Monthly Archives: April 2017

The failure of the missile launch by North Korea may have been caused by US cyber attack

The missile launch attempted by North Korea may have been thwarted by a cyber attack carried out by the US Cyber Command.

The crisis between the US and North Korea is escalating, and Donald Trump warns that his military may ‘have no choice’ but to strike the rogue state.

According to The Sun, US cyber soldiers may have hacked the control system of the rocket causing the failure of the launch.

The nuclear test ballistic missile exploded within five seconds of launch; according to the newspaper, US agents used stealthy malware that caused a massive malfunction.

The launch took place near the port city of Sinpo; Kim Jong-un ordered it in defiance of President Trump, who had sent a naval task force to the region.

The US naval force in the area, led by the aircraft carrier USS Carl Vinson, is equipped with rockets capable of intercepting missiles, but they were not deployed.

It was a medium-range ballistic rocket, likely a Nodong. Experts pointed out that North Korea is forced to import the high-tech electronics used in its missiles, so it is plausible that US hackers compromised the supply chain and implanted undetectable malware.

According to some experts, North Korea is vulnerable to cyber attacks because its scientists have to import electronic hardware.

The experts believe that US cyber units may have detected the launch and sent instructions to the malware via satellite from the US National Security Agency headquarters in Maryland.

North Korea missile launch failed

Source: The Sun

Fantasy or reality?

Such an attack requires a huge effort in terms of HUMINT and technical activity, but it is perfectly feasible.

“It is perfectly feasible the US brought down this missile,” said defence analyst Paul Beaver.

“Their cyber warfare capabilities are now highly advanced.

“As soon as military satellites watching Sinpo detected an imminent launch, a team at the National Security Agency would have got to work.”

“It’s possible for them to have sent a signal directly to the missile from Maryland which effectively zapped it out of the sky.”

“North Korea has had a string of launch failures and it may be no coincidence that they have happened as the US went to cyber war.”

President Trump did not comment on Kim’s missile failure.

Analysts believe that Kim will punish military commanders involved in the failed operation.

Kim has a history of punishing failure with terrible retribution, including executing his own officials with anti-aircraft guns.

Looking at North Korea’s military programme, we can see a long series of technical failures; part of the intelligence community attributes these incidents to cyber attacks carried out by the US Cyber Command.

Other ballistic tests have failed in recent weeks, with medium-range North Korean rockets crashing and exploding.

“Last year a Musudan missile fired to mark the anniversary of the birth of Kim’s grandfather Kim Il-sung blew up so soon after take-off it wrecked its launcher,” reported The Sun.

“In November 2015 an attempt to launch a ballistic missile from a submarine ended in failure when the weapon disintegrated underwater.”

“There are many things that can go wrong but it would be impossible to tell from outside if something had affected the internal guidance or control systems,” said defence analyst Lance Gatling.

“It has been openly mentioned that there is a possibility that the North’s supply chain for components has been deliberately infected, and they might never know.”

via: securityaffairs

Google quietly takes on LinkedIn with its own job listings site

The company’s new Hire portal is online but not yet functional.

Google has a new job listings site coming online soon, adding yet another site you’ll need to upload your resume to. You can even visit the Google Hire site now, though it won’t let you sign in, yet. According to Axios, Hire will enable companies to post job listings and individuals to search for and find their next job.

Details are rather sparse, but there are already privacy concerns with the public-facing new site, which asks users to sign in with their personal Google account. There has been some speculation (as yet unfounded) that this would allow potential employers to see your entire search history. According to the Daily Mail, Google has denied these claims. We’ve reached out to Google for comment.

Google isn’t the first big company to jump into the job-recruitment arena. Facebook started rolling out support for job listings this past February. Google is facing a pretty crowded market of established players like LinkedIn, Glassdoor and Monster. To succeed, it will need to bring something different and better to the table.

via: engadget

FBI Warns About FTP Server Vulnerability

The FBI issued Private Industry Notification 170322-001 to smaller health care offices about how cybercriminals are using an old method involving an FTP server to gain access to personally identifiable information (PII) about patients. The notification was issued on March 22, 2017.

The warning focused on the file transfer protocol (FTP), an early way to share files remotely over the internet. Client programs would connect directly to servers that spoke FTP and retrieve the requested files. This method was largely made obsolete by more convenient file transfer methods.

However, the FBI cited 2015 research from the University of Michigan, which stated that 1 million FTP servers have been configured to allow anonymous access. And last year, security researcher Minxomat found about 800,000 anonymous FTP services were exposed, Network World noted.

Accessing Information With an FTP Server

Anonymous FTP, as it is called, does not require any authentication before granting access to the files on the system. It has long been recommended that a server with this service host only public files.

But smaller health care offices may use older, less sophisticated systems that could have been either misconfigured or not properly maintained. These offices may also have a limited understanding of what the required routine maintenance entails; they could have anonymous FTP enabled by default, as opposed to a larger provider that has upgraded and tweaked its system.

The FBI warned that although the PII on these less sophisticated systems is of value, cybercriminals may just want the network access to carry out their own plans. While the personal health information (PHI) stored on these systems is protected by HIPAA statute and could be used maliciously by bad actors, it’s not the only issue associated with anonymous FTP.

Bad actors could warehouse the files used in malware distribution schemes in these convenient FTP silos, for example. Using these compromised systems in some distributed denial-of-service (DDoS) attacks might be expected as well.

Peter Merkulov, vice president of product strategy and technology alliances for Globalscape, told CSO Online that he doesn’t even use non-anonymous FTP, since it is so dangerous and dated. He doesn’t see it used much these days, and if he does, it is usually an out-of-date implementation — such as a larger office whose forgotten implementation remains up because it just was never removed.

FBI Recommendations

The FBI recommended that health care entities contact their respective IT services personnel to scan office networks for anonymous FTP servers. Should the office have a legitimate use for operating an FTP server in anonymous mode, administrators must ensure that sensitive PHI or PII will not be stored on the server. If the FTP server is not needed, then the prudent course of action would be to shut it down so it can’t be used to create an attack vector.
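The FBI’s scanning recommendation can be put into practice with a check like the one below. This is an added example, not code from the FBI notification or the Security Intelligence article; it speaks the FTP control protocol (RFC 959) directly to see whether a service accepts an anonymous login, and the host names, the placeholder password and the replayed server transcripts are constructed assumptions.

```python
"""Inventory check for anonymous FTP: speaks the RFC 959 control channel
directly so the result does not depend on a particular client library."""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Anonymous FTP conventionally takes user "anonymous" with an e-mail-style
# password; the address below is a constructed placeholder, not a real one.
ANONYMOUS_USER = "anonymous"
ANONYMOUS_PASS = "guest@example.invalid"


@dataclass
class ProbeResult:
    host: str
    anonymous_allowed: bool
    detail: str  # last server reply, or the reason the probe stopped


class LineChannel:
    """Line-oriented wrapper over a connected TCP socket (live scans)."""

    def __init__(self, sock: socket.socket):
        self.sock = sock
        self.reader = sock.makefile("r", encoding="latin-1")

    def readline(self) -> str:
        return self.reader.readline()

    def sendline(self, line: str) -> None:
        self.sock.sendall((line + "\r\n").encode("latin-1"))


class ScriptedChannel:
    """Replays a constructed server transcript so the logic runs offline."""

    def __init__(self, server_lines: List[str]):
        self.server_lines = list(server_lines)
        self.sent: List[str] = []  # commands the prober wrote

    def readline(self) -> str:
        return self.server_lines.pop(0) + "\r\n" if self.server_lines else ""

    def sendline(self, line: str) -> None:
        self.sent.append(line)


def read_reply(chan) -> Optional[Tuple[str, str]]:
    """Read one FTP reply, joining multi-line '123-...' replies into one.
    Returns (code, text), or None if the peer closed or sent garbage."""
    first = chan.readline()
    if not first:
        return None
    first = first.rstrip("\r\n")
    if len(first) < 4 or not first[:3].isdigit():
        return None
    code, text = first[:3], first[4:]
    if first[3] == "-":  # continuation lines until "<code> <text>"
        while True:
            line = chan.readline()
            if not line:
                return None
            line = line.rstrip("\r\n")
            if line.startswith(code + " "):
                text += " " + line[4:]
                break
    return code, text


def probe_anonymous_login(chan, host: str = "?") -> ProbeResult:
    """Return whether the server on `chan` grants a session to anonymous."""
    banner = read_reply(chan)
    if banner is None or not banner[0].startswith("2"):
        detail = "no service banner" if banner is None else f"{banner[0]} {banner[1]}"
        return ProbeResult(host, False, detail)
    chan.sendline(f"USER {ANONYMOUS_USER}")
    reply = read_reply(chan)
    if reply and reply[0] == "331":  # "User name okay, need password"
        chan.sendline(f"PASS {ANONYMOUS_PASS}")
        reply = read_reply(chan)
    try:
        chan.sendline("QUIT")  # best effort; the verdict is already known
    except OSError:
        pass
    if reply is None:
        return ProbeResult(host, False, "connection dropped during login")
    code, text = reply
    return ProbeResult(host, code == "230", f"{code} {text}")  # 230 = logged in


def probe_host(host: str, port: int = 21, timeout: float = 5.0) -> ProbeResult:
    """Connect to a real host and run the probe; connection errors are a 'no'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return probe_anonymous_login(LineChannel(sock), host)
    except OSError as exc:
        return ProbeResult(host, False, f"connect failed: {exc}")


if __name__ == "__main__":
    # Assumed inventory of the office's own hosts; replace with real addresses.
    for result in (probe_host(h) for h in ["ftp.office.example", "10.0.0.25"]):
        flag = "ANONYMOUS LOGIN ALLOWED" if result.anonymous_allowed else "ok"
        print(f"{result.host}: {flag} ({result.detail})")
```

A 230 reply to the anonymous credentials marks a server that needs the review the notification describes: either confirm that no PHI or PII is stored there, or shut it down.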

via: securityintelligence

LinkedIn Scam Wants Job Seekers to Hand Over Their CVs

Fraudsters have designed a new LinkedIn scam that uses phishing emails and a fake website to trick job seekers into handing over their CVs.

The scam begins when a user receives a phishing email disguised as a LinkedIn email. In their message, the fraudsters inform the recipient that a company is “urgently seeking for immediate employment” in their region. They urge them to upload their CV to take advantage of the opportunity.

Source: Heimdal Security

Aside from creating a sense of urgency, there are plenty of factors that give this email away as a fake. The email should originate from “LinkedIn” at a legitimate “@linkedin.com” email address. Instead, it comes from “linkedin messages” at the email address info@serv1[dot]cyber-net[dot]bid. (The top-level domain “.bid” mostly designates websites hosting online auctions.) The email also doesn’t properly incorporate other design elements like a footer or connection suggestions that are found in actual LinkedIn emails.

Clicking on the URL or the “Upload Your CV Here” button leads to https://linkedinjobs[dot]jimbo[dot]com, which as of this writing bears a 0/64 VirusTotal rating.

Located at that site is a web page that provides visitors with the option of submitting their CVs.

Source: Heimdal Security

It’s not a good idea to upload your CV to an unfamiliar website. Heimdal Security junior security evangelist Paul Cucu explains why in a blog post:

“Your CV contains a wealth of personal data which a cybercriminal uses to make a profit at your expense. Phone numbers can be sold for companies doing promotional cold calling. Or, the cybercriminal might call you himself in a vishing attack. In other cases, he might use the information for identity theft, using the companies you worked at or attached references as a cover for fraudulent activities.”

Cucu goes on to note the fraudsters can also use people’s CVs to conduct spear-phishing (and whaling) attacks or to perpetrate other common LinkedIn scams.

To protect themselves against these types of schemes, users should confirm the sender and search for other suspicious indicators before they click on an email link. They should also verify a domain before they upload their personal information to a website.

via: tripwire

Inmates hid self-built PCs in the ceiling and connected them to prison network

Do you know who has access to your organization’s network? Are you confident that all the users on your network are authorized to access your systems, and have a good idea of what devices have been connected to your firm’s systems?

If so, good for you.

But not all organizations have such tight control over who gains access to their IT infrastructure. One place, however, where you might hope that access would be tightly policed would be in a prison…

However, the Ohio Inspector General’s Office has just published a report revealing that two prison inmates were able to hide their own self-built PCs in the ceiling of a training room *and* connect them to the Marion Correctional Institution’s network.

Prison staff found the PCs back in 2015, but the security breach has only now been made public with the Inspector General’s investigation into the incident.

The first hint for prison authorities that something out-of-the-ordinary was occurring popped up in July 2015, when a security product sent an email alert to IT staff warning that a contractor’s PC connected to the Ohio Department of Rehabilitation and Correction’s (ODRC) network had exceeded its daily internet access quota.

Which was odd, because the contractor in question – Randy Canterbury – only worked Monday through Thursday. And the alert triggered on Friday, July 3, 2015.

Two weeks later on Friday July 17, 2015, another alert appeared, again linked to Randy Canterbury’s account, and this time associated with attempts to access proxy avoidance websites.

Deeper investigation identified the computer’s IP address and established that it was unauthorized, because its name fell outside the six numbers assigned to known computers in the PC training area.

Carl Brady, who was responsible for IT support at the institution, takes up the story:

I had been told there was a PC on our network that was being used to try and hack through the proxy servers. They narrowed the search area down to the switch in P3 and the PC was connected to port 16. I was able to follow the cable from the switch to a closet in the small training room. When I removed the ceiling tiles I found two PCs hidden in the ceiling on 2 pieces of plywood.

Lax supervision is being blamed for the inmates’ ability to build computers from parts, sneak them past security checks and hide them in the ceiling.

The inmates were also able to run cables which connected the computers to the prison network without being noticed.

“It surprised me that the inmates had the ability to not only connect these computers to the state’s network but had the ability to build these computers,” Ohio Inspector General Randall J. Meyer told local media. “They were able to travel through the institution more than 1,100 feet without being checked by security through several check points, and not a single correction’s staff member stopped them from transporting these computers into the administrative portion of the building. It’s almost as if it’s an episode of Hogan’s Heroes.”

Certainly the inmates’ usage of the computers was audacious, not limiting themselves to downloading software, pornography and guides for making drugs and explosives, but also stealing the identity of another prisoner and submitting fake credit card applications and committing tax fraud.

In all, five inmates have been identified as linked to the hidden computers and moved to other institutions.

If this could happen in a prison where you expect security to be strict, you have to recognize that similar breaches could happen in your own organization. It’s clear, for instance, that the prisoners would have had a much more difficult time pulling off their scheme if they had not managed to ascertain the password of a legitimate contractor – albeit one who didn’t work on Fridays.

via: tripwire

Security Training Should be Legal Requirement, Say Employees

As many as 93% of employees think their company should be legally bound to offer cybersecurity training, yet over half haven’t received any help in the past year, according to FutureLearn.

The social learning platform polled almost 500 employed users of its platform and found that while the vast majority (85%) use email for work, an increasing number also need to use social media (30%), cloud collaboration and storage platforms (45%) and online portals for managing staff and/or customer data (36%).

Over half (57%) claimed they hadn’t received any cybersecurity training in the past 12 months, leaving the organization more exposed to unauthorized access attempts.

Many respondents claimed their employer does provide guidance and has policies on things like data handling, internet security, encryption and password management, yet only 58% said they were confident about keeping the corporate network secure.

The top five skills respondents want to learn are: how to recover from breaches (59%); identifying malware types (57%); how to check if a firm has had a breach (54%); safe storage and handling of customer data (53%) and website safety.

FutureLearn’s Stephen Somerville argued that with the GDPR set to impose massive fines for firms who fail to adequately protect customer data, the stakes have been raised significantly.

“It’s no surprise that organizations who take the threat of cyber-attacks seriously want to educate employees in order to avoid a data breach and the associated potential fines of €20 million or 4% of global annual turnover”, he added.

Cybersecurity training programs are often overlooked by employers in favor of technology investments.

This is especially true among smaller businesses, where budgets are tighter.

A recent poll of 250 UK SMEs by insurer CFC Underwriting found that more than a quarter (27%) still don’t train their employees in cyber-awareness, despite a 78% rise in claims from 2015 to 2016.

That could be set to change, however, with some estimates claiming the training market could be worth as much as $10bn by 2027.

via: infosecurity-magazine

Germany Considers First-Strike Cyber-Attacks

Germany’s interior minister is calling for a rules change that would allow for its cyber-forces to proactively attack foreign hackers and servers.

Such a capability could be used against those targeting critical infrastructure, said Minister Thomas de Maiziere, in an interview with German outlet ARD and reported by Bloomberg.

He called for the drafting of new legislation that would make it legal to carry out first-strike activity in the instance of a clear and present danger. Germany’s armed forces stood up a cyber-defense unit last week, which by July will have a staff of 13,500 dedicated to defending against online attacks. New legislation would expand the scope of that operation.

“We need international rules, as well as in Germany, that aside from allowing protection and defense, will enable the tracing of and, if needed, the elimination of a foreign server,” De Maiziere said. He said that he hopes the decision will come shortly after the country’s upcoming federal elections in September.

The news comes amid growing concern that Russia may meddle with those elections, as it is suspected to have done in the United States.

Wolfgang Bosbach, a senior MP in Chancellor Angela Merkel’s conservative CDU party, said late last year that “there is a general danger—for the Bundestag 2017 election too—of influence-peddling via targeted infiltration from outside, with the goal of manipulating facts or opinions.”

via: infosecurity-magazine

How Mobile Phones Turn Into A Corporate Threat

Over the last year, the number of mobile phones overtook the world population. In countries like the United States, mobile subscribers outnumbered traditional landline users and half of Americans shifted to mobile-only to communicate. In modern smart cities, wireless-only buildings are becoming the new construction standard for homes, factories, and organizations in general. Landline phones are going away—sooner rather than later.

While telephone scams seem like old-school hacking techniques, phones—particularly mobiles—still play important roles for both users and organizations. Just like how business email accounts are targeted by spear-phishing, corporate phones are now targeted by cyber-criminals conducting socially-engineered attacks.

For example, users unknowingly publicize their corporate phone number (for example, on social media sites) and fall victim to fraudsters who collect targeted numbers from these readily available sources. These same attackers carry out attacks using social engineering, thus bypassing the normal protection mechanisms that cover network traffic and emails. In this research, we highlighted the current issues we observed with mobile telephony and the risks they pose for organizations worldwide.

While telephone denial-of-service attacks and robocalls (one-ring calls) are both known and simply considered an annoyance, we looked into more sophisticated attacks conducted over mobile phones, mainly in the form of manual and socially-engineered calls. To this end, our Forward-Looking Threat Research (FTR) team (in collaboration with New York University, Singapore Management University, and Georgia Institute of Technology) recently deployed a mobile telephony honeypot (mobipot) to investigate cellular threats and the cybercrime ecosystem. We wanted to learn not only how these wireless-only attacks are conducted, but also how the cyber-criminals are organized.

Mobipot was configured with honeycards (SIM cards controlled by the researchers) that recorded attacks delivered in the form of calls and messages. The numbers of these honeycards were seeded to potential miscreants with multiple techniques, including running mobile malware that leaked the numbers stored in a test phone’s contact list.

Figure 1 summarizes the architecture of Mobipot, and Figure 2 shows the hardware setup.

Figure 1. Mobipot architecture

Figure 2. Mobipot hardware

Over a seven-month period, the researchers collected 1,021 messages from 215 senders and 634 voice calls from 413 callers. Over 80% of them were unsolicited, comprising threats like scams, fraud, voice phishing and targeted attacks.

Most of these calls and texts were carried out during business hours. This confirms that cybercriminals blend in with normal telephone traffic to appear legitimate. Fraudsters also used GSM proxies and VoIP technologies to mask and spoof their origin numbers. As a result, traditional detection techniques based on blacklists are less effective and new techniques taking into account contextual information are needed. This is where our work comes in.

Scams and Spam

Delivered in the form of automated calls and messages, scams and spam represented 65% of the unsolicited traffic. Mobipot was targeted with messages offering ring tones, mobile plans, online services and games, and other sorts of commercials and ads. Some interesting examples include:

  • Private investigators offering shadowing and surveillance services
  • Hacking services like accessing personal emails and spying on users.
  • Trading of illicit goods like stolen credit cards, hijacked payments accounts, PayPal with verified balances, and invoices in different amounts and formats
  • Political propaganda: “I wish you a New Year of health and peace. I called to tell you that the Chinese disasters continued. How we will be able to not spend money? […] Love to the Chinese Communist Party. In our program, we want to reform the land […]”

Fraud

Fraud was usually manually initiated by fraudsters who used social engineering to lure their victims into performing money transfers. Multi-stage attacks were often employed, with attackers repeatedly contacting the same victim first via a phone call and later by text message. These would ask the would-be victim about the status of a payment. The fraudsters making these calls pretended to be banks, non-profit associations, or friends.

For example, some fraudsters pretended to be one of the honeycards’ mobile providers. They “informed” us that the contract was going to be suspended because the bill was not paid—payment information was sent within the day. In another example, the fraudsters impersonated a corporate postal service and requested a fee to release a parcel detained in customs.

Mobipot also looked into a case where fraudsters asked for the user’s private information such as the spelling of his name, the password associated with a specific account, or his personal IM number and account.

The diagram below shows the connections between our honeycards and some of the numbers that were used to conduct attacks. The squares represent our honeycards (with the method used to seed their numbers to attackers inside). Each circle represents a separate attack, with the number inside showing how many numbers were used. Note that in several cases, multiple campaigns were run by the same attacker (connections between small circles). Most of our honeycards were targeted by different attacks as well.

Figure 3. Connections between campaigns and honeycards

Potential Solutions

Solving this problem requires focusing on both its human and its technical aspects.

Our research shows that there is some risk to making one’s phone number freely known to the public. Employees, particularly those in sensitive roles in a company, should be made aware of these risks. For some, not giving out contact information may be desirable. For others, perhaps a complete separation of their personal and work devices—including the numbers used—may be a good idea.

Whether one’s official number is shared or not, employees should be trained how to handle unsolicited phone calls. Good security training today already includes how to handle unsolicited emails—i.e., the identity of the sender should be confirmed, any instructions contained in the emails should be verified. These practices are already a part of defending against Business Email Compromise (BEC) schemes; the same logic can (and should) be applied to phone calls and text messages. If necessary, these decisions can be made part of an organization’s policies and enforced accordingly.

On the other hand, technical solutions also exist. Incoming calls can be filtered by security products, such as Trend Micro Mobile Security for Android. This provides an additional tool to help users manage the calls they receive on their devices.

Conclusion

Our research shows once again how cybercrime rapidly adapts to a changing world. Fraudsters recognize how mobile phones play an important part in the normal life of millions, and have found different ways to abuse mobile phones to conduct sophisticated and effective social engineering attacks.

In a scenario where organized crime and targeted attacks are becoming more frequent, the mobile devices of employees can now be considered a threat to their organizations. Mobile telephone honeypots allow our researchers to uncover new aspects of these threats.

We initially made our work public at the 11th ACM Asia Conference on Computer and Communications Security in Xi’an, China, with the details in our paper titled MobiPot: Understanding Mobile Telephony Threats with Honeycards. Trend Micro recently presented a follow-up to this, concentrating on Asia-specific findings, at Black Hat Asia 2017, titled Mobile Telephony Threats in Asia.

via: trendmicro

Get Wise to These 5 New Cybersecurity Laws

Laws are often passed when a situation becomes so dire that legislators feel the need to step in and apply some teeth. And when it comes to combating cybersecurity incidents, there seems to be no shortage of global legislative and regulatory reaction to the ongoing procession of headline-grabbing data breaches and attacks affecting organizations around the world. Major security events have been occurring for more than a decade, but as global connectivity and reliance on IT systems rises, the perilous consequences of these incidents continue to expand.

Here is a breakdown of five measures – two in the United States, one in the European Union, one in Australia and one in China – that are likely to impact you in the not-too-distant future, if they haven’t already. Get your compliance and legal teams ready.

1) New York State Department of Financial Services Regulation (23 NYCRR 500)

Current status: Effective as of March 1, but full compliance not required for 18 months

What’s it all about? New York state enacted a prescriptive law affecting banks and insurers (with greater than 10 employees) doing business within its borders. With New York serving as a primary hub for global finance, the requirements are certain to have ripple effects around the world.

In addition, the regulation is expected to serve as a model for other states, much like California’s trailblazing S.B. 1386 did for data breach notifications. Among other provisions, the New York state law requires that “covered entities”:

  • Designate a CISO (who can be employed by an affiliate or third-party provider).
  • Conduct a periodic risk assessment, including of outside vendors (law firms, for example), which are the source of a growing number of breaches.
  • Detect security events.
  • Perform annual penetration testing and bi-annual vulnerability assessments of information systems.
  • Ensure secure development practices for application development.
  • Restrict and review user access privileges to only those systems that access non-public information.
  • Limit data retention.  
  • Establish a written incident response plan. 
  • Use “qualified” security personnel, which can include third-party providers, to manage risks and core security functions.

What’s next? Covered entities also are required to attest to annual compliance. More details can be found here (PDF).

2) The European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

Current status: Becomes law May 2018

What’s it all about? The goal of the regulation, which affects all businesses operating in the EU, is to harmonize data protection laws across the 28 member states and “make Europe fit for the digital age.” The GDPR aims to “give citizens back control over their personal data, and to simplify the regulatory environment for business.” The regulation will place a clear onus on businesses that collect and manage the personal information of EU citizens to protect that information from misuse.

What’s next? Businesses are racing to comply with the new regulation – or risk being sued.


3) The Cybersecurity Disclosure Act of 2017 (S. 536)

Current status: Introduced in the U.S. Senate

What’s it all about? We all know the security skills shortage is an issue for IT departments. But did you know the conundrum also extends to boards of directors? New proposed legislation from Democratic Sen. Mark Warner of Virginia would require boards of directors at public firms to disclose to the Securities and Exchange Commission whether one of their members has security expertise. If they are unable to disclose that, they must explain how they are compensating for this shortcoming. Consumer advocates have reportedly voiced support for the measure as calls for boardroom accountability on security issues grow.

What’s next? This one has far less certainty than the others included in this list. The bill is expected to come up for a vote at an undetermined date.

4) Privacy Amendment (Notifiable Data Breaches) Bill 2016

Current status: Passed both houses of the Parliament of Australia in February, expected to take effect in February 2018

What’s it all about? Organizations will be required to notify the Australian privacy and information commissioner if they experience a breach and affected individuals are at “risk of serious harm” due to the disclosure of sensitive data.

What’s next? This bill has been many years in the works, but now organizations must study the measure and prepare for what, when and how they would disclose in the event of a breach. More details can be found here.

5) The People’s Republic of China Cybersecurity Law

Current status: Adopted last year, expected to take effect June 1

What’s it all about? All eyes are on this measure, as many governments and corporations don’t quite know what to expect when it takes hold. Specifically the law calls for critical infrastructure protection under the guise of national security, but it has been met with strong foreign opposition and confusion from companies and human rights groups – mainly over fears of further internet regulation and concerns that businesses that operate in the country will be forced to turn over sensitive information for storage in mainland China. The law is unofficially translated to English here.

What’s next? The compliance groups at global companies are diligently working to determine how they can meet the new law.

via: trustwave

Information Security Policy Set: It All Starts Here

Information Security Policies, or more accurately Policies, Standards, & Procedures (a Policy Set), are the cornerstone of every security program. It is therefore rather odd that not one client I have ever helped started with any of them in place. While not everyone is a security expert, everyone can be security savvy enough if, and ONLY if, what they are supposed to do is written down!

That’s what a good Policy Set is; an instruction manual on what to do, what not to do, why, and how.

I have written many times on why a good Policy Set is important, and have used the term ‘baseline’ more times than I’ve had hot dinners. I have described what a Policy Set consists of, and even how to manage one, but what I have not done until now is describe how to find a Policy Set that’s right for your business.

First, you may be wondering what’s so hard about finding policies. And I agree; type “information security policy example” into Google and you’ll get tens of millions of hits. Universities readily publish theirs for the world to see (e.g. University of Bristol), and a whole host of organizations even make editable versions freely available. On top of that, online services with ridiculous promises like “THE ONLY WAY TO GET AN INFORMATION SECURITY POLICY CUSTOMIZED FOR YOU IN AN HOUR, GUARANTEED.” are depressingly common.

The challenge is that if you’re looking for information security policies in this fashion you clearly have no experience implementing them, let alone actually writing one yourself. An overly dramatic analogy: I have found thousands of instructions on emergency appendectomies; would you now trust me to perform one on you? A good Policy Set is one that is appropriate to your business. Not your industry sector, not the prevailing regulatory requirement, your business!

Therefore, if you don’t have security expertise in-house, it is very unlikely that you know the right questions to ask providers of Policy Sets. The vast majority of vendors will sell you what you ask for (can’t really blame them for this), so ensuring you get what you actually need is entirely based on the homework you performed beforehand.

To that end I have written something vaguely resembling a white paper to help you. In the imaginatively named ‘Choosing the Right Policy Set’ I have broken the choosing of a policy set vendor into 15 questions. These could easily form the core of an RFI or RFP if you were taking this seriously enough.

Simple questions like; “Can you provide a Document Management Standard and Procedure?” or “Does your service include a mapping of policy statements to the PCI DSS?” are sometimes not even considered. But when you consider that the choosing of a policy set can be the difference between compliance and non-compliance, it makes sense to ask them. Up front!

90% of organizations will end up either throwing something together themselves, or buying the cheapest option available. That’s fine; when regulatory fines start getting handed out they will realize just how expensive their choice was.

via: davidfroud