
Looking ahead to this fall’s elections, I won’t dwell on the ‘who’, be it Russia, China, North Korea, or someone closer to home, but some entity, somewhere, will  ‘meddle’, and the best we can do is to minimize the impact. 

We’ve read that the Russians have moved beyond simple (ok… not so simple) vote tampering, and social networks are old hat. So what can we control?

The very integrity of the data: an assurance that what is stored within the enterprise or in the cloud is unaltered and has not been tampered with. Here is where cloud security comes into play.

Over the past few years, we’ve witnessed way too many instances of data stored in the cloud being compromised, including marketing data, political party data, health records, etc. With the rush to the cloud, pressures from our CFOs, and a bit of groupthink, we’ve become sloppy. The same precautions we’ve taken for our on-premise data centers – access controls, both internal and external, encryption, and even record keeping – some of us have forgotten, with negative impacts that shouldn’t be a surprise. But exposing the data across the internet is only the first salvo. Hackers now have the tools to alter data at rest, and without proper integrity checks in place, the source of truth becomes elusive. But the solution is not difficult, and doesn’t require a string of esoteric certifications. Just common sense.

The public cloud providers offer a number of services designed to monitor your accounts – your controls, services, and applications – while at the same time providing notifications if something is amiss. In parallel, software vendors like Cavirin offer security tools that pick up where the cloud provider leaves off. Cavirin provides real-time visibility and remediation of hybrid infrastructures so that governments can identify gaps in their defenses and take immediate action to address the pressing threats they face.

As part of making your move to the cloud, understand your exposure and the tools available, both from the CSP and from 3rd parties, to mitigate it. Put a plan in place and execute it before moving any critical workloads or data to AWS, Azure, Google Cloud, etc. Looking forward to November, this should serve as a call to action.

In the same way that GDPR forced the privacy issue, and even in the US had a positive impact such as the CCPA in my home state of California, we can take it upon ourselves to make sure that our clouds are in order… are secure and free from tampering. We’re at 90 days, so put a plan in place!

Instituting Solid Security Standards in Tough Times

The modern Chief Information Security Officer (CISO) faces myriad challenges while striving to protect company data, meet regulatory requirements, and spread security awareness. The mission to institute solid security standards is often hampered by a lack of readily available talent and a limited budget.

It’s a difficult, often thankless task, but resourceful CISOs with the right strategy, support, and tools can prevail.


A Varied Role

The lack of a common, widely agreed-upon definition of a CISO’s job muddies the waters considerably. The first wave of CISOs were often tasked with defining the role as they worked, and there are still major differences in the responsibilities bestowed by different organizations.

First and foremost is the need to manage security and protect data, but many CISOs are also now expected to help build security into the infrastructure and train the workforce to be vigilant.

With the mass adoption of cloud services and the proliferation of complex hybrid environments, exacerbated by the rise of the IoT, the virtual office, and shadow IT, CISOs really have their work cut out for them. A difficult job that requires synergy with various departments is fast becoming more difficult.

CISOs must recognize potential threats and evangelize for the security cause to secure the budgets and cooperation they need to be successful.


Spreading Awareness

As cloud adoption continues to gather pace and organizations look for safe ways to migrate vast amounts of data, some security risk is inevitable. Perhaps the single greatest action CISOs can take to combat and mitigate that threat is to train the workforce and advance security awareness. After all, Gartner suggests that through 2022, at least 95 percent of cloud security failures will be the customer’s fault.

CISOs must develop a set of policies that enumerate precisely what action employees need to take when an incident occurs, whether it’s a suspected breach, a malware infection, or something else. Embrace the reality that people make mistakes and focus on how to deal with errors to swiftly correct them and minimize their potential impact.

Every employee should regularly complete a constantly evolving security training program that reflects the latest threats. It’s not enough to tick the completion box and move on; employees also need to be tested to ensure they are following policies. When people fail, further training is required.


Providing Proper Support

When CISOs were asked about their concerns for this year by the Ponemon Institute, most of them named “lack of competent in-house staff” as their primary worry. There’s a dearth of experienced security professionals, and this often leads to people being promoted from unrelated departments and trained up on the job. Mistakes are the inevitable consequence.

To help support these security fledglings, CISOs can deploy supportive tools and software that offer an accessible overview of their organization’s cyber posture. (Know your CyberPosture Score.)

Automated alerts that highlight potential security issues, alongside clear advice on how to meet security standards and adhere to regulatory requirements, can elevate the performance of inexperienced employees.

By conducting a full analysis of an organization’s security posture, compared against the necessary compliance considerations, best practices, and the latest benchmarks, CISOs can identify gaps in their defenses. This allows them to focus limited resources in the right places.

It’s crucial to bolster novice security teams with configurable software tuned to the required security standards. To effectively safeguard business-critical data, CISOs need the right strategy coupled with the right tools.


New Generation Companies

IT has changed from driving the bottom line to driving the top line for enterprises. Most new applications are developed and built using the DevOps model. This movement was driven by new generation companies such as Google, Facebook, LinkedIn, Pinterest, Twitter, etc., places where open collaboration is key and more contributors are encouraged. In addition to changing the business landscape, these companies also built the next set of tools for big data, cloud, AI/machine learning and containers. All of these technologies are mostly open source. This means the demand is rising for companies to get on board. There has been tremendous growth in recruitment activity among organizations that want to boost their open source technology presence. Hiring open source talent was a priority for 83 percent of hiring managers, an increase from 76 percent in 2017. Additionally, containers have been growing rapidly in popularity, with 57 percent of hiring managers seeking container expertise (up from 27 percent in 2017). Overall, we are now entering the stage of massive adoption across the business landscape, hence driving the need for open source talent.

DevOps and Security Hiring


What are some steps companies and job candidates can take to benefit from this data?

Time to market is key. In the current business landscape, the speed of innovation has gone up dramatically with this new generation of open source tools. Companies need to recognize that they need in-house talent with the right set of expertise for their chosen toolset. Community-based technology fuels big structured and unstructured data. This also means innovative data-management and storage solutions. Both DevOps and SecOps must respond with an “open-source first” approach when it comes to deploying new software and security infrastructure. Almost any business that plans to survive wants motivated, creative people. They need a talent pool that’s more agile. They need the right mix of enterprise-grade folks who know what it takes to build enterprise-grade – secure, highly available, and robust – applications. The newer generation of fast learners who can pick up the new toolset and drive innovation, with security, for the business is in high demand.

How can people who are interested in a career in open source enter the field? 

Jump into the pool with both feet. There are tons of amazing technologies available in the market to choose from. Pick the technology area that’s most aligned with your interest. Study it inside and out and become an expert in the field. Participate in and contribute to free and open source software (aka FOSS). These projects can offer a variety of learning opportunities. This can even help you start to build a portfolio of your work for prospective employers. Another strategy is to learn how to make the best use of today's powerful open source technologies. Most of these technologies are new (a handful of years old), so it depends on an individual’s attitude and aptitude to become the expert in the field, command top dollar from prospective enterprises for their talent, and deliver results to their employers.







A quick listing of some of the articles where Cavirin's thought leaders were quoted over the last month. The who's-who of security publications, covering stories as diverse as GDPR, cyber insurance, and USB drive vulnerabilities. Note that the citations below do not cover our channel launch. Please go to our website for more.


Cyber Insurance, Security and the Enterprise Challenge


Reset Your Routers to Avoid Malware Attack, FBI Warns

Canadian Banks Warn Data Breach May Have Affected 90,000 Customers

Two Canadian Banks Report Potential Data Breach


Could GDPR Be the Best Thing That’s Happened to Marketing?


Can behavior-based cyber insurance improve cybersecurity?


More Data Leaked from AWS Bucket Misconfigurations


EU Privacy Activist Targets US with GDPR Rules


GDPR is on the books, Google, Facebook face lawsuits, others scramble to comply


Amazon Comes Under Fire for Facial Recognition Platform


Five Business Drivers For Organizations Moving To The Cloud


TeenSafe Data Leak Shows Cloud Security Weaknesses
Moving to the Cloud: Too Many Companies, Too Fast?


TeenSafe App Exposes Data on More Than 10K Accounts


TeenSafe Tracking App Exposes Thousands of Private Records


DHS Cybersecurity Strategy Keys in on Risk, Vulnerability Management


DHS Publishes New Cybersecurity Strategy
Chili's Discloses Data Breach Exposing Payment Card Information


IBM's USB Ban Earns Some Praise, Some Skepticism


Bolton's Push to Cut Security Post Not Sound


Tech Companies Vow Not to Participate in Government-Sponsored Cyberattacks


Bolton, team mull eliminating White House cybersecurity coordinator position


IT Management: Do Not Panic over GDPR Challenges


Adopt The Right Cyber Posture For Your Hybrid Cloud Environment


Twitter Advises Users to Change Passwords Following Encryption Failure
Tens of Thousands of Malicious Apps Using Facebook APIs



To start off the year, at least two publications have reported on surveys that detail the criticality of the cybersecurity skills gap. For those old enough, it harkens back to the Cold War missile gap of the 1950s. But unlike the missile gap, which was mostly fictional, this gap is very real, and much more relevant to the typical enterprise.

CSO drew on a November 2017 ESG study that looked at gaps and potential solutions. The most alarming observation is that, despite increased spending and visibility, the percentage of respondents that reported a shortage of skills rose from 23% in 2014 to 51% in 2018. This doubling implies that the majority of organizations are threatened. As solutions, two areas stand out:

  • Moving toward technologies with advanced analytics. Think of artificial intelligence and machine learning as a helper application that can accelerate security processes and make the staff more productive.
  • Automating and orchestrating processes. Cybersecurity grew up with a reliance on manual processes, but these processes can no longer scale to meet growing demands. As a result, security automation/orchestration has become a top priority for many organizations.



A lot has been written about the Equifax breach and the impact it has on Americans. But few articles focus on what we can do about keeping systems patched (the actual cause of the breach was a missing patch). Here are three things that relate to the Equifax breach and that you might want to consider for your own systems to avoid becoming the next Equifax.

  1. Detect – The majority of hacks these days, as Gartner predicted, are not zero-day. They come from known vulnerabilities. So it is important that you have a detection system in place which can continuously alert you if there are any security misconfigurations or unpatched systems. The Cavirin platform provides a strong detection mechanism which can detect security misconfigurations and missing patches on individual operating systems, for machines both on-premise and in the cloud.
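As an added illustration of the "detect known-unpatched software" idea (example code written for this page, not Cavirin's product), the snippet below compares a dpkg-style package inventory against a table of minimum fixed versions and reports anything still below the fix. The package names, versions and the fixed-version table are all constructed for the example.

```python
import re

# Constructed sample inventory in "dpkg -l" form (status, name, version, arch).
# Package names and versions are made up for this example.
SAMPLE_INVENTORY = """\
ii  libfoo-core   2.3.14-1          amd64
ii  webfront      1.9.2-0ubuntu3    amd64
ii  parsekit      5.0.0             all
"""

# Constructed "minimum fixed version" table, the shape an advisory feed provides.
FIXED_VERSIONS = {
    "libfoo-core": "2.3.17",
    "webfront": "1.9.2",
    "parsekit": "5.1.2",
}


def version_key(version):
    """Turn a version string into a comparable tuple.

    Only the upstream part (before any '-' distro revision) is compared;
    numeric runs compare as integers and alphabetic runs as strings, so
    '2.3.14' sorts below '2.3.17' and '1.9.2-0ubuntu3' equals '1.9.2'.
    """
    upstream = version.split("-", 1)[0]
    parts = re.findall(r"\d+|[A-Za-z]+", upstream)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_inventory(text):
    """Return {package: installed_version} from 'ii  name  version  arch' lines."""
    inventory = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            inventory[fields[1]] = fields[2]
    return inventory


def missing_patches(inventory, fixed):
    """Sorted names of installed packages whose version is below the fixed version."""
    return sorted(name for name, installed in inventory.items()
                  if name in fixed and version_key(installed) < version_key(fixed[name]))


if __name__ == "__main__":
    for name in missing_patches(parse_inventory(SAMPLE_INVENTORY), FIXED_VERSIONS):
        print("unpatched:", name)
```

Run continuously (for example from a scheduler) and fed a current advisory table, this is the core of the "keep you alerted" loop the item above describes.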


© 2018 Cavirin Systems, Inc. All rights reserved.