Introduction to Cybersecurity Regulation

Keatron Evans, Cybersecurity
Cybersecurity Regulations

If you are a public company, you have regulations that force you to worry about cybersecurity, because if your data gets stolen and it causes the price of that company's shares to drop, the shareholders can sue you: you are now legally responsible for maintaining some level of security. The same goes for hospitals and health insurance companies. They have something called HIPAA. That's a regulation that says, basically, if you hold medical information you are responsible for securing it.

The same goes for any business that takes credit cards as a form of payment; there is something called PCI. That's a regulatory requirement to maintain a certain level of cybersecurity in order to be able to take credit cards. It's becoming a very regulated thing. Think about the recent grilling of Mark Zuckerberg by Congress, when they held that committee hearing. The Equifax breach that happened last year is probably one of the biggest in history. There was an entire congressional hearing about that breach, where the CEO and some other people had to answer some really tough questions about why they didn't have these controls in place. I think everybody has to be worried about it to some extent, some places more than others, but everybody has some kind of responsibility now to do something.

There was recently an international one called GDPR. That was mostly spearheaded by the Europeans, but it's affecting us here in the US as well. The ones I mentioned, GLBA for banks and SOX for publicly traded companies, do have requirements to have a security audit or a penetration test done, which is one of the services we provide. Depending on the regulation, they are legally required to have one of those done once a year, once a quarter, or every time you make a significant change to the network or to the data structure; you have to have things retested. There are regulations already in place that require organizations to have at least a yearly penetration test and security audit done.

It used to be a lot easier to do that, because systems used to be much simpler. We did simple things, and we only did a few things with our computers. Now we do everything with them. Browsers are smarter, the applications we use are smarter, and what that leads to is more bells and whistles and more moving parts. Now it's harder to spot that weird thing happening, because there are always weird things happening with the increased functionality of what we do with computers.

What's happening now is that the attackers are evolving as well, because one big part of hacking and penetration testing is something called evasion and covering your tracks, and there's an entire art form around not setting off bells and whistles and not letting people know what you are doing. In the classes that I teach, we spend an entire half a day just on teaching the students how to do that part: okay, now you know how to break in, let's look at how to break in without ever being noticed. We are doing classes for the good guys; you can imagine the bad guys are really on the ball on that part of the attack vectors as well.