to me as a professional when I transitioned from government service into the private sector.

Having my CISSP has helped open doors for me as it is looked upon as one of the highest industry certifications you can obtain. It validates that an experienced cybersecurity professional is working from a standard of common knowledge. The CISSP also helps to set the foundation for consistency in the industry.

Along with having my certification, one of the best things about being a member of (ISC)² is the special programs they provide. Early on after obtaining my CISSP, I signed up and delivered several Safe and Secure Online® presentations in my community. I had the opportunity to speak with school-age children, Girl Scout organizations and parents about the challenges faced by children online. Being able to speak to children about cyber dangers, as well as their parents, regarding what to look out for, was one of the most rewarding experiences in my career.

Luckily, I followed my mother’s advice and got an education. Because of that, I’ve had the pleasure of experiencing so many wonderful career highlights: Being a licensed attorney, an FBI special agent, a business owner, a college instructor and now an executive – these achievements make me take a deep exhale when I think about it. I am one of those people who always has some type of goal for myself – both professionally and personally. I believe that if you are not striving for success in life, you miss out on the opportunity to be the best version of yourself. Of course, I have specific goals to become a chief information security officer, hold board membership positions and more; but essentially, my goals all come down to using my knowledge and experience to help move the needle forward in cybersecurity.

I was once told that when you feel passionate about something, you have to get involved to effectuate change. As an African American woman, I believe that it is part of my responsibility, as I obtain success, to be visible and to inspire others. This is what led to my involvement with the International Consortium of Minority Cybersecurity Professionals (ICMCP). As a single mother and an executive, I have limited time. However, I believe in the mission of the ICMCP – to find ways to bring more women and minorities into the field of cybersecurity. The organization also provides support to those already in the field, because historically, women and minorities tend to leave cybersecurity careers early. We have a severe shortage of talent in cybersecurity for various reasons. Part of the ICMCP’s mission is to attract talent from a multitude of areas – both from traditional and nontraditional disciplines – so that we can bring more talent into the pipeline.

Personally, I believe that we need diverse talent. This isn’t limited to sex, race or cultural diversity, but diversity in thoughts, actions, problem-solving skills and leadership abilities as well. This will take us much further in our “secure the world” directive.

Mary Chaney, Esq., CISSP is the director of worldwide information security at Johnson & Johnson and co-chair of the fundraising committee for the International Consortium of Minority Cybersecurity Professionals (ICMCP).

(ISC)² Management

[(ISC)² Blog]

Conventional AV Systems Can Actually Harm You

There’s barely a day goes by when I’m not reading another batch of stories about how unsuitable conventional endpoint AV security is for dealing with modern malware, APTs, zero-day threats and so forth.

So replete are these tales of woe that it’s almost possible to switch off from the basic fact that in this uber-connected, cloud-enabled, everything-as-a-service, internet-of-thingamajigs world, most conventional endpoint AV systems are impotent and probably do more harm than good. I write almost, but not quite, because every now and again the occasional story jumps off the screen and gives you that all important wake-up call.

One such story that came to light a few weeks ago, centered around an Adverse Event Reportpublished by the U.S. Food and Drug Administration (FDA). Wherein, a patient (not named), undergoing a cardiac catheterisation procedure at a US Hospital (also not named) had to be sedated, mid-operation, for five minutes, while the procedure was suspended following the system crash of a vital piece of monitoring equipment.

The system in question monitors, measures and records patient data during cardiac catheterization procedures. The system is made up of a patient data module, used to capture the patient’s vitals, and a hemo monitor PC to display them. The two elements are connected via a serial interface.

During this particular procedure the monitor PC lost communication with the patient data module resulting in a black screen on the monitor and the patient having to be sedated while the system was rebooted. As the FDA report describes, the cause of this blackout was attributed to the installed conventional AV software, which at a critical point in the procedure initiated a scan of the system.

Although the system could be rebooted and the patient fortunately survived it got me thinking about the real-life harm a conventional AV could do to me. Quoting from the Manufacturers Narrative in the FDA Report, “Our experience has shown that improper configuration of anti-virus software can have adverse effects including downtime and clinically unusable performance.” So, although I may be sensationalizing the FDA’s paragraph a little, I’m not feeling that confident after reading the manufacturer’s narrative. Let’s face it: the team performing a standard cardiac catheterisation procedure is not likely to include an IT security engineer who can be called upon at a moment’s notice.

Could this scenario have been avoided with an Advanced Endpoint Protection system? The answer is probably yes. Traps, our advanced endpoint protection product, is not a conventional AV system — indeed, it’s a paradigm shift from “the way things used to be done.” Traps secures endpoints by preventing known and unknown malware and exploits from executing by focusing on blocking the few, core techniques used by attackers rather than application-specific characteristics. Furthermore, It does this in a lightweight, nonintrusive agent that definitely does not rely on system scanning.

Learn more:

[Palo Alto Networks Research Center]

Leaky End Users Star in DBIR 2016

Insider threat once again tops the list of enterprise cyber security threats in the 2016 Verizon Data Breach Investigations Report (DBIR). For the second straight year, Verizon research showed that the average enterprise is less likely to have its data stolen than to have an end user give away sensitive credentials and data—whether unintentionally or maliciously.

From insecure storage, transfer or disposal of sensitive information, to lost or stolen endpoint devices, to intentional data theft and privilege abuse, to simply entering the wrong recipient name in the email address field, the vast majority of breaches can be traced back to end users. “Our findings boil down to one common theme,” said Verizon Enterprise Solutions Executive Director of Global Services Bryan Sartin, “the human element.”

