Category Archives: CISO

What’s next for cloud backup?

Cloud adoption was already strong heading into 2020. According to a study by O’Reilly, 88% of businesses were using the cloud in some form in January 2020. The global pandemic just accelerated the move to SaaS tools. This seismic shift where businesses live day-to-day means a massive amount of business data is making its way into the cloud. All this data is absolutely critical for core business functions. However, it is all too often mistakenly … More

The post What’s next for cloud backup? appeared first on Help Net Security.

Can automated penetration testing replace humans?

In the past few years, the use of automation in many spheres of cybersecurity has increased dramatically, but penetration testing has remained stubbornly immune to it. While crowdsourced security has evolved as an alternative to penetration testing in the past 10 years, it’s not based on automation but simply throwing more humans at a problem (and in the process, creating its own set of weaknesses). Recently though, tools that can be used to automate penetration … More

The post Can automated penetration testing replace humans? appeared first on Help Net Security.

What the IoT Cybersecurity Improvement Act of 2020 means for the future of connected devices

Connected devices are becoming more ingrained in our daily lives and the burgeoning IoT market is expected to grow to 41.6 billion devices by 2025. As a result of this rapid growth and adoption at the consumer and commercial level, hackers are infiltrating these devices and mounting destructive hacks that put sensitive information and even lives at risk. These attacks and potential dangers have kept security at top of mind for manufacturers, technology companies and … More

The post What the IoT Cybersecurity Improvement Act of 2020 means for the future of connected devices appeared first on Help Net Security.

How to apply data protection best practices to the 2020 presidential election

It’s safe to assume that we need to protect presidential election data, since it’s one of the most critical sets of information available. Not only does it ensure the legitimacy of elections and the democratic process, but also may contain personal information about voters. Given its value and sensitivity, it only makes sense that this data would be a target for cybercriminals looking for some notoriety – or a big ransom payment. In 2016, more … More

The post How to apply data protection best practices to the 2020 presidential election appeared first on Help Net Security.

76% of applications have at least one security flaw

The majority of applications contain at least one security flaw and fixing those flaws typically takes months, a Veracode report reveals. This year’s analysis of 130,000 applications found that it takes about six months for teams to close half the security flaws they find. The report also uncovered some best practices to significantly improve these fix rates. There are some factors that teams have a lot of control over, and those they have very little … More

The post 76% of applications have at least one security flaw appeared first on Help Net Security.

Work from home strategies leave many companies in regulatory limbo

Like most American businesses, middle market companies have been forced to rapidly implement a variety of work-from-home strategies to sustain productivity and keep employees safe during the COVID-19 pandemic. This shift, in most cases, was conducted with little chance for appropriate planning and due diligence. This is especially true in regard to the security and compliance of remote work solutions, such as new cloud platforms, remote access products and outsourced third parties. Many middle market … More

The post Work from home strategies leave many companies in regulatory limbo appeared first on Help Net Security.

MDR service essentials: Market trends and what to look for

Mark Sangster, VP and Industry Security Strategist at eSentire, is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In this interview, he discusses MDR services and the MDR market. What are the essential building blocks of a robust MDR service? Managed Detection and Response (MDR) must combine two elements. The first is an aperture that can collect … More

The post MDR service essentials: Market trends and what to look for appeared first on Help Net Security.

5 tips to reduce the risk of email impersonation attacks

Email attacks have moved past standard phishing and become more targeted over the years. In this article, I will focus on email impersonation attacks, outline why they are dangerous, and provide some tips to help individuals and organizations reduce their risk exposure to impersonation attacks. What are email impersonation attacks? Email impersonation attacks are malicious emails where scammers pretend to be a trusted entity to steal money and sensitive information from victims. The trusted entity … More

The post 5 tips to reduce the risk of email impersonation attacks appeared first on Help Net Security.

