Technology

Emily Crose is a network security professional with a background in Intelligence and surveillance technologies. She is also an advocate for trans inclusion, including the care and education of transgender children. Her home life consists of being a wife to her wife, and co-mothering her two children.

If you had to choose one event that led you to work in information security, what would it be and why?

 Emily Crose: I always had a vision of myself working for the US intelligence community. In many ways it was my dream to work as a spy, but life, as it sometimes does, brought me back down to Earth with my expectations for my own future. I was going to school to teach History, and I remember having the distinct feeling in my second year that I would rather be a part of history then just be one of the people talking about how other people made history. I changed my major and the rest is history!

Why do you like working in the information security environment?

Emily Crose: It’s a fast paced career path. Being technical means that you always have to keep up with the latest trends and the greater market as it ebbs and flows. Information networks are a space where every level of society is represented in one form or another, and it’s in this space that people find different ways to manipulate, use, and abuse the rules in order to move information from one place to another. I want to be right in the middle of all of that.

If a n00b to the infosec world asked you for a piece of advice, what would it be?

Emily Crose: Start with the basics. Don’t ever forget the foundations that the greater systems of information networks are built on top of and don’t let your ego get so large that you think you have all the answers. Don’t ever let yourself think you’re too smart to be outsmarted.

What is the most important issue facing professionals in the information security landscape today? Why?

Emily Crose: Honestly, the most pervasive issue I’ve noticed among infosec practitioners that transcends all identities regardless of age, race, gender, etc. is imposter syndrome. I don’t know what it is about this industry that causes so many of us to feel like we aren’t worthy of a place amongst our peers, but I’be seen people suffer from this no matter how much success they’ve achieved in their lives. On an individual level, we as professionals in this field need to find a collective confidence and use it constructively. Those who aren’t confident in infosec can find ourselves getting lost in a sea of doubt, and every moment’s hesitation when the heat is on invites a worsening situation.

What is the most important issue facing consumers in the information security landscape today? Why?

Emily Crose: Complacency. Consumers have become so desensitized to the loss of personal information including credit card and social security numbers that the effect it has on our collective psyche at this point is sub %0. That may be a side-effect of the frequency of large-scale breaches and the perception that there’s little to nothing that a consumer can do for themselves to protect their information, but the end result means that lapses in security by major corporations will continue to go unpunished.

What are your three “guilty pleasures” that have nothing to do with information security?

Emily Crose:

– Video games

– Cheap wine

– Young Adult novels

What’s your favorite book-to-movie adaptation and why?

Emily Crose: One of my favorites is the movie Argo. Being familiar with the story of the exfiltration of American diplomats from Iran during the Iranian Revolution before I saw the movie, It was fun to see history come alive the way it did in the movie. Having said that, The historical accuracy of the movie is OK, but has a lot of bits that weren’t quite right even between the way the book and the movie each portrayed the events.

In the spaces where Meltdown, Spectre, and compliance overlap, organizations may be able to find some peace of mind to keep the death knell from ringing over information security.

What Are Meltdown and Spectre?

 
Meltdown and Spectre are fundamental flaws in your computer’s processing chips. Unlike software vulnerabilities, hardware exploits pose a nearly unfixable problem. Since most computers and mobile devices use these processing chips, almost every technological item is compromised. Each of these presents a slightly different problem so understanding what those issues are can help you protect yourself and organization as much as possible.
 
Password managers in browsers and running programs normally have functionality protecting stored data. For example, most internet security protocols incorporate antivirus software and network firewalls. These focus on hackers being able to get through software vulnerabilities. Hardware vulnerabilities engage different computer hacking skills and lead to different IT security issues.

Spectre

 
Spectre impacts more types of processing chips than Meltdown making it harder to combat, but it is also more complex an exploit making it less likely to occur.
 
Imagine a really complex maze. When you start to solve the puzzle, there are many different options for you. Your computer’s memory is similar. In order to speed up information flow, processors make different levels, or branches, of data similar to the branches in a maze. Your computer then guesses, based on the information you’ve accessed in the past the branch of memory where the data you need to access is stored.
 
Spectre uses these branches of the memory maze to guess the location of your passwords and private data. Just like in a maze where one branch is blocked from another, your computer segregates your private and program information from one another. Spectre takes educated guesses as to which branch of the data maze your login information lives and when wrong, backtracks and tries again.
 

