Todd Fitzgerald wrote the books on being a chief information security officer. Here he offers tips on what to do and what not to do in the first few months of a new CISO jo
"Todd Fitzgerald is a builder. An information security leader for more than 20 years (and an IT pro for even longer) he has encountered a common theme in his career: He's the guy who is asked to create programs from scratch.
He started the software life cycle development program in one organization. The data-modeling initiative in another. As he moved from industry to industry, and from one Fortune 500 company to another, he helped launch many organizations' initial security efforts..."
In this Help Net Security podcast, Kevin Sheu, VP Product Marketing and Marcus Hartwig, Senior Product Marketing Manager at Vectra AI, discuss the Vectra superhero survey from Black Hat USA 2019
"The people surveyed were a mix of CISOs, security researchers, security architects, security operations center personnel, and network operations center staff.
Here's a transcript of the podcast for your convenience.
Good morning everybody and welcome to this discussion with a couple of folks from Vectra AI. We're now a couple of weeks out from Black Hat and there are some interesting results that came from it. I felt like this year was different from all the previous years and it's reflected in a survey that we conducted at the Vectra booth this year..."
The common thread: Each acts as a force multiplier, adding value to every other security technology around it
"A few weeks ago, while attending Black Hat 2019, I was invited to participate in a Dark Reading technology panel hosted by editor Tim Wilson. The discussion focused on new types of technologies that can truly improve cybersecurity defenses.
My first instincts were to go with some of the product categories I research daily. For example, I could have described how machine learning algorithms can improve security analytics or vulnerability management..."
With the proliferation of SaaS solutions, API integrations and cloud computing, virtually everything in the modern enterprise is connected to an untold number of outside entities
"In fact, many business processes depend on this connectivity, even when doing so broadens the threat landscape and puts the organization at greater risk.
This interconnectedness means that vendor vulnerabilities become your vulnerabilities. For proof, we need look no further than the massive NotPetya attack that took down hundreds of companies in the summer of 2017. What began as a quasi-cyberwarfare attack on the Ukraine crippled everything from global shipping giant Maersk to a hospital in Pennsylvania, causing $10 billion in losses - all essentially collateral damage. The incident brought the risk of vendor security front and center as the ransomware spread like wildfire, even to organizations that had absolutely no connection to the original targets..."
Scammers leveraged artificial intelligence software to mimic the voice of a chief executive and successfully request $243,000.
"Fraudsters are constantly looking for new ways to scam their victims. One unique case gives the security industry a glimpse of what they could do with artificial intelligence (AI) and voice recording.
As part of an incident in March, an attacker called the CEO of a UK-based energy business pretending to be the head of its German parent company. Analysts believe AI-based software was used to impersonate the chief executive's voice, as it had the slight German accent and other qualities the UK CEO recognized in his boss's voice - qualities that led him to believe the call was legitimate. The caller issued an 'urgent' request to the CEO, demanding he transfer $243,000 to a Hungarian supplier within an hour's time..."
Technology is constantly evolving and new threats to online privacy are no different. While many people already take precautions such as using VPNs (Virtual Private Networks) to keep their web browsing private, these are not universal solutions and it is still important to stay on top of new threats when they are discovered
"One vulnerability which VPN users who wish to keep their web browsing private should be aware of is DNS leaking.
DNS leaking can potentially reveal your entire web browsing history to your ISP (Internet Service Provider) and compromise your privacy - even when you are using a VPN. While it is not a cause for concern to VPN users who simply wish to view streaming site content in other countries or take advantage of regional pricing on flight tickets, VPN users who wish to protect their privacy should take precautions to prevent DNS leaking. So what really are DNS leaks - and how do you prevent them?..."
Malicious actors look for accounts that are springboards to other systems, according to nearly 300 attendees of Black Hat USA
"While black hat hackers and IT security professionals operate on different sides of the fence, a survey conducted at Black Hat USA in Las Vegas last month indicates that they concur on one important point: domain administrator and service accounts make tempting targets for attack.
The survey, conducted by Thycotic, included 300 individuals, of which the majority - 80% - identified themselves as security professionals or white hat hackers. The rest self-identified as black hats, grey hats, or "other." Overall, 59% of all of the respondents see domain admin accounts as a highly desirable target while 44% say that service accounts are juicy bullseyes..."
Why aren't passwords secure enough? Over-use? Lack of updating? Simplicity? Ease of Guessing?
"There's an old Popeye cartoon where the famous sailor with massive forearms stands outside a cave that's blocked by a giant boulder, and he yells, 'Open Says-Me.' 'Open sesame' wordplay aside, if only passwords were this simple.
Password security is not a new conversation. Protecting yourself in the digital world is the responsibility of everyone. Popeye and Olive Oyl included, I suppose - though I'm not sure if they ever adapted to the tech revolution..."
The good news is most insider threats derive from negligence, not malicious intent. The bad news is the frequency of negligence is already ahead of where it was in 2018
"When the challenge of battling inside threats arises, it's tempting to dismiss the process as little more than identifying the rogue employee(s), along with reviewing and refining permissions, controls, and authorizations to prevent recurrence. Depending on the industry, some public apologies may need to be made and some regulatory fines may need to be paid.
The good news and the bad news with insider threats? The good news is most insider threats derive from negligence, not malicious intent, as Katie Burnell, global insider threat specialist at security vendor Dtex Systems, explained in a November Dark Reading webinar about the insider threat. The bad news, she said, is the frequency of negligence is already ahead of where it was in 2018..."