From CISOs to security professionals, the current approach to applying and understanding security in some organisations still seems to be based on employing expanded terminology to talk-the-talk, getting by with an “on-the-fence posture”, leveraging disguise-enablers such as PCI-DSS and ISO/IEC 27001, and if all else fails calling on the good old safety net of “CIA” [Confusion, Ignorance, and Abstinence]. When you lift the lid off of my potentially inflammatory words and look at the real-world manifestations of such adverse professional circumstances, you may discover multiple organisations who have suffered security events and breaches, a number of which have seen the silent departure of a lacklustre CISO after reaching the tipping point of “one-breach-too-many”.
The simple fact of the matter is this: if we could recruit and do a morality brain-transplant on the cyber-savvy hackers and cyber criminals in order to serve up a more robust approach to securing our businesses, I believe we would be in a much better and safer place. After all, the US made the wise decision of giving Mr. Dark Tangent [AKA Jeff Moss] a job working for the US Government as an adviser on the President’s Advisory Council. In this capacity I repeat what I have said so many times before: it is time to move away from the love affair with the world of standards and other governance practices and realise that the time has arrived to get back to technical basics.
As to the current cyber threats facing us today, to call them “significant” or “effective” would be wanting in the extreme. Cybercrime in all forms is gathering in pace, its impact becoming ever more pronounced. This I believe is due to two factors: 1) All of the reasons mentioned above, and 2) An approach related to following ‘Convention’. In the interests of security, this latter-mentioned approach must change.
To accommodate a more robust level of pragmatic security, it is time to adopt a mindset that seeks to locate the unknowns that may exploit a company’s security and/or intellectual property. Here I feel a metaphysical approach is worthy of consideration, one that is classified as:
a. Concerned with abstract thought or subjects, as existence, causality, or truth.
b. Focused on the first principles and ultimate grounds, as being, time, or substance
In other words, looking at the convention of security upside-down and in five dimensions, we should utilize the element of imagination to think as would a criminal to locate those unknowns. Along these lines, we as a company have employed our Cytelligence Platform to run extensive OSINT [Open Source Intelligence] Assessments for a range of clients, including government bodies, law enforcement agencies, financial organizations, and energy companies. The results of these assessments were very interesting, and notwithstanding the fact that these organisations had commissioned regular conventional security assessments, what had been overlooked as exposures and vulnerabilities ranged from low- to high-risk, carrying significant levels of potential for remote exploitation.
The absolute Tropic-of-Capricorn in our technologically dependent interconnected world is as follows: we must introduce security measures to infrastructures and hosted applications in order to re-imagine cyber security in the interest of achieving cyber resilience.
[su_box title=”About Professor John Walker – FMFSoc FBCS FRSA CITP CISM CRISC ITPC
” style=”noise” box_color=”#336588″]
Visiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia [to 2015], Independent Consultant, Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts (RSA), Board Advisor to the Digital Trust, Writer for SC Magazine UK, Originator of DarkWeb Threat Intelligence, CSIRT, Attack Remediation and Cyber Training Service/Platform, Accreditation Assessor and Academic Practitioner and Accredited Advisor to the Chartered Society of Forensic Sciences in the area of Digital/Cyber Forensics.
Twitter: @SBLTD
John Walker is also our Panel member. To find out more about our panel members visit the biographies page.[/su_box]
John is the Principle at Shadow-Intelligence (Si), partnering with PALISCOPE, BreachAware and iStorage. He is a Visiting Professor at the School of Science and Technology, Nottingham, Trent University (NTU) and holds the appointment of Editor in Chief for the International Journal of Cyber Forensics and Advanced Threat Investigations (CFATI). For the last decade he has delivered training courses in the Middle, and Far East to Commercial, Industrial, the Financial Services Sector, and Military Agencies, including the UAE, US, Pakistan, Saudi Arabia, Malaysia (KL), Singapore, Argentina, and Sao Paulo
He served in the Royal Air Force 22 years’, specialising in Counterintelligence, working with UK Agencies such as GCHQ/CESG, and others in the fields of SIGINT, COMINT and Satellite Communications, holding appointments such as System ITSO for a CIA SCIF.
In the commercials sectors of IT/Cyber he has worked for/with Logica, Bae, T5, GM, Experian, Betfair, Palace of Westminster, House of Lords/Commons, TSol (Treasury Solicitors) and provided Consultancy to the Saudi Arabian MOD, TRA (Telecommunications Authority (Dubai) and the Military Academy of Malaysia (KL) on SOC, CSIRT, Digital Forensics and OSINT. Within the last 5 years he has focused on Geopolitics, with global expertise around the UAE and Russia, Anti-Terrorist Operations (ATO), Cyber-Warfare, Dezinformatsiya (Disinformation) and Maskirovka (Military Deception).
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.