Meltdown

 
Meltdown acts differently. Computer security functions predominantly by separating information within the operating system. Think about it as editing a video. First, you take the original video. Then, you use a video editor to splice out the stuff you don’t want. Then you have a final video edit. This totally makes sense in a linear fashion.
 
Computers work similarly. Your password information, like your original video, gets saved in one place as a foundation. However, when your programs talk back and forth, they create temporary files that are then cached and later cleaned out, like what happens during an autosave as you work on splicing. When you finish the splicing, a bunch of temporary information gets deleted. This is the cached temporary files. The information you might want to keep then goes into your final video edit.
 
If you skip this order, then your information gets confused. Meltdown uses what’s called an “out-of-order” command. This basically scrambles small bits of information that make sense to your computer but changes the order in which the information is moved around. Think as though someone takes two milliseconds of the end of your video and moves it to the middle. Now, assume that as part of that two milliseconds they also embed a subliminal message. It would be just enough to scramble the information flow but not enough to ruin the audience experience. However, it also co-opts the message you were trying to send in your video.
 
Meltdown does something similar. By creating the “out-of-order” command, it moves information in a sneaky way that interrupts your computer’s information sharing routine but not even for it to shutdown the device. Then it changes the message which coopts the data.
 

How are the Meltdown and Spectre Vulnerabilities Different from a Computer Virus?

Unlike malware, which infects your computer using the internet, Meltdown and Spectre require physical access to the impacted devices which usually means a USB hack.
 
Traditional software exploits target internet security meaning that your network security, such as firewall software, help protect your organization. In this case, however, traditional antivirus software may not work, even if you do the patches required. With Meltdown and Spectre, the IT security protection requires ensuring that the registries impacted are included in the patch update.
 
Securing the physical environment rather than the electronic environment is more important to protect against these threats. Organizations may want to focus on authorizations and password management to protect devices.
 

What are the Cybersecurity Implications of Meltdown and Spectre?

The long term cybersecurity implications of Meltdown and Spectre will mean replacing hardware slowly over time as the core processors fix the inherent problem. Experts currently assume this can take at least a software generation, maybe two, so the ongoing issues will need to be monitored.
 
While the release of these papers indicates a significant issue, the c-suite can rest a bit easier recognizing that none of these exploits are entirely new. An August 2017 CSO Online article shared an NSA hack to disable the Intel Management Engine interface. As recently as November 2017, Intel created a patch for its Intel Management Engine flaws. Additionally, several companies were focusing on selling computers wherein the Intel Management Engine had been disabled.
 
Experts have recognized these vulnerabilities for a while and been concerned. The Spectre and Meltdown papers simply qualify and quantify these risks which will force front end production changes in the long term.
 

Where Do Meltdown, Spectre, and Compliance Overlap?

Protecting against Meltdown and Spectre requires constant vigilance over your IT environment. This means being up to date with critical software updates as well as password management protocols.
 
In addition, vendor management policies and contractual privacy agreements require even greater due diligence. Understanding who has access to your physical equipment is just as important as how your data cloud is controlled.
 
Moreover, since this impacts processing chips used by large cloud service providers, you need to make sure that you follow their updates as well to ensure your own data protection. If you use Google or AWS, you want to monitor their updates to their own hardware and software.

How Can Automating Compliance Help Protect Against Meltdown and Spectre?

 
Using audit management software for your compliance program protects against these new threats by monitoring your IT landscape continuously.
 
Continuous monitoring and software updates has never been more important than it is right now. Automated SaaS platforms like ZenGRC help organizations review risk and manage compliance by seeing what critical changes need to be made.
 
Compliance is not security, but it is due diligence. With ZenGRC’s comprehensive risk dashboard, you can manage color coded alerts that show your greatest risk responsiblities and the most recent updated critical patches.
 
Setting reminders for quarterly and annual reviews helps ensure that you and your compliance staff are tracking employee authorizations regularly. Understanding updates to password safety also requires ongoing education and monitoring. With a SaaS compliance tool, you can increase the frequency of reviews if you suspect problems within your organization’s privacy and safety protocols.
 
