us-cert and questions ceos should be asking about cyber risks

US-CERT has posted up a nice list of Questions Every CEO Should Ask About Cyber Risks. I can’t say I disagreed with anything here!

It’s nothing much, but I did look a bit hard at the metrics section where it says, “An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the enterprise.” While I agree with this, most organizations still need to adequately find or be told about a vulnerability first and get it into the analysis and remediation pipeline, before they can start measuring how long it takes to patch it. Or maybe a better wording is to allow for the fact that a vulnerability may have existed before an organization learned of it and started work to patch it. I wouldn’t want someone to think the measure is just from when it was learned to when it was fixed.

I also understand that “industry best practices” can be a little flexible and arbitrary, but I don’t have a great alternative to that beyond constant review and improvement with multiple eyes and documented reasons and justifications for policies and standards.
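To make that distinction concrete, here is an added Python example (not from US-CERT's list or this post) that computes, for a few constructed vulnerability records, both the remediation time measured from when the organization learned of the issue and the exposure window measured from public disclosure; the names, dates and record layout are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class VulnRecord:
    name: str
    disclosed: date            # public disclosure / advisory date (assumed source)
    learned: date              # when the organization first became aware
    patched: Optional[date]    # None means still open

# Constructed sample records; the dates and names are illustrative only.
AS_OF = date(2013, 11, 20)
SAMPLE = [
    VulnRecord("vuln-A", date(2013, 11, 1), date(2013, 11, 3), date(2013, 11, 10)),
    VulnRecord("vuln-B", date(2013, 10, 1), date(2013, 11, 5), date(2013, 11, 12)),
    VulnRecord("vuln-C", date(2013, 11, 10), date(2013, 11, 10), None),
]

def remediation_days(v: VulnRecord, as_of: date) -> int:
    """Days from learning of the vulnerability to patching it (open items count to as_of)."""
    return ((v.patched or as_of) - v.learned).days

def detection_lag_days(v: VulnRecord) -> int:
    """Days between public disclosure and the organization learning of it."""
    return (v.learned - v.disclosed).days

def exposure_days(v: VulnRecord, as_of: date) -> int:
    """Days from public disclosure to patch: the window the naive metric hides."""
    return ((v.patched or as_of) - v.disclosed).days

def summarize(records, as_of: date) -> dict:
    """Aggregate both views so a fast-looking remediation number cannot mask a long exposure."""
    return {
        "median_remediation_days": median(remediation_days(v, as_of) for v in records),
        "median_exposure_days": median(exposure_days(v, as_of) for v in records),
        "max_exposure_days": max(exposure_days(v, as_of) for v in records),
        "still_open": sum(1 for v in records if v.patched is None),
    }

if __name__ == "__main__":
    for v in SAMPLE:
        print(v.name, "lag", detection_lag_days(v), "remediation", remediation_days(v, AS_OF),
              "exposure", exposure_days(v, AS_OF))
    print(summarize(SAMPLE, AS_OF))
```

Record vuln-B shows the point: a seven-day remediation time looks healthy, while the exposure window from disclosure is 42 days.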

the three laws of opsec

Just saving for future reference.

Three laws of OPSEC (Kurt Haase)

  1. If you don’t know the threat, how do you know what to protect?
  2. If you don’t know what to protect, how do you know you’re protecting it?
  3. If you are not protecting it, the dragon wins.