Cybersecurity is failing due to ineffective technology

A failing cybersecurity market is contributing to ineffective performance of cybersecurity technology, a Debate Security research reveals. Based on over 100 comprehensive interviews with business and cybersecurity leaders from large enterprises, together with vendors, assessment organizations, government agencies, industry associations and regulators, the research shines a light on why technology vendors are not incentivized to deliver products that are more effective at reducing cyber risk. The report supports the view that efficacy problems in the … More

The post Cybersecurity is failing due to ineffective technology appeared first on Help Net Security.

Moving to the cloud with a security-first, zero trust approach

Many companies tend to jump into the cloud before thinking about security. They may think they’ve thought about security, but when moving to the cloud, the whole concept of security changes. The security model must transform as well. Moving to the cloud and staying secure Most companies maintain a “castle, moat, and drawbridge” attitude to security. They put everything inside the “castle” (datacenter); establish a moat around it, with sharks and alligators, guns on turrets; … More

The post Moving to the cloud with a security-first, zero trust approach appeared first on Help Net Security.

Preventing cybersecurity’s perfect storm

Zerologon might have been cybersecurity’s perfect storm: that moment when multiple conditions collide to create a devastating disaster. Thanks to Secura and Microsoft’s rapid response, it wasn’t. Zerologon scored a perfect 10 CVSS score. Threats rating a perfect 10 are easy to execute and have deep-reaching impact. Fortunately, they aren’t frequent, especially in prominent software brands such as Windows. Still, organizations that perpetually lag when it comes to patching become prime targets for cybercriminals. Flaws … More

The post Preventing cybersecurity’s perfect storm appeared first on Help Net Security.

CISOs split on how to enable remote work

CISOs are conflicted about how their companies can best reposition themselves to address the sudden and rapid shift to remote work caused by the pandemic, a Hysolate research reveals. The story emerging from the data in the study is clear: COVID-19 has accelerated the arrival of the remote-first era. Legacy remote access solutions such as virtual desktop infrastructure (VDI), desktop-as-a-service (DaaS), and virtual private networks (VPN), among others, leave much to be desired in the … More

The post CISOs split on how to enable remote work appeared first on Help Net Security.

Can we trust passwordless authentication?

We are beginning to shift away from what has long been our first and last line of defense: the password. It’s an exciting time. Since the beginning, passwords have aggravated people. Meanwhile, passwords have become the de facto first step in most attacks. Yet I can’t help but think, what will the consequences of our actions be? Intended and unintended consequences Back when overhead cameras came to the express toll routes in Ontario, Canada, it … More

The post Can we trust passwordless authentication? appeared first on Help Net Security.

What is confidential computing? How can you use it?

What is confidential computing? Can it strengthen enterprise security? Sam Lugani, Lead Security PMM, Google Workspace & GCP, answers these and other questions in this Help Net Security interview. How does confidential computing enhance the overall security of a complex enterprise architecture? We’ve all heard about encryption in-transit and at-rest, but as organizations prepare to move their workloads to the cloud, one of the biggest challenges they face is how to process sensitive data while … More

The post What is confidential computing? How can you use it? appeared first on Help Net Security.

Review: Netsparker Enterprise web application scanner

Vulnerability scanners can be a very useful addition to any development or operations process. Since a typical vulnerability scanner needs to detect vulnerabilities in deployed software, they are (generally) not dependent on the language or technology used for the application they are scanning. This often doesn’t make them the top choice for detecting a large number of vulnerabilities or even detecting fickle bugs or business logic issues, but makes them great and very common tools … More

The post Review: Netsparker Enterprise web application scanner appeared first on Help Net Security.

Most cybersecurity pros believe automation will make their jobs easier

Despite 88% of cybersecurity professionals believing automation will make their jobs easier, younger staffers are more concerned that the technology will replace their roles than their veteran counterparts, according to a research by Exabeam. Overall, satisfaction levels continued a 3-year positive trend, with 96% of respondents indicating they are happy with role and responsibilities and 87% reportedly pleased with salary and earnings. Additionally, there was improvement in gender diversity with female respondents increasing from 9% … More

The post Most cybersecurity pros believe automation will make their jobs easier appeared first on Help Net Security.

