Author: JG Rioux

About JG Rioux

I'm a Cyberist at Cyberistix International. My principal responsibilities are cyber and information security training and conducting ISMS audits.

Helix22 Designed To Be Quantum Immune

Helix22 delivers perfect security assurance because BLAKFX's engineering team took an innovative look at the problem and invented a new model for data security. The approach it took was to protect the data itself. Almost all other data security products try to build a perimeter or are fanatical about user credentials. However, once the product is breached or a password is stolen, even if it is 2FA or encrypted, a firm's data is in the clear.

The world's foremost B2B and B2G data security product.

The Helix22 cryptography is embedded with the data itself through its inventive and patented cryptography of DNA Binding. Therefore, even if credentials are stolen, the data cannot be exfiltrated. It means that all data is 100% protected regardless of the type of attack.

Another substantial advantage of Helix22 is that it protects all data whether at rest, in use or in transit. Many communication apps, for example, only encrypt data while in transit. Therefore, that encryption becomes useless for internal IT security or for Artificial Intelligence or Machine Learning experimentation. All data generated during these massive computing exercises is equally protected in real time. Plus, the latency period for Helix22 is exponentially less than any other security product, so it actually contributes to faster processing times.

The Helix22 is easy to install and runs on all platforms, programming languages, networks and devices.

The Helix22 data security SDK accomplishes the following:

  • It runs on any platform, network, device and in any programming language
  • Installs with 5 lines of code
  • Protects all a firm’s data at rest, in use and transit
  • Renders ransomware threats obsolete
  • Eliminates human error
  • Eliminates all malicious or interior attacks
  • Verifies original content, i.e. minimizes the threat of impersonation attacks and deep fakes
  • Provides perfect future/forward secrecy
  • Delivers “zero-knowledge” encryption
  • Reduces latency
  • Protects all data equally as well on the cloud and at the edge
  • Compatible with all cloud, 3rd party and vendor services
  • Is quantum ready – so there’s no need to upgrade when the time comes
  • Requires no employee training
  • Exceeds all government and banking standards
  • Meets all international compliance regulations

Note: Helix22 has not been certified by any independent, impartial third-party under FIPS-140-2 (-3) or Common Criteria version 3.1 revision 5 (ISO 15408) as of yet (04/06/21)

D2D encryption

BLAKFX claims that its engineers invented and patented a genuine device2device (D2D) encryption. It manages data security transmission through the genuinely brilliant and also patented universal Helix22 key service. The Helix22 encryption originates on the users' network or devices, not just when the app is opened. It means that when data arrives in the key server, it is already encrypted, so all it needs to do is issue another key. Signal and Telegram cannot claim this level of security.

This key will then only work with the intended device, which generates a matching key required to open the data. The key server is indeed a "zero-knowledge" server in this protocol, so all communications and transmissions remain completely top secret. Even if the authorities were to subpoena the key server manager for the data, the manager could honour the request by just handing over the encrypted content. That is all the manager has. Helix22 also only uses keys just one time and then destroys them. This way, the data security is future-forward perfect. Therefore, in this unique device-to-device encryption (D2D) world, there is no opportunity at all for any data leak.

This same protocol just described can be used with all your 3rd party vendors and suppliers. It does not matter in the least what platform they are running or what device they are using, or even the type of data; it is all 100% protected. It is, however, strongly advised that all firms involved utilize Helix22 due to the nature of the data content. Helix22 can ensure that whatever data they are generating is protected as well.

BLAKFX takes it a step further. Even if an organization were a victim of an internal attack or a victim of malicious open source downloads, there is no reason for concern. Any data that has been forwarded, downloaded, copied or saved cannot be exfiltrated. Period. It has the technology industry’s foremost data packets, protected with multi-layered, military-grade encryption algorithms that have already proven the ability to withstand penetration testing from MI5 and quantum computing attacks.

One final practical genius of DNA Binding is that it is immediately compatible with whichever system or software is utilized. Therefore, any organization can forward information to another and then discuss it, and there is immediate privacy.

Final note: The Helix22 SDK sounds promising. I hope that BLAKFX submits proofs of its Pen Test claims and independent, impartial certifications.

Business Continuity Standards & Frameworks

The meaning of 'business' refers to any particular field of endeavour, including governments. The current pandemic has led to a global awareness that organizations in the public and private sectors must know how to prepare for and respond to unexpected and disruptive incidents. COVID-19 has proved that governments and organizations of any size could have benefited significantly from implementing and maintaining Business Continuity Standards.

First, what is Business Continuity?

Business continuity encompasses a loosely defined set of planning, preparatory and related activities. They are intended to ensure that an organization's critical business functions will continue to operate despite serious incidents or disasters that might otherwise have interrupted them. With proper planning, an organization will recover to an operational state within a reasonably short period.

Business continuity includes three key elements: resilience, recovery, and contingency.

  • Resilience: critical business functions and the supporting infrastructure are designed to be materially unaffected by most disruptions, for example, through redundancy and spare capacity.
  • Recovery: arrangements are made to recover or restore critical and less critical business functions that fail for some reason.
  • Contingency: the organization establishes a generalized capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen. Contingency preparations constitute a last-resort response if resilience and recovery arrangements should prove inadequate in practice.

Enter the business continuity standards. They ensure consistency while adopting a specific business continuity methodology. Following guidelines and prescribed procedures also gives any group the possibility of quick turnaround times.

Business continuity standards broadly encompass the following aspects:

  • Quickly establishing resource requirements for restoring operations as well as keeping them operational;
  • Recovery procedures that are prioritized based on the criticality of operations;
  • Protecting employees, resources and assets from legal scrutiny by providing valid evidence of preventive, response and restoration measures;
  • Designing plans at an organizational level that can be integrated across organizations to leverage a consolidated response as and when required.

Many have the misconception that ISO standards are relevant only in the case of big corporations and governments. Budgetary constraints might be a deterrent in the case of some ISO standards. But others, like ISO 22301 in particular, are agnostic as far as organizational size is concerned. And regardless of the sector to which the organization belongs, the ISO 22301 standard is just as adequate.

The following three are the ISO standards most commonly referred to when organizations design a business continuity capability.

ISO/IEC 22301 Societal Security – Business Continuity Management Systems – Requirements – This business continuity standard provides a framework for response strategies and recovery measures through a documented management system. Activities include planning, design, execution, operability facilitation, supervision, evaluation, maintenance and periodic improvements. It will help organizations, regardless of their size, location or activity, to be better prepared and more confident to handle disruptions of any type. Incidents can disrupt an organization; applying ISO 22301 ensures that organizations can respond and continue their operations. Incidents take many forms ranging from large-scale natural disasters and acts of terror to technology-related accidents and environmental incidents. However, most incidents are small but can have a significant impact, making business continuity management relevant at all times. ISO 22301 provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a BCMS. It is expected to help organizations protect against, prepare for, respond to, and recover when disruptive incidents arise.

ISO/IEC 22313:2020 Security and Resilience — Business Continuity Management Systems — Guidance on the use of ISO 22301 – This document gives guidance and recommendations for applying the Business Continuity Management System (BCMS) given in ISO 22301. The advice and recommendations are based on good international practice.

This document applies to organizations that:

  • Implement, maintain and improve a BCMS;
  • Seek to ensure conformity with stated business continuity policy;
  • Need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;
  • Seek to enhance their resilience through the practical application of the BCMS.

The guidance and recommendations apply to all sizes and types of organizations, including large, medium and small organizations operating in industrial, commercial, public and not-for-profit sectors. The approach adopted depends on the organization’s operating environment and complexity.

ISO/IEC 27001:2013 Information Technology – Security Techniques – Information Security Management Systems (ISMS) are the focus area of this ISO standard. Activities include design, execution, maintenance and creating a culture of ongoing improvement. ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the organization’s context. It also includes provisions for the assessment and treatment of information security risks tailored to the organization’s needs. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to apply to all organizations, regardless of type, size or nature.

Other standards relevant to business continuity management and planning include:

ISO/IEC 22320:2018 Security and Resilience – Emergency Management – Guidelines for Incident Management: ISO 22320 defines incident response requirements and allows public and private organizations to establish and enhance their ability to respond to emergencies regardless of their magnitude. ISO 22320 helps mitigate threats and damages and ensures continuity of necessary facilities such as water and food supplies, health, rescue services, fuel delivery, and electricity. ISO 22310 ensures that all related parties are on the same page during a disaster to minimize the chances of misunderstandings and provide more effective use of the combined resources. It encourages the development and implementation of incident response measures to ensure a response suitable to the affected population’s needs. 

ISO 27000 – This consists of a collection of regulatory norms relevant to ISMS. Information systems security is a focus area under this standard, including financial data, employee profiles, customer details and third-party databases.

  • ISO/IEC 27002:2013 Information Technology – Security Techniques – Code of Practice for Information Security Controls – this standard gives a more detailed description of the implementation of controls and is mostly applied in the Do phase (Implementation) of ISO 27001.
  • ISO/IEC 27003:2010 Information Technology – Security Techniques – Information Security Management Systems – Guidance. ISO 27003 focuses on the critical aspects needed to successfully design and implement an Information Security Management System (ISMS) following ISO 27001:2005.
  • ISO/IEC 27004:2016 Information Technology – Security Techniques – Information Security Management – Monitoring, Measurement, Analysis and Evaluation. ISO 27004 guides the development and use of measures and measurement to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of rules, as specified in ISO/IEC 27001.
  • ISO/IEC 27005:2018 Information Technology – Security Techniques – Information Security Risk Management. ISO 27005 specifies methods for information risk assessment and treatment and is useful in the Plan Phase according to ISO 27001.
  • ISO/IEC TS 27008:2019 Information Technology – Security Techniques – Guidelines for the Assessment of Information Security Controls. ISO 27008 guides reviewing the implementation and operation of controls, including technical compliance checking of information system controls, in compliance with an organization's established information security standards.
  • ISO/IEC 27031:2011 Information Technology – Security Techniques – Guidelines for ICT Readiness for Business Continuity. ISO 27031 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity. It provides a framework of methods and processes to identify and specify all aspects for improving an organization's ICT readiness to ensure business continuity.
  • ISO/IEC 27035 Management Systems Standards – Information Security – Information Security Incident Management

ISO 28000:2007 Specification for Security Management Systems for the Supply Chain. ISO 28000 is a business continuity standard that outlines a security management system’s prerequisites from a supply chain management perspective. ISO 28000 specifies a security management system’s requirements, including those critical to the supply chain’s security assurance. Security management is linked to many other aspects of business management. Elements include all activities controlled or influenced by organizations that impact supply chain security. These different aspects should be considered directly, where and when they affect security management, including transporting these goods along the supply chain.

ISO 28000 applies to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:

  • Establish, implement, maintain and improve a security management system;
  • Assure conformance with stated security management policy;
  • Demonstrate such conformance to others;
  • Seek certification/registration of its security management system by an Accredited third party Certification Body; or
  • Make a self-determination and self-declaration of conformance with ISO 28000.

There are legislative and regulatory codes that address some requirements in ISO 28000.

It is not the intention of ISO 28000 to require duplicative demonstration of conformance.

Organizations that choose third party certification can further demonstrate that they are contributing significantly to supply chain security.

ISO 31000:2018 Risk Management – Guidelines. ISO 31000 provides high-level principles and generic guidelines for Risk Management. ISO 31000 is a generic risk management framework that can be applied to any organization regardless of its nature, type, or complexity. Risk treatment and efficient resource allocation are among the highlighted topics. ISO 31000 provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context. ISO 31000 provides a common approach to managing any risk and is not industry or sector-specific. ISO 31000 can be used throughout the organization’s life and can be applied to any activity, including decision-making at all levels.

ISO/IEC 38500:2015 Information technology – ISO 38500 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations. It also guides those advising, informing, or assisting governing bodies. They include the following:

  • executive managers;
  • members of groups monitoring the resources within the organization;
  • external business or technical specialists, such as legal or accounting specialists, retail or industrial associations, or professional bodies;
  • internal and external service providers (including consultants);
  • auditors.

ISO 38500 applies to the governance of the organization’s current and future use of IT, including management processes and decisions related to IT’s current and future use. IT specialists can control these processes within the organization, external service providers, or business units within the organization. It defines the governance of IT as a subset or domain of organizational management, or in the case of a corporation, corporate governance.

ISO 38500 applies to all organizations, including public and private companies, government entities, and not-for-profit organizations. It applies to organizations of all sizes, from the smallest to the largest, regardless of their use of IT.

The purpose of ISO 38500 is to promote effective, efficient, and acceptable use of IT in all organizations by

  • assuring stakeholders that, if the principles and practices proposed by the standard are followed, they can have confidence in the organization’s governance of IT,
  • informing and guiding governing bodies in governing the use of IT in their organization, and
  • establishing a vocabulary for the governance of IT.

PD 25111:2010 Business Continuity Management – Guidance on human aspects of business continuity gives guidance on the planning and development of human resource strategies and policies for the critical phases following a disruption:

  • Coping with the immediate effects of the incident,
  • Managing people during the period of turmoil (the continuity stage), and
  • Supporting staff after recovery of normal operations

PD 25666:2010 Business Continuity Management – Guidance on exercising and testing for continuity and contingency programmes gives all organizations appropriate guidance on exercising, including testing activities, for continuity and contingency programmes. Arrangements for information technology (IT) systems also fall under this general guidance.

Cyber-Espionage Outsourced

In its new report, "The CostaRicto Campaign: Cyber-Espionage Outsourced," BlackBerry describes the actions of a malicious campaign carried out by freelance mercenaries. This form of cyber espionage is handled by an APT (Advanced Persistent Threat) group, dubbed CostaRicto, with malware tooling skills, VPN proxies, and SSH tunnelling.

APT attacks often come from state-sponsored groups or even nation-states that have the means and motive to launch stealthy and prolonged campaigns.
By hiring a mercenary group to carry out the campaign, the real attackers can better protect their identity and elude any detection attempts. Such attackers may also use a third party if they lack the tools, technologies, or talents to execute a campaign from start to finish. A skilled mercenary group often chooses to work only with high-profile customers who can afford their services. These customers include influential organizations (i.e., Bytedance, Prospera Tech, Qualcomm, SMIC, etc.), influential individuals, and even governments (i.e., Bahrain, China, Kuwait, Saudi Arabia, UAE).

Remember: Security is not for the passive! Be vigilant. Trust no one.

Re-training Canada’s veterans for a second career in IT

Coding For Veterans

Coding for Veterans aims to help Canadian veterans transition from military service into Canada’s ICT sector by providing them industry-specific and job-focused training and mentorship to help meet this demand.
Classes are taught through our accredited educational partners. This hands-on program will be designed to give the people leaving Canada’s military the ability to transition into jobs in Canada’s IT sector.

The program will revolve around two different training streams: basic and advanced. The intro level programming course will teach individuals the skills that are essential to any computer programming job. The advanced level courses (cyber, data analytics) will enable individuals with a higher level of expertise to further their technical skills and develop a specialization in certain areas.

Work placement and industry outreach will form part of the program’s core structure, so there will be jobs available for the program’s graduates.

  • With Coding for veterans, the best and the brightest former military members will have computer programming skills and the opportunity to enter Canada’s technology-based workforce.
  • The program will provide support and resources to the graduating students.
  • A business network developed around the program with companies ready to hire veterans: certified employer partners.
  • We work and partner with Veterans Affairs to promote this program, find talent and help veterans find high-quality jobs.
  • We will provide the perfect environment for veterans to connect with employers and former military members who have successfully transitioned.

Coding for Veterans consists of 3 phases.

The 1st phase consists of assessing potential candidates for the “Coding for Veterans” program.

The 2nd phase consists of the educational components: technical and work culture. Upon completing the program, each graduate will have the necessary knowledge to specialize in the IT industry’s specific sectors.

Ultimately, each will be well-equipped to partake in meaningful employment within Canada’s Cyberspace economy.

Apply Here

3 Ways to Implement Zero Trust (ZT) Without Rebuilding Your Network

By Adam Case (Technical Offering Manager – Cloud Identity, IBM Security)

Risk never sleeps. As mobile devices flood the enterprise (especially for a younger generation of workers), the Internet of Things (IoT) expands, and cybercriminals grow in both numbers and sophistication, many security professionals think Zero Trust is the safest approach to defending against constantly evolving network and data security threats.

Network vulnerabilities can be found in the most unlikely places. Bloomberg Businessweek, for example, described a case in which an internet port in a hotel room’s motorized, remote-control curtains offered access to the hotel’s internal computer systems. Fortunately, a cybersecurity contractor discovered that particular security gap during an audit, but the lesson rings true: In today’s connected world, unlocked doors, backdoors and trap doors could be almost anywhere.

What Is Zero Trust Security?

The term Zero Trust was coined by John Kindervag, an analyst at Forrester Research, in 2010 when the model for the concept was first presented. A few years later, Google announced that it had implemented Zero Trust security in its network, which led to a growing interest in adoption within the tech community. ZT gained further traction in 2013, when Forrester Research submitted a report to the National Institute of Standards and Technology (NIST), which was seeking input from technology experts as part of a U.S. government cybersecurity initiative. Forrester, citing a new environment in which "changes like mobility and big data have made 'building stronger walls' an expensive farce that will not adequately protect networks," introduced the concept of Zero Trust, urging organizations to "make security ubiquitous throughout the network, not just at the perimeter."

Zero Trust refers to both a set of practices and a network design philosophy. In short, zero trust inverts the “trust but verify” approach to “verify and never trust.”

Achieve Zero Trust Security in 3 Steps

According to Forrester, organizations should ideally rebuild their networks “from the inside out,” starting with the “system resources and data repositories that we need to protect as well as the places where we need to be compliant.” However, while rebuilding the network may be a desirable long-term goal, there are myriad ways organizations can gain the benefits of zero trust without embarking on a project of that magnitude.

Here are three steps you can take to introduce zero trust security principles into your organization.

1. Strengthen Identity Validation

Although passwords are the first line of defence for most networks, 59 percent of users have the same password for multiple accounts — and it’s a good bet that the remaining 41 percent vary their passwords by only a few characters. Identity and Access Management (IAM) solutions enable organizations to enhance security by applying multifactor authentication (MFA), which may require biometric factors, such as a fingerprint or iris scan, or the use of a physical object, such as a FIDO2-supported device.

2. Segment Sensitive Data

Segmenting or microsegmenting your network enables you to keep large portions of the network safe in the event of a breach, thereby minimizing the damage. The human resources system, for example, is an obvious choice since it contains Personally Identifiable Information (PII). Experts recommend implementing network microperimeters, such as a next-generation firewall and data security controls so that intruders cannot access more than a defined subset of data, even if they can breach the perimeter defences.

3. Scrutinize Access Behaviours

In addition to guarding the network, an effective zero trust strategy includes monitoring access behaviour and using analytics to search for patterns and trends. Analytical tools, tracking access behaviour, and identifying patterns, trends and potential threats can reinforce data privacy — supporting compliance and increasing customer confidence.

The Success of Your Business Is at Stake

A network data breach puts not only customer information, such as credit card numbers, but also corporate intellectual property, employee records and more at risk. In addition to financial damage, loss of reputation and customer confidence — as well as potential legal liability if a breach is found to violate the General Data Protection Regulation (GDPR) or other privacy laws — are at stake.

Malicious hackers never rest, but neither do the good guys on corporate cybersecurity teams. The Zero Trust approach offers a myriad of weapons for the fight.

To learn more, listen to the SecurityIntelligence podcast, “Zero Trust and the Evolving Role of Identity and Access Management.”

Zero Trust is the Way to Go!

If a data breach has occurred, it's already too late. Data breaches may not cost every company millions of dollars, but they too often cause extensive and often irreversible damage to its reputation. Recent studies showed that after a vendor notifies customers of a breach, one-third of customers said they would no longer do business with that company. With cybersecurity, it is best to be proactive; companies need to protect against cybercrime and data breaches before they happen.

Today, cybersecurity is a $125 billion industry and will be worth $248.26 billion by 2023, and yet regardless of the amount of money spent on preventing them, data breaches are showing no signs of stopping. There is an absolute need for a new way to approach cybersecurity strategy.

Traditional security approaches, such as firewalls, try to create a secure area, but that doesn't work in a modern setting because of the adoption of cloud software and mobile access, as well as the sophistication of hackers. That means you need to adopt an approach that recognizes the importance of your data everywhere.

That approach is TNO, Trust No One, or Zero Trust security. Zero Trust is a set of lenses to evaluate every user: verify who they are, see what data they want to access and what security state they're in, and limit that access in a way that minimizes the exposure and attack surface, vastly reducing the opportunities for bad actors to operate, from within and without.

Zero Trust operates on three core premises to achieve maximum security:
1) Verify every user,
2) Validate every device, and
3) Intelligently limit access based on users’ specific needs.
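The three premises above, together with the three IBM steps (identity validation, segmenting sensitive data behind a microperimeter, and scrutinizing access behaviour), can be turned into a single deny-by-default policy decision. The following is an added illustration, not code from the post, from IBM or from Forrester; the user, device and grant inventories, the `hr-db` and `wiki` resources, and the `AccessRequest` fields are all constructed sample data.

```python
from dataclasses import dataclass
from collections import Counter

# --- Constructed inventories (sample data, not from any real deployment) ---
USERS = {
    "alice": {"mfa_enrolled": True},
    "bob": {"mfa_enrolled": False},
}
DEVICES = {
    "laptop-01": {"owner": "alice", "managed": True, "patched": True},
    "byod-07": {"owner": "alice", "managed": False, "patched": True},
    "laptop-02": {"owner": "bob", "managed": True, "patched": False},
}
# Least-privilege grants: user -> resource -> actions the user actually needs
GRANTS = {
    "alice": {"hr-db": {"read"}, "wiki": {"read", "write"}},
    "bob": {"wiki": {"read"}},
}
# Segmented resources (microperimeter): reachable only from managed, patched devices
SENSITIVE = {"hr-db"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool   # outcome of the MFA challenge for *this* request, never cached
    device: str
    resource: str
    action: str


def verify_user(req):
    """Premise 1: verify every user (identity + MFA) on every request."""
    if req.user not in USERS:
        return "unknown user"
    if not USERS[req.user]["mfa_enrolled"]:
        return "user not enrolled in MFA"
    if not req.mfa_passed:
        return "MFA challenge failed"
    return None


def validate_device(req):
    """Premise 2: validate every device; sensitive data needs a compliant one."""
    dev = DEVICES.get(req.device)
    if dev is None:
        return "unknown device"
    if dev["owner"] != req.user:
        return "device not assigned to user"
    if req.resource in SENSITIVE and not (dev["managed"] and dev["patched"]):
        return "sensitive resource requires a managed, patched device"
    return None


def check_grant(req):
    """Premise 3: limit access to what the user specifically needs."""
    allowed = GRANTS.get(req.user, {}).get(req.resource, set())
    if req.action not in allowed:
        return f"no grant for {req.action} on {req.resource}"
    return None


def decide(req):
    """Deny by default: every check must pass; the first failure is the reason."""
    for check in (verify_user, validate_device, check_grant):
        reason = check(req)
        if reason:
            return (False, reason)
    return (True, "allowed")


def flag_repeated_denials(requests, threshold=2):
    """Step 3 (scrutinize access behaviour): users denied at least `threshold` times."""
    denials = Counter(r.user for r in requests if not decide(r)[0])
    return sorted(u for u, n in denials.items() if n >= threshold)


if __name__ == "__main__":
    sample = [
        AccessRequest("alice", True, "laptop-01", "hr-db", "read"),
        AccessRequest("alice", True, "byod-07", "hr-db", "read"),
        AccessRequest("alice", True, "laptop-01", "hr-db", "write"),
        AccessRequest("bob", True, "laptop-02", "wiki", "read"),
    ]
    for r in sample:
        print(r.user, r.device, r.resource, r.action, "->", decide(r))
    print("users to review:", flag_repeated_denials(sample))
```

Note that a valid MFA result from an earlier request never carries over: `mfa_passed` is re-evaluated per request, which is what "verify and never trust" means in practice.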

Cybersecurity training and awareness alone aren't enough; it only takes one weak link to compromise access. Companies have to operate on the assumption that hackers can breach their security layers at any given time. Zero Trust embodies this approach to the threat, continually limiting access to address that concern, while also not overly burdening users with unnecessary authentication.

According to experts, Zero Trust is the most researched cybersecurity trend, more than biometric data, and more than blockchain. It makes sense. It is catching on. I’ll continue to promote it as one of the best security postures a company can take today.

Start reading here: Zero Trust Networks, by Doug Barth, Evan Gilman, Publisher: O’Reilly Media, Inc. Release Date: July 2017 ISBN: 9781491962183

Cybersecurity Plan

Writing a basic security plan is a must for all businesses, regardless of size. For small businesses, a basic security plan will take a few hours to draft (8 to 10 hours), writing up an inventory list takes a few more (2 or 4 hours), and after that, coming up with relevant update and recovery checklists should take you a few more hours (4 or 5 hours).

Note: Writing the draft documentation of information security policies, procedures, and processes needed to satisfy the ISO 27001 requirements is not proportional to the size of your organization; it will take a few dedicated days (4 or 5 days), and a few weeks to refine.

Here’s how a small business builds its working cyber security plan. Large companies have more complex needs requiring a more sophisticated strategy and beyond the context of this article, contact me with you need assistance with your needs.

You don’t need to be an IT security expert to get the job done. If you can run an application like LibreOffice to edit a document and browse the web, you already know enough to protect your organization at a basic level, no black magic involved. Investing in cybersecurity delivers a considerable return on investment, always. Using the FCC Cyber Security Planning Guide, you can create a simple cybersecurity plan for your organization. The first draft of your cyber security plan doesn’t have to win a Pushcart Prize award, but make sure that it’s not a Flannery O’Connor Award For Short Fiction. It does it need to run hundreds of pages with chapters of fine details. Your plan needs to outline the threats you likely face, establish sound policies, procedures, and processes, with clear responsibilities for taking action.

The best security plans are simple, but they demand that everyone involved be proactive and vigilant about security. Everyone concerned should take note of which policies, processes, and procedures are working and which need to be polished, changed, or just thrown out. It’s all about involving everyone and validating your collective knowledge required to be in charge of your cyber security.

To identify and understand your risk, start by listing all your digital assets, such as emails, work files, financial records, employee information, business and project plans, schedules, clients’ data, contracts, and any other information you want to protect.

Before you can protect anything, you need to figure out what you are protecting by taking an inventory of all the assets that contribute to your business and its security. For many companies, the objectives may include:

  • Protecting all your data, such as:
    • Customer sales records
    • Customer credit card transactions
    • Customer mailing and email lists
    • Customer support information
    • Customer warranty information
    • Patient health or medical records
    • Employee payroll records
    • Employee email lists
    • Employee health and medical records
    • Business and personal financial records
    • Marketing plans
    • Business leads and inquiries
    • Product design and development plans
    • Legal, tax and financial correspondence
  • Meeting your regulatory and legislative obligations;
  • Showing your suppliers and clients that you are proactive about your security, implementing and complying with best-of-breed standards from ISO, NIST, and many others.

List your employees and allocate a cyber security task to every person. For example:

  • Responsible for overall cyber security: the Information Security Officer;
  • Accountable for all security-led technical changes: the person most comfortable with software and hardware;
  • Responsible for scheduling and managing updates and checks: everyone, with a team leader;
  • Moreover, everyone must acknowledge that they are responsible for understanding the risks, such as email scams and malware threats, and for staying vigilant while in cyberspace.

Other things your cybersecurity policies, procedures, and processes have to account for include:

  • Accidental damage, such as dropping a tablet and breaking the screen;
  • Technical failure, such as the death of a vital server;
  • Natural disasters, such as earthquake, flood, and fire;
  • Crime, such as a break-in at your premises;
  • External risks, such as malware attacks and industrial espionage;
  • Employee negligence, such as unintentional file deletion;
  • Employee misconduct, such as stealing customer data.

Using NIST SP 800-53 R4, Security and Privacy Controls for Federal Information Systems and Organizations, you can formalize your security controls to help you manage your risks and figure out which people will manage those risks best. NIST SP 800-53 and ISO 27002 will help you decide everything you need to plan how to select controls that mitigate the risks. If you are a Microsoft Windows user, your controls for detecting, updating, recovering, and practising safe computing might include things like:

  • Ensure that all your mail gets swept for viruses, archived, and kept secure;
  • Use digital signature and encryption certificates;
  • Encrypt your data and move it to a central file server;
  • Stop staff from storing information on their local computers;
  • Back up vital encrypted data every day, with local copies and in the cloud (DropBox, Google Drive, iCloud, Mega, OneDrive, SpiderOak);
  • Encrypt and store critical customer and business information locally and in the cloud (DropBox, Google Drive, iCloud, Mega, OneDrive, SpiderOak);
  • Use TNO computing (Trust No One, network segmentation) where only people working on a given project have access to that project’s files;
  • Enforce TNO computing and restrict access to business information like clients’ accounts and payroll to need-to-know only;
  • Set up BitLocker, GNU Privacy Guard, or AxCrypt on all your computers to protect your data against loss or theft;
  • Security-mark every piece of equipment (PC, server, laptop, tablet, mobile phone, and so on);
  • Have a third party conduct an annual audit of your physical security, locks, and alarms;
  • Update your security policies, procedures, and processes yearly and train all new staff, without exception;
  • Hold a refresher course to ensure everyone in the company is familiar with changes to security policies, procedures, and processes;
  • Spot-check regularly to ensure staff take security seriously and follow established protocols.

It’s a reasonably straightforward exercise, but even a basic cybersecurity plan can save you a world of pain. To ensure the integrity of your cybersecurity plan and its policies, procedures, and processes, it is wise to employ a third party to audit your cybersecurity as a whole, or simply to help you implement it: documentation, controls, and so on.

You will find helpful links in the FCC Cyber Security Planning Guide.


Guide to Developing a Cyber Security and Risk Mitigation Plan – NRECA / CRN,

Cyber Security Planning Guide – FCC, (accessed February 18, 2019).

Cyber Security Bulletin: Scams And Frauds – US Army, (accessed February 18, 2019).

Cyber Security Planning Guide – Homeland Security | Home, (accessed February 18, 2019).

Attribution and Prosecution

Justice in Cyberspace

Cybercrimes are on the rise worldwide. National law enforcement agencies around the world have very little success with arrests and even less with prosecutions, and no matter how much money is spent, putting cybercriminals behind bars will continue to prove elusive.

Two of the reasons are attribution and jurisdiction; cybercriminals know this and take full advantage of it.

To put a dent in this trend, two things need to happen.

(1) The creation of an International Attribution Consortium[i] consisting of a “broad team of international experts would provide an independent investigation of major cyber incidents for attribution. Membership should include representatives from two sectors: (a) technical experts from cybersecurity and information technology companies, as well as academia, and (b) cyberspace policy experts, legal scholars, and international policy experts from a diversity of academic and research organizations. A credible and transparent attribution organization should not include the formal representation of nation-states, to avoid an appearance of bias and to protect transparency.”

(2) Nations must stop the current tendency of using their laws (justice systems) and enforcement units to advance political and national interests. Governments need to realize that prosecuting cybercriminals in the jurisdiction(s) where the crime was committed benefits all concerned, especially since wanton criminal acts can traverse geographical borders, creating economic and political havoc in multiple domains and a jurisdictional gridlock in which the criminals are free to repeat their most successful exploits. International law enforcement cybercrime units, like the Interpol and Europol Cybercrime Units, need real power to pursue and arrest cybercriminals and ensure their prosecution, ideally in the jurisdiction with the most severe penalties.

Sadly, Item (1) is more likely to happen anytime soon than Item (2).

Federal budget: RCMP, CSE to get new cybercrime fighting centres (Note: cybercrime fighting centres are currently a good worldwide trend, but with very little worldwide coordination.)

[i] Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace, Santa Monica, Calif.: RAND Corporation, RR-2081-MS, 2017.

Privacy Information Management System (PIMS)

Help is almost here for implementing and confirming compliance with the General Data Protection Regulation (GDPR) and other information privacy acts. ISO/IEC DIS 27552 is designed to enhance the existing Information Security Management System (ISMS, see the ISO/IEC 27000 series) with additional requirements to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). ISO/IEC 27552 provides a framework for Personally Identifiable Information (PII) Controllers[i] and PII Processors[ii] to manage privacy controls, reducing risks to individuals’ privacy rights. It acts as an extension of ISO/IEC 27001 and ISO/IEC 27002 for privacy information management requirements and guidelines.

ISO/IEC 27552 augments the existing ISMS with privacy-specific controls and creates a PIMS to enable effective privacy management by an organization. A well-thought-out PIMS implementation can bring many potential benefits to PII Controllers and Processors.

First, managing compliance with various privacy regulations and policies from numerous jurisdictions can be burdensome, especially since the laws were never organized in a manner that makes them easy for PII controllers and processors to apply. Annex C demonstrates that one single control can account for multiple requirements from the General Data Protection Regulation (GDPR). Using the standard can significantly reduce the complexity of meeting regulations.

Second, the requirement for Data Protection Officers will help provide evidence to senior management and board members of their progress in regulatory privacy compliance. Compliance evidence based on a PIMS and, potentially, its certification can give senior management and board members the necessary assurance that the organization’s implementation meets the applicable privacy requirements.

Third, PIMS certification can be valuable in demonstrating an organization’s privacy compliance to customers, partners, and authorities. PII controllers generally demand evidence from PII processors that the processors’ privacy management system adheres to the required privacy requirements. A consistent evidence framework based on the international standard can greatly simplify such proof of compliance, especially when the evidence needs validation by an accredited third-party auditor. A well-implemented and reviewed ISO/IEC 27552 PIMS is a necessity for the all-important compliance transparency that is so critical to an organization’s strategic business decisions, such as mergers and acquisitions. It will also play a significant role where multiple organizations develop and implement scenarios involving data sharing agreements. Lastly, certifying an organization’s PIMS can potentially serve to signal trustworthiness to the public.

The standard segregates the requirements into the following four groups:

  • Clause 5 outlines PIMS requirements related to ISO/IEC 27001.
  • Clause 6 outlines PIMS requirements related to ISO/IEC 27002.
  • Clause 7 outlines PIMS guidance for PII Controllers.
  • Clause 8 describes PIMS guidance for PII Processors.

Further, ISO/IEC 27552 includes the following informative Annexes:

  • Annex A lists all appropriate controls for PII Controllers.
  • Annex B lists all suitable controls for PII Processors.
  • Annex C charts ISO/IEC 27552 controls against GDPR.
  • Annex D charts ISO/IEC 27552 controls against ISO/IEC 29100.
  • Annex E charts ISO/IEC 27552 controls against ISO/IEC 27018.
  • Annex F charts ISO/IEC 27552 controls against ISO/IEC 29151.

ISO/IEC 29100:2011 – Privacy Framework specifies a common privacy terminology; defines the actors and their roles in processing PII; describes privacy safeguarding considerations; and provides references to known privacy principles for information technology. You can download a copy of ISO/IEC 29100:2011.

ISO/IEC 27018 presents commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in line with ISO/IEC 29100’s privacy principles in cyberspace (the public cloud computing environment).

ISO/IEC 29151:2017 establishes control objectives, controls, and guidelines for implementing controls to meet the requirements identified by a risk and impact assessment related to the protection of PII.

[i] A PII controller (or data controller in some jurisdictions) is a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

[ii] A public cloud service provider is a ‘PII processor’ when it processes PII for and according to the instructions of a cloud service customer. … NOTE Where the public cloud PII processor is processing cloud service customer account data, it might be acting as a PII controller for this purpose.

Semper Paratus

Cyberwarfare and cybercrime are here to stay, no doubt about that. No matter the size of your network, it is imperative to be proactive and prepare for the future. It is of the utmost importance for all organizations to take the necessary basic precautions now to provide a defence on what is now the front line of the future.

Risk management is critical to forming the basis of a sound and strategic cybersecurity program for organizations of all sizes. One can accomplish this through an initial risk assessment in which one identifies, categorizes, and ranks data according to the perceived impact on the organization should that data be exposed, lost, or stolen; the aim is to have the basics in place before disaster strikes.

At a bare minimum, all organizations, no matter their size, should consider the following seven steps to protect their data, supported by standards and guidelines:

1. Set up multi-factor authentication for all users accessing your network, without exception.

  • To help you understand the MFA process, NIST presents a simple primer entitled: Back to basics: Multi-factor authentication (MFA).
  • Further, it serves you well to have a copy of ISO/IEC 27001:2013 – Information Security Management System – Requirements. The standard’s requirements are generic and suitable for all organizations regardless of type, size, and nature. They specify how best to establish, implement, maintain, and continually improve your organization’s Information Security Management System (ISMS). More importantly, it provides risk assessment and treatment methods for tailoring the handling of information security risks to the organization’s needs. To help implement Item 1, see the following requirements in ISO/IEC 27001:2013:
    • Policies and secure engineering:
      • A.9.1.1 – Access control policy
      • A.10.1.1 – Policy on the use of cryptographic controls
      • A.11.2.9 – Clear desk and clear screen policy
      • A.14.1.1 – Information security requirements analysis and specification
      • A.14.1.2 – Securing application services on public networks
      • A.14.1.3 – Protecting application services transactions
      • A.14.2.5 – Secure system engineering principles
    • Networks and messaging:
      • A.9.1.2 – Access to networks and network services
      • A.13.1.2 – Security of network services
      • A.13.1.3 – Segregation in networks
      • A.13.2.3 – Electronic messaging
    • Log-on and privileged access:
      • A.9.4.2 – Secure log-on procedures
      • A.9.4.4 – Use of privileged utility programs
    • Physical access:
      • A.11.1.2 – Physical entry controls

2. Most importantly, use access control to manage who gets access to what data.

  • Consider ISO/IEC 29146:2016 — A Framework for Identity Management. It defines and establishes a Framework for Access Management (FAM) with pointers for the secure management of the processes to access information and Information and Communications Technologies (ICT) resources.
  • Organizations should implement a Zero Trust architecture; this network segmentation approach allows an organization to adopt a “verify everything” approach to data access.

3. Use encryption to protect data at rest and in transit.

4. Enable access to secure, automatic, and always-encrypted backups (keeping Items 1, 2, and 3 in mind).

5. Tightly manage which vendors and partners may access your systems.

6. Be sure to develop and implement well-exercised disaster recovery and continuity of operations plans and, more importantly, make sure they include an alternate location from which to deliver.

7. Adopt cybersecurity frameworks and other regulatory controls to manage and monitor your systems.


Understanding The Implications Cyberwarfare Has On Your…, (accessed February 02, 2019).