While Meltdown and Spectre will continue to plague the tech industry for a long time, while the bell tolls, compliance may keep it from tolling for thee.
 
To schedule a demo or make an appointment to speak with a GRC expert about how ZenGRC can help protect you from Meltdown and Spectre by strengthening your compliance program, click here.

Leah Figueroa is a 14 year veteran of the data analytics field and works at Gravwell as Lead Data Engineer. She holds a Master’s in Education, almost completed a Ph.D. in research psychology, and has taught kindergarten. A data aficionado, Leah enjoys working in various areas of data, while still remaining passionate about her crusade to improve student data security.  Leah also enjoys being a fiber artist (knitter) and loves cats, InfoSec, picking locks, cooking, and reading.

If you had to choose one event that led you to work in information security, what would it be and why?

Leah Figueroa: I’ve always been interested in the intersection of information security and data analytics. The one thing is when I was working in San Antonio in geriatric research trials. I had gone through all this HIPAA training to make sure data was secure, but I realized people were throwing out so much data or providing access to it without even seeming to care. I knew I had to do something.

Why do you like working in the information security environment?

Leah Figueroa: I love learning, however cliche that might sound, and working in an environment such as this keeps me on my toes. I’m always learning from someone. Infosec is a never-ending set of challenges, which is exciting for me.

If a n00b to the infosec world asked you for a piece of advice, what would it be?

Leah Figueroa: Keep asking questions. Sometimes, I know those questions feel stupid or silly, but in all reality, asking is how we learn. In infosec, the day you stop asking questions is the day you stop learning and that spell disaster.

What is the most important issue facing professionals in the information security landscape today? Why?

Leah Figueroa: Coming to term with biases. There is a distinct lack of color and gender diversity in infosec.  Times are changing, but it is still slow and it negatively impacts anyone who isn’t the standard infosec person. Infosec is young and is still growing. We need to change the landscape now, not in the future, and we need to do so proactively. Bringing in diversity provides creativity and differing points of views and helps foster an environment that supports continuous learning.  Diversity in an ever-evolving landscape ensures you’re ready for the next threat.

What is the most important issue facing consumers in the information security landscape today? Why?

Leah Figueroa: Complacency. So many breaches happen far beyond the control of the customer and many people feel like there is nothing they can do. It seems easier to just throw one’s hands up and just accept what is happening.  But there are so many things individual consumers can do to protect themselves: password managers, following best practices, like immediately changing passwords on consumer grade IoT devices, etc.

What are your three “guilty pleasures” that have nothing to do with information security?

Leah Figueroa: First, it would have to be bad movies. I enjoy thoroughly awful movies (and great ones, too).  Pauline Kale once said “Movies are so rarely great art, that if we cannot appreciate great trash, we have very little reason to be interested in them.” I find that to be true.

Second guilty pleasure would be science fiction – I LOVE science fiction. I’ve been spending time in the worlds built by Nnedi Okorafor lately.

Third, riding would have to be a guilty pleasure. I have an M endorsement and ride as often as I can.  The world on two wheels is a magical place.

What’s your favorite book-to-movie adaptation and why?

Leah Figueroa: Like Water For Chocolate (Como agua para chocolate).  It’s an adaption of the novel of the same name by Laura Esquivel. The movie manages to capture much of the magical realism that makes the novel so satisfying and wonderful.  I’ve read the book and seen the movie many times and it’s always a great indulgence for me. In many Latin cultures, food is a very important part of life (daily life and special events). Growing up as a Cuban American kid in a predominately Mexican American area, this film always reminds me of home and how food culture shapes us.

Dr. Margaret Layton (Meg) has been working in the IT industry for over two decades. In 2001, she joined a start-up company that was acquired by Symantec, and she has since been working in various roles within the company, both on products and working on the intelligence that fuels the front-line responders. She is Director of Engineering for the Cyber Security Services business unit, working with a talented team of software engineers and security professionals building tools for our defenders in cyberspace. Meg has a Doctorate of Information Assurance from the University of Fairfax. She also holds a Master of Science degree in Telecommunications and Computing Management from Polytechnic University in New York, which is now a part of NYU; and a Bachelor’s of Art in Political Science from Albertus Magnus College.  Meg maintains several certifications in the Cyber Security realm that she is passionate about, including both the CISSP and CSSLP certifications from ISC(2), and GIAC certifications for Incident Handling, Forensic Analysis, and Penetration Testing. She is CNSS 4011 and 4012 certified. In her role as Director of Engineering, she also holds Agile certifications. She lives in Virginia with her husband and children, and volunteers as a Technical Mentor for local CyberPatriot organizations, as well as serving as Adjunct Professor for colleges, teaching courses in Information Security, including Computer Forensics and Risk Assessment.