New research shows risk in healthcare supply chain

Exposures and cybersecurity challenges can turn out to be costly, according to statistics from the US Department of Health and Human Services (HHS), 861 breaches of protected health information have been reported over the last 24 months. New research from RiskRecon and the Cyentia Institute pinpointed risk in third-party healthcare supply chain and showed that healthcare’s high exposure rate indicates that managing a comparatively small Internet footprint is a big challenge for many organizations in … More

The post New research shows risk in healthcare supply chain appeared first on Help Net Security.

Openness and support: Discussions on why diverse representation in cybersecurity matters

Security Stories podcast
Security Stories Podcast

I can honestly say that the two discussions featured in the latest episode of the Security Stories podcast have inspired and motivated me more than anything else has recently.

I really hope that as many people as possible get to listen to this episode. And I’m definitely not just saying that for my podcast stats 🙂

Diversity in cybersecurity discussion

Firstly, I caught up with my co-host Noureen Njoroge, as well as Leticia Gamill, Cisco’s Channel leader for Canada and Latin America, and Matt Watchinski, Vice President of Cisco Talos.

Together, we discuss a crucial topic in cybersecurity: the significance of diverse representation, and what that can do for the industry.

Leticia oversees team members based across seven countries, and is a passionate supporter of diversity in cybersecurity. Last year she created a non-profit called LATAM Women in Cybersecurity to encourage more women in Florida and Latin America to enter the field.

As the leader of Talos, the largest commercial threat intelligence group in the world, Matt oversees all the intelligence activities necessary to support our security products and services that keep customers safe.

Matt is a huge ally for diversity in cybersecurity. Within Talos, he has created a culture and a hiring policy that ensures voices from multiple backgrounds can be heard.

And of course most regular Security Stories listeners already know my co-host Noureen, but just in case this is your first time listening, Noureen is a threat intelligence customer engineer. She’s the founder of Cisco’s global cybersecurity mentoring forum, running mentoring events twice a month.

She’s also the founder of the Mentors and Mentees women in Cybersecurity group on LinkedIn and the president of North Carolina Women in Cybersecurity (WiCyS) Affiliate chapter.

Noureen is listed among the Top 30 Most Admired Minority Professionals in Cybersecurity by SeQure World Magazine, and was recently crowned winner of the Cybersecurity Woman of the Year 2020 award.

Together, we talk about what leaders can be doing to ensure they’re hiring from a diverse pool of talent, and where they can hire people beyond the usual recruitment channels. We also discuss how organizations can build a culture of mentoring so that members of diverse teams can feel valued, and retainment levels are strong.

Meeting Mike Hanley

Our CISO story for this episode is Cisco’s new Chief Information Security Officer, Mike Hanley.

Mike steps into the role of CISO for Cisco after spending five years with Cisco Duo. He originally joined to run Duo Labs, and was soon asked by Dug Song to be Vice President of Security and to build and nurture the team around him.

During our chat, Mike talks about what the past few months have been like after stepping into the role of CISO for Cisco in the middle of a global pandemic.

A very revealing note for me: I don’t think there was an answer that Mike gave where he didn’t refer to his team. People are clearly the most important aspect of his role, and in this interview you can see exactly why.

In fact, here’s a comment Mike shared that particularly struck a chord with me:

“I’m constantly in awe of the innovative ideas that the people in my team come up with to solve problems. I have middle-school teachers, designers, engineers, and many more fields of expertise in my team – and every single one of them has brought something really unique and significant.”

From the importance of hiring diverse talent, to building a culture of appreciation, openness and fun (he used the word fun six times in the first few minutes – I was keeping count!), Mike’s interview is a fascinating listen for anyone leading a team today.

Episode time stamps

0.00 Intro
02:27 Discussion on diversity in cybersecurity
46:49 Mike Hanley interview
1h 26: Closing remarks

Play the episode

You can listen to this podcast on Apple PodcastsSpotifyