On Sunday, the US Department of Health and Human Services was hit by a cyber attack intended to disrupt its response to the COVID-19 virus. The ‘disruption and disinformation’ attack has illustrated an intent to target a renewed dependency on IT systems during this pandemic. Businesses, universities, and governments around the world are rapidly deploying remote capabilities to allow work from home during self-isolation to flatten the curve. This solution, however, has hyperextended existing IT infrastructure, and while defenders struggle to adapt to this new perimeter, adversaries are sure to discover more points of impact.
Over the next three months, the COVID-19 virus may cause dramatic changes on the international scene that will impact decision-making in government and industry. We have no special insights into what they could be, but through thirty years of close observations of national security topics we can say this: we should be prepared for surprises. The impact of surprises can be mitigated by collecting information, and that collection can be optimized by starting with good questions.
I don’t consider myself a futurist, but thinking about the future has been an essential component of my career and supports a broad range of strategic thinking in the domains of cyber and geopolitical risk, threat intelligence, and business planning. I’ve taken to calling these future brainstorming mental models “living in the future” and the approach has been adapted into our HACKthink methodology as well to help organizations derive the essential actions needed to arrive at a future outcome.
The focus for our conference this year is “Future Proof”, so I thought it would be interesting to take a retrospective look at a blog post I wrote over 10 years ago called “We all live in the future now” to see how well the analysis stood the test of time.
On January 3, 2020, Iran’s Qassem Suleimani, head of the Islamic Revolutionary Guard Corps Quds Force (IRGC-QF), was killed by a US drone strike. Iran’s Supreme Leader Ali Khamenei declared that “harsh revenge” awaits those who led the strike against Suleimani. The military advisor to Khamenei stated that Iran’s response would “for sure be military” and directed against US military sites. It is hard to tell what the full nature of Iran’s response will be; history has shown they have an ability to surprise. However, we assess the most likely response will be state-sponsored destructive cyber attacks done in a way that implies they were launched by Iran but still offer some level of ambiguity over source. We also assess increased attacks by hacktivist supporters of Iran.
The top stories on OODA Loop provide good insight into what issues will be top of mind for executives and experts going into 2020. Here are the 20 most popular posts of the year.
Two US senators asked the Department of Homeland Security for their support on a recent bill, the K-12 Cybersecurity Act of 2019, which aims to effectively manage the threat of ransomware and cyberattacks. The bill would establish guidelines that improve school cybersecurity systems. The senators stated that school systems are
What does it take to be a highly effective CISO? Over the past 25 years, I’ve consulted for hundreds of executives on cybersecurity issues including direct support to dozens of CISOs working to effectively manage cyber risk in a wide variety of organizations. With this post, I’ve attempted to capture some of the best practices from the most effective CISOs I know. In future articles, we’ll look at each of the 10 habits in greater detail, including direct input from the CISO community.
It’s been almost 10 years since the first commercial for-profit bug bounty program was launched. Bug bounty programs have transformed the information security sector, and their negative impacts have been advertised as driving down companies’ consulting rates and raising ethics questions within the cybersecurity community. However, boutique security consultancies, particularly
OODA CEO Matt Devost provides his top 10 security, technology, and business books for 2019. Matt reads over 100 books per year and this top 10 compilation is typically one of our most popular posts of the year. A trusted curation of essential books that can inform your decision loop and enable intelligent actions.
In October, Bugcrowd disclosed that around 550 hackers from around the world reported roughly 6,500 vulnerabilities, resulting in a total payout of $1.6 million. The company, which launched in 2011, announced that over $513,000 of the monthly payouts were made last week, breaking a company record of most vulnerabilities reported