Posts

US sanctions against Russia and OSINT

Today the US Department of the Treasury (and some US allies) announced new sanctions against Russian individuals and entities [1] [2] [3]. This is not new, and the US Treasury also started adding cryptocurrency addresses (CYBER2 program) last year. For OSINT analysts who like to do cryptocurrency investigations this information might be of interest ... unfortunately it is hard to get in an easy and structured way using https://sanctionssearch.ofac.treas.gov/ To ease your work I compiled an Excel list: https://github.com/thomasbiege/OSINT/blob/main/financial-mapping/US-sanction-lists.xlsx Feel free to add new entries!

Best, Thomas

Facebook: Magnitude of the leaked data

About 2 days ago BleepingComputer reported on a leak of over 500,000,000 Facebook user records. Scratching the surface revealed that the data is available to nearly everyone. Here are some numbers to estimate the magnitude of the leak. 77 GB of plaintext data from 105 countries worldwide can be found on the Internet. Some indicators make clear that at least part of the data is from 2019, but only Facebook can say whether more current data is included as well. The collections do not seem to come from one web scraping session, but rather from local web scraping campaigns in each country. Some file names are even in local languages.

A world map with all countries (file size in MB).

Here are the top 20 based on file size in MB.

The data falls into the following categories: name, sex, relationship status, address, employer, email address (very seldom), year of birth (very seldom), telephone number (very seldom), and some dates and IDs. Note that citizens from various EU states are affected which is

Building a Security Awareness Program that just fits.

Today I will not provide you with another chapter from my book draft but talk about a topic that has fascinated me for some time.

Awareness training is the neglected pillar of cybersecurity, especially when a CISO has a strong technical background, like I have. When I think about cybersecurity I think about SECURITY people who follow SECURITY processes and policies which are implemented with SECURITY tools, because as a security engineer I learned over many years how to solve problems with algorithms, compilers, and machines. During my career the number of people I was responsible for increased a lot, and at the same time these people became less and less IT-aware. If you know this path of thinking, I would recommend you take a look into the event logs of a virus scanning tool or intrusion prevention system. Funny, but 99.99% of the events are caused by people! And what happens outside your infrastructure, or by "out of bound" attacks to circumvent detection s

Release #6: German finance OpSec against Kim Jong-Un and Chinese Casinos (MaRisk and BAIT requirements)

(Source: Wikipedia)

The Basel Committee on Banking Supervision has drawn up the requirements Basel I to III, which have been implemented at national level in Germany by the Banking Act [1] (KWG). The KWG serves market regulation and market organisation in the banking sector by considering various types of risks and by introducing a notification and information obligation. In the banking environment the so-called "44er audit" ("44er Prüfung") describes the general obligation of an institution to provide information to the auditor, as defined in section 44 (1). Operational risk (MaRisk BTR 4) is of particular interest for the purposes of this book: the KWG, more precisely sections 25a and 25b, is specified in more detail by the Minimum Requirements for Risk Management (MaRisk). This all sounds very formal and like a lot of paperwork, but it has a serious background. The ties between rogue nations, cybercrime and traditional crime are very close. Let's use North Korea as an exampl

Release #5: Regulatory Requirements and Cyber Defense

Basics

The financial sector is extensively regulated at international and national level. Industry standards such as PCI-DSS and SWIFT CSCF (Customer Security Controls Framework) play just as much a role as ISO 27001, EU-GDPR (General Data Protection Regulation), or national laws such as IT-SiG (IT-Sicherheitsgesetz) and KWG (Kreditwesengesetz) in Germany. The KWG is based on Basel I and Basel II and is specified in more detail by the MaRisk (Mindestanforderung an das Risikomanagement) and BAIT (Bankenaufsichtliche Anforderungen an die IT) requirements.

No news so far, and I risk that you, my reader, will fall asleep. But wake up: the point is that these different requirements need to be put under one hat, and they have to be useful on an operational level in an easy manner. This is the big task for the 2nd Line of Defense (2LoD) in this game. Therefore I will briefly present a methodology to tame all the major and well-known regulations and the minimum measures that should be impl