The mission of the Cyber Lessons Learned blog is to help improve the state of cyber security, everywhere.   The Cyber Lessons Learned blog will accomplish that by allowing anyone who is responsible for maintaining security of information to have access to analyses of cyber security intrusions done by a professional cyber security consultant, researcher and educator.   Cyber Lessons Learned aims to provide the awareness and information necessary to enable you to take steps to protect your enterprise from the underlying problems that allow these incidents to occur.

In order to do this, Cyber Lessons Learned will:

First, identify, discuss and analyze major, and not so major, cyber security intrusions, compromises and outright thefts of information and intellectual property that seem so prevalent today.

Second, identify the root causes of these cyber security intrusions; the underlying problems of policy, planning, people, process and technology that enable these intrusions.

Third, identify concrete steps and actions that can be taken in your organization to respond to these events and threats.  In this blog, I will focus on mitigation actions that reduce the probability of these threats affecting your organization, reduce the impact to your organization should you experience them, or sidestep these problems entirely.

The analysis of cyber security intrusions will be conducted with publicly available information only.

Every month, at least, a different cyber security event will be analyzed to help you prevent the occurrence of these problems within your enterprise.   Between the publishing of these case studies, this blog will offer additional education and background material on specific cyber security issues and mitigation strategies highlighted in the case studies.

Target Audience

The target audience I imagine for this blog is the CIO and CISO, or anyone who wants a deeper understanding of the cyber security intrusions that are happening.  If your organization has 500+ employees, your network is sizable, complex and likely distributed.  You may also have regulatory compliance requirements as well as contractual compliance requirements.

Your network may also be a point of discomfort for you in that you are never quite sure that the network and your corporate and customer information is actually secure from unwanted disclosure.

The Situation

You have large stores of data, information and intellectual property to protect and a large number of people and business processes to support.  You are not entirely confident that you know where all the information that the organization depends upon to survive is located, who has access to it, and what they do with it, nor are you confident that this vital organizational resource is properly secured from outside intrusion or internal sabotage.

You intuitively understand that compliance with security requirements and standards is not the same thing as having made your information unavailable to thieves while maintaining easy access to data and information to support business operations.  Compliance should not be confused with security.

You may be aware of the large-scale intrusions that resulted in the disclosure of over 675 million records in 2014 in the US.  You may also be aware that concern over these breaches has reached the boardroom with organizations having to restate earnings, pay significant fines, and senior executives, in some cases, losing their jobs as a result.

You are serious about protecting the information and intellectual property your business needs to operate while protecting the personal, financial, and medical information of your customers and employees, but you are not quite sure you completely understand why and how intrusions occur.

Why Cyber Lessons Learned?

This blog arose from a desire to answer the most common questions I get as a consultant and teacher when one of these massive intrusions occurs: Why?  How?  Why and how did this happen?  How do I prevent this from happening to my organization?

I get these questions most frequently from the students in the information security and incident response classes I teach for the Software Engineering Institute (SEI) at Carnegie Mellon University.  (The SEI is the home of the CERT program.)

These “students” are professionals from industry and government from around the world.  They have one common goal:  To prevent these intrusions and insider incidents from occurring to them.

The goal of Cyber Lessons Learned is to provide the awareness and information necessary to enable you to take steps to protect your enterprise from the underlying problems that allow these incidents to occur.