
In January, BlackRock accidentally leaked confidential sales data by posting spreadsheets insecurely online – certainly not the first time we’ve seen sensitive information “escape” an organization. Incisive CEO Diane Robinette provides guidance companies can follow to minimize spreadsheet risk.

Several weeks ago, the world’s largest asset manager, BlackRock, accidentally posted a link to spreadsheets containing confidential information about thousands of the firm’s financial advisor clients. As reported by Bloomberg News, the link was inadvertently posted on the company’s web pages dedicated to BlackRock’s iShares exchange-traded funds. Included in these spreadsheets was a categorized list of advisors broken into groups identified as “dabblers” and “power users.”

While BlackRock was lucky in the fact that there was no financial information included on these spreadsheets, they are still left to deal with reputational damage. For the rest of us, this breach brings an important issue — spreadsheet risk management — back into the spotlight.

Despite years of rumors predicting the demise of spreadsheets, they are still widely used by businesses of every size. And why shouldn’t they be? Beyond providing an easy way to categorize clients and business partners, spreadsheets continue to meet the analytical needs of finance and business executives. They are especially useful for analyzing and providing evidentiary support for decision-making and for complex calculations where data is continuously changing. Yet, as we’ve seen time and time again, spreadsheets represent continued exposure to risk.

...

https://www.corporatecomplianceinsights.com/lessons-from-blackrocks-data-leak/

Wednesday, 20 March 2019 15:37

Lessons from BlackRock’s Data Leak

The sharp decline follows an FBI takedown of so-called "booter," or DDoS-for-hire, websites in December 2018.

The average distributed denial-of-service (DDoS) attack size shrank 85% in the fourth quarter of 2018 following an FBI takedown of "booter," or DDoS-for-hire, websites in December 2018, researchers report.

Late last year, United States authorities seized 15 popular domains as part of an international crackdown on booter sites. Cybercriminals can use booter websites (also known as "stresser" websites) to pay to launch DDoS attacks against specific targets and take them offline. Booter sites open the door for lesser-skilled attackers to launch devastating threats against victim websites.

About a year before the takedown, the FBI issued an advisory detailing how booter services can drive the scale and frequency of DDoS attacks. These services, advertised in Dark Web forums and marketplaces, can be used to legitimately test network resilience but also make it easy for cyberattackers to launch DDoS attacks against an existing network of infected devices.

...

https://www.darkreading.com/vulnerabilities---threats/ddos-attack-size-drops-85--in-q4-2018/d/d-id/1334197

Wednesday, 20 March 2019 15:35

DDoS Attack Size Drops 85% in Q4 2018

The #MeToo and #TimesUp movements brought the continuing problem of workplace misconduct onto the national stage, shining a light not only on the prevalence of harassment, but also on the dire need for effective processes to investigate when allegations are made. Clouse Brown Partner Alyson Brown discusses.

Confidential information
It’s in a diary
This is my investigation
It’s not a public inquiry.

— “Private Investigations,” Mark Knopfler/Dire Straits

It’s Friday. Thoughts are turning to the weekend ahead. The phone rings: We have a problem — I’ve gotten a complaint of sexual harassment against a senior VP. What do I do?

I’ve had variations of this call dozens of times. In the months since #MeToo and #TimesUp grabbed national headlines, the volume of calls about workplace complaints, especially those involving senior executives, has skyrocketed.

Employers and executives must act promptly when faced with these complaints. An effective workplace investigation can mean the difference between effective resolution and unwanted litigation. Moreover, in the current business environment, how employers investigate potential misconduct can affect that company’s reputation almost as much as the alleged conduct itself.

Consistent principles and procedures must be followed whenever allegations of misconduct are investigated. While volumes are written on how to ask questions and read body language, less guidance is available on the pre-planning necessary for an effective investigation.

...

https://www.corporatecomplianceinsights.com/laying-the-groundwork-for-a-successful-internal-investigation/

The automation, stability of infrastructure, and inherent traceability of DevOps tools and processes offer a ton of security and compliance upsides for mature DevOps organizations.

According to a new survey of over 5,500 IT practitioners around the world, conducted by Sonatype, "elite" DevOps organizations with mature practices, such as continuous integration and continuous delivery of software, are most likely to fold security into their processes and tooling for a true DevSecOps approach.

Throughout the "DevSecOps Community Survey 2019," responses show that mature DevOps organizations have an increasing awareness of the importance of security in rapid delivery of software and the advantages that DevOps affords them in getting security integrated into their software development life cycle.

...

https://www.darkreading.com/application-security/6-ways-mature-devops-teams-are-killing-it-in-security/d/d-id/1334182

To make sure that homeowners are aware of the importance of flood insurance, the I.I.I. recently partnered with the Weather Channel.

A video posted to the Weather Channel’s Facebook page demonstrates just how destructive flooding can be; for example, in the video you can see the devastation Hurricane Sandy wreaked on Breezy Point, a coastal community in Queens, NY.

“What’s remarkable about flood insurance is that only 12 percent of people have it,” says Sean Kevelighan, I.I.I.’s CEO. One misconception that people have about flood insurance is that it’s included in a homeowners policy. But that’s not the case. A separate flood policy must be obtained. Flood insurance is mostly sold by FEMA’s National Flood Insurance Program, but some private insurers have begun offering it as well.

...

http://www.iii.org/insuranceindustryblog/i-i-i-and-the-weather-channel-get-the-word-out-about-flood-insurance/

The latest twist in the Equifax breach has serious implications for organizations.

When the Equifax breach — one of the largest breaches of all time — went public nearly a year-and-a-half ago, it was widely assumed that the data had been stolen for nefarious financial purposes. But as the resulting frenzy of consumer credit freezes and monitoring programs spread, investigators who were tracking the breach behind the scenes made an interesting discovery.

The data had up and vanished.

This was surprising because if the data had, in fact, been stolen with the ultimate goal of committing financial fraud, experts would have expected it to be sold on the Dark Web. At the very least, they would have expected to see a wave of fraudulent credit transactions.

Nada.

...

https://www.darkreading.com/vulnerabilities---threats/the-case-of-the-missing-data/a/d-id/1334181

Wednesday, 20 March 2019 15:30

The Case of the Missing Data