Overall, 2015 trends persist in 2016
The 2016 DBIR pulls trends and insights from more than 100,000 incidents—and 3,141 confirmed data breaches—across 82 countries. Is there anything groundbreaking in this year’s DBIR? Nope. Verizon reports “no drastic shifts” and no “show-stopping talking point.” For the most part, last year’s trends and patterns continued. But to “strike a deceased equine” (as Verizon put it), these persistent trends bear reviewing.

Phishing still works—end users are more likely than ever to click the link
The 2016 DBIR found hackers increasingly targeting devices and people instead of servers and networks, with phishing attacks growing from less than 10 percent of all attacks in 2009 to more than 20 percent in 2015. Why? Because people are more likely than ever to “click the link.” Verizon says 12 percent of people tested will click on a phishing attachment—up from 11 percent in 2014. Also of note: the same study found only three percent of users that receive a phishing email report the attack attempt. The IT department is stuck between a rock and a hard place. More people fall for the scam, and no one gives IT a heads-up.

Privilege abuse is still a top insider threat—with an emerging twist
Traditional privilege abuse involves an internal user stealing or corrupting sensitive data—whether for personal gain or in collusion with an external actor. Verizon noted an emerging twist: external parties with legitimate access credentials (a customer or vendor, for example) colluding with another external actor. Verizon also showed that insider threat detection is extremely difficult in cases of privilege abuse, with most incidents taking months for the enterprise to discover. This year, privilege abuse was the top defined category of cyber security threats, second only to the catchall category of “Miscellaneous Errors.”

Something new: the three-pronged attack
Cybercriminals aren’t just getting smarter—they’re growing more patient. Verizon highlighted what it called the “new three-pronged attack”:

  1. Phishing email lures user to malicious link or attachment.
  2. Clicking the link installs malware that targets a user’s various digital access credentials. Sophisticated malware can even compromise other users’ credentials through this one entry point.
  3. Those credentials are later used in other attacks.

The first challenge here is tracing the subsequent attack back to the initially-targeted user and the original phishing email. The second is figuring out just how deep the attack went—which credentials were compromised and which data may have been exposed or stolen. Playing the “long con” gives cybercriminals a chance to slowly, silently extend the reach of the breach, with users and IT unaware.

Biggest cost: tracking down data during breach recovery
With sophisticated attacks leveraging insider credentials to go deeper and broader, it’s no surprise that the biggest cost of an enterprise data breach comes from the daunting task of forensic analysis. Figuring out what data was compromised, and tracking down copies of the files, puts an enormous strain on IT resources, and accounts for nearly 50 percent of the average total cost of an enterprise data breach.

TL;DR—Breaches are inevitable; data visibility is key
The DBIR is great reading (really—you’re guaranteed a laugh or two), but it’s 85 pages long. Here’s the quick-and-dirty:

  • “No locale, industry or organization is bulletproof.” In other words, breaches are inevitable.
  • Know your biggest threats. Take five minutes to check out the tables on pages 24 and 25, showing incident patterns by industry.
  • “You cannot effectively protect your data if you do not know where it resides.” Breach remediation is crucial. Data visibility is key.

Next, we’ll tackle this last point—why data visibility is essential to effective breach remediation, and how an enterprise can enhance data visibility.

Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

Traveling the Road to GRC Maturity

Today’s business environment is fraught with risk. However, to successfully seize growth opportunities in the market, organizations need to effectively position themselves to embrace risk with confidence instead of simply avoiding it.

Technology, economic and market conditions affect organizations on a daily basis. The constantly changing landscape of risk is a leading topic in headlines, industry forums, media outlets and board rooms. We are moving to a world where your risk management approach is not only your defense against known and unknown risks, but a critical component of your competitive advantage.

The next five years will bring even more pressure and greater shifts in the way governance, risk and compliance (GRC) programs need to operate to succeed. Not only are regulations and risk management needs changing, but the technology used to power businesses is radically shifting. The delineation between digital strategies and business strategies has disappeared, and any differentiation between cyber risk and business risk has vanished, as well.

What’s Your Cyber Risk Appetite?
Given that many new business growth strategies rely on technology, organizations must be able to manage cyber risk as part of their risk management strategy. This convergence is leading many organizations to think in terms of cyber risk appetite – what risks can the business take and which are beyond the tolerance of the organization.

GRC programs must create a unified risk culture and a common language across the enterprise in order to understand risk in the context of the organization’s overall objectives. Therefore, effective risk management practices must address cyber risk and business risk in equal measure and provide a consolidated view of risk to executives and practitioners.

These capabilities do not magically appear within an organization overnight. The transition from a compliance-driven approach to a risk-based strategy takes commitment and collaboration across all “lines of defense” within an organization. The road to a mature risk management strategy has many twists and turns. Organizations will face multiple forks in that road and a fair share of distractions and derailments. However, the benefits of staying the course are clearly evident.

Risk management is becoming a core capability that separates the winners from the losers. Organizations that understand and effectively manage risk will prosper, while those that cannot will fail. Success starts with the ability to manage risk in a manner that frees up resources to focus on the company’s long term, strategic objectives. Executives need relevant, up-to-date risk information in order to make the right decisions and pursue the right opportunities.

I am pleased to be participating in a 16 June (11 a.m. CDT) webinar titled Next-Gen GRC: Building a Road to GRC Maturity with fellow risk and compliance professionals to discuss this maturity journey. Every organization has its own challenges but there are some fundamental elements that can make a significant impact in your program’s success. We will be discussing strategies to push risk management across your organization and take your program to the next level.

Patrick Potter, GRC Strategist, RSA

[ISACA Now Blog]

English
Exit mobile version