If you had to choose one event that led you to work in information security, what would it be and why?

Meg Layton: There’s probably a couple of different things that led down the path.  When I tell of my start, I often discuss the influence of working in telecom during the dotcom era and working in Africa while learning security.  Security in a developing country is much different than what happens in the U.S.
However, if I had to consider the defining “Here I am and I should stay here” would be the Nimda virus outbreak in 2001. It was what I like to call “the other date in September” that year. I was working in a government facility which was still on severe lockdown. My job was to monitor early versions of SIEM alerting and contact the contractor if I saw anything unusual. There were a lot of delays getting through security in the morning because I forgot that I had my husband’s fishing rods in the van, and metal tubes are suspicious to facilities on lockdown.
I got to my desk, put down my things, checked my screens (it looked fine) and went to get coffee. By the time I returned to the desk, my screen was scrolling through alerts in a ridiculous manner. Because it was a locked down facility, I could only make phone calls.

I called my office. They called a couple of people, and that’s where I found out how collaborative the community really was. By the time the external monitoring service called the facility to “warn of suspicious activity,” we had already removed most of the servers, had an executive briefing, and written rules that would group together and let us know if other infections existed.
A lot of the work that goes on in infosec seems like it is not recognized. But that day, I found the power of smart people working together and making a difference. And plus, I was good at it.

Why do you like working in the information security environment?

Meg Layton: Every day you are solving problems. It isn’t always obvious how, but every day you solve a problem. And in infosec, those problems are often what I tell my kids are “People problems.” Infosec exists because of human traits: desire, doubt, trust, integrity. Human beings are unpredictable and fallible, and all of that is why infosec exists. So there is not always a right answer to a problem, there is just a more secure one or a different way of approaching it. That makes it interesting, every day.

If a n00b to the infosec world asked you for a piece of advice, what would it be?

Meg Layton: Infosec is a wide river, and to get across you need to pick a wave to ride and always learn. The best and most talented people I know in infosec know there is always more to learn. Remember you have to keep learning, since the technology changes so fast you won’t ever get to the “end” and “know everything.” Make mistakes, learn from them, and move on. I guess that was more than a single piece of advice.

What is the most important issue facing professionals in the information security landscape today? Why?

Meg Layton: That’s a hard one because I think there’s a lot. But I think the biggest issue is likely the inability for many professionals to connect their issues with the business needs. The ability to do that will influence investments, regulations, laws, and the future of technology.
I often think of that line from Jurassic Park, “you were so preoccupied with whether you could, you didn’t stop to think if you should.” As we push for agile and faster and more connected, this springs to mind often. How do you articulate how to make things safer in a way that matters not only today, but will matter tomorrow? The infosec professionals better figure it out, and fast.

What is the most important issue facing consumers in the information security landscape today? Why?

Meg Layton: Also hard. Because there is so much facing consumers and so many of them don’t even know it. Probably the biggest issue is understanding the difference between privacy and security combined with  the transparency that organizations provide surrounding these topics. Many consumers are simply unaware, or consider things hard. The stigma needs to change so that the security is accessible and easy to the user so they can have the power to protect themselves.

What are your three “guilty pleasures” that have nothing to do with information security?

Meg Layton: Buffy the Vampire Slayer, because obviously. Musical theater, or really any theater. I often tell folks that my first computer was actually a lighting board, so really theater is why I got into tech. It is not beyond the possibility that I will randomly break into song if I need to. Yay Stage Crew! Third, scrapbooking. I do a lot of preserving of memories and putting pictures on the page kind of soothes me.

What’s your favorite book-to-movie adaptation and why?

Meg Layton: This is tricky. Because I like books so much more than the movies in most cases, and I always have my kids read the books first. What world you enter in your mind when you read is seldom what is created on the screen. So it is going to have to be a toss up, and both because of the sheer talent of the people who created characters: The original Willy Wonka and the Chocolate Factory with Gene Wilder, and the Princess Bride – because, that casting was just genius.

Compliance offers internal stakeholder value even though your stakeholders don’t always see it. Anyone who’s ever been a fan of Calvin and Hobbes cartoons will remember Calvin’s transmogrifier, the cardboard box that magically transforms him into whatever he wants to be. Compliance automation is the way CISOs and CIOs magically transform compliance into internal stakeholder value.
Request a demo today to see how you can transform compliance into internal stakeholder value.

How to Define Stakeholders

Defining your stakeholders is the first step to showing them the value of compliance. You have internal stakeholders as well as external stakeholders. You have high level stakeholders, and you have those who need detailed information.
Internal stakeholders are often the ones you worry about most because they make decisions about your resources. If you provide them with clear information, they will value you more.

ZenGRC offers different levels of information presentation that allow you to give your stakeholders what they need, the way they need it. Being able to decompose your reporting by demographic makes you more effective and helps transform compliance into more than a requirement. Now, you can show your internal and external partners how your value affects them.

Board of Directors

Your Board needs to know the high level vision of your compliance to prove that they have done their due diligence. For companies that need to be SOX compliant, reporting to the Board has legal ramifications as well as business concerns.
With this in mind, you need a compliance tool that offers your Board a quick view of where you’re compliant, how you manage your vendors, and how this relates to the financial bottom line. If you’re currently managing this information on spreadsheets, making this information clear to your Board is time consuming.

ZenGRC offers high level views such as risk heat maps and a system of record dashboard that gives an easy to digest visual showing the percentages of controls finalized and mapped. When your Board wants to know what you’ve been doing to protect the company, this shows them exactly what they need in a way that they’ll understand.

Executives

You know as a member of the c-suite what your cohort needs. However, you’re also the technical one in the group. Your vice presidents, chief financial officers, and chief executive officers don’t need to understand the technical side of compliance. They need you to show them how compliance fits into their corporate strategies.

Your c-suite wants to know their risk, how you’re mitigating it, and how they can turn that into a financial asset. This means they don’t want the details of your definitions of the threats, vulnerabilities, and controls. They want the overview that shows how you’re protecting the organization and how that affects their strategies.

Automated tools allow you to use clean visuals that show the needed metrics. With ZenGRC’s comprehensive dashboard, you can show your c-suite the current risk profile and your controls for those risks. For example, the status bar graph offers your c-suite a color-coded visual of the tasks assigned, in progress, and completed. This provides the metrics needed to inform long-term business decisions.

Senior Management

These are your guys “in the weeds.” They’re helping you do the work to protect your organization. They’re the ones reviewing access logs. They’re the ones creating passwords. They’re the ones training your company’s employees.

These stakeholders need to be able to share information with you and with each other. If you’re collecting their reviews in documents and spreadsheets, you’re putting your information at risk. If two departments use different controls to protect the same asset, you have a compliance problem.

Automation allows you to store information in a single location while offering your internal stakeholders a comprehensive workflow that organizes information. ZenGRC’s tool for compliance increases stakeholder value by allowing your senior managers to see each other’s information so they can streamline their reviews and documentation. More importantly, you get to set access controls. This means that you decide not only what people see but also what they can change. With automation, you can destroy information silos, give people the information needed for their own tasks, and control your program.

Contributors

These stakeholders are everyone else in the organization who need to understand your compliance stance. They can be middle managers, specialists, auditors, or analysts. For example, your sales team may need to understand your vendor management stance to help sell the organization to a client.

With ZenGRC’s platform, your compliance offers stakeholder value by giving you an easy way to share the compliance posture and milestones. If your sales team needs to know your vendor risk tolerance, they can see it. If your business analyst is trying to streamline business processes, they need to see what controls you have in place before implementing a new application, such as payment processing. This means that ZenGRC’s single source of truth can give the information your stakeholders need to do their jobs more efficiently.

Automating Compliance Offers Internal Stakeholder Value

Your internal stakeholders need to know how you’re servicing them. To do that, you have to share information in ways they understand.

ZenGRC is not only easy for your internal stakeholders to use but also provides easy-to-digest information. Request a demo today.