
Back to (new) Basics

To maintain secure computer systems, the basics have in the past been tasks like keeping systems updated, running anti-virus software, using a properly configured firewall, and using a filtering proxy for access to the internet.

The advice on basics has been mechanistic in the past: making the machinery protect itself was the ideal and most hoped-for outcome.

The new Basics include the old things and add:

  • Establish a Security Culture
  • Maintain Good Computer Habits 
  • Plan for the Unexpected
  • Control Access to Protected Health Information

(from Top 10 Tips for Cybersecurity in Health Care)

What's interesting about the new Basics is that the additional items all have something in common: people. Each item focuses on how people interact with the systems, what they should expect and look for in terms of benefits, risks and dangers, and the fact that the use of computers and computerized machinery must always account for the human elements of mistake, misuse and outright abuse.

Why Is Cybersecurity So Hard? puts it succinctly, attributing it to three reasons. The first reason is the one now being recognized more broadly: it's not just a technical problem. Harvard Business Review's The Best Cybersecurity Investment You Can Make Is Better Training documents the problem. The Small Business Administration is gearing up to help in the effort to train small and medium-sized businesses, and the AHA is making efforts at training from the top down, which includes training on and in governance efforts.

It's people that are trying to defeat security; it will come down to people promoting security, as the new Best Practices warrant.
