The Risk Management Framework (RMF) is most commonly associated with the NIST SP 800-37 guide for “Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” which has been available for FISMA compliance since 2004. This was the result of a Joint Task Force Transformation Initiative Interagency Working Group; it’s something that every agency of the U.S. government must now abide by and integrate into their processes.

In cryptography, encryption is the process of encoding information or sensitive data so only authorized parties can access it. Encryption does not itself prevent interference and man-in-the-middle attacks, but denies intelligible content to the interceptor.

As we begin our new decade of the 2020s, we can look back at the last 30 odd years and examine the collaboration between technology and our daily lives. If you think of your day-to-day, it’s easy to see how much our society relies on technology. Consider our smart devices such as mobile phones, watches, even homes. However, what about the technology that we don’t see, that gives us clean drinking water, removes wastewater, and keeps our homes warm?

Although it may seem like IT security and cyber security can be used interchangeably, both terms refer to different things. In this article, we will take a closer look at what makes them different. You might have noticed that ‘cyber security’ and ‘IT security’ terms are often used as synonyms. Yet both terms refer to different things, and this slight difference in their meaning might lead to confusion. We aim to discuss how and why they differ in detail.

While countless companies have found themselves in the headlines after being breached over the last decade, there are also many companies we never hear about. Why is that? What makes them so unique that they were never successfully breached before? Is it that they have top of the line security technology? Is it that they don't have assets that attackers care about? Or is it that they've just gotten lucky thus far? None of those common misconceptions are likely the true reason.

In the not-too-distant future, I can clearly see how ISO 27001, SOC 2 and HITRUST certifications could become a diminished, legacy activity, viewed as a rarity left over from marketing efforts to distinguish an organization’s security posture from its competition. Absurd? Unrealistic?

Consider how many times a day you check your mobile phone, smartwatch, smart TV, and/or other connected devices. How normal does it seem to be reaching out to an external source, not actually sure where this information is stored, or even coming from, but that it’s there, accessible and ready to be taken in? Organizations wishing to migrate to a third-party cloud solution (‘the cloud’) need to understand this point well.

A selection of this week’s more interesting vulnerability disclosures and cyber security news. I certainly have some ‘wow’ items for you this week. The first just does not bear thinking about as to the potential impact this breach could have – it really is an horrorfic ‘wow’: We know that BEC fraud schemes hope to take pot luck at a busy employee’s lapse of proceedure, but when they really have you in their eyes, the grip can be just ‘wow’.

In the previous posts of this series, we discussed how you can secure your infrastructure at scale by applying security policies as code to continuously monitor your environment with the Config Validator policy library and Forseti. In this article, we’ll discuss how you can reuse the exact same policies and Terraform Validator to preventively check your infrastructure deployments, and block bad resources from being deployed in Google Cloud Platform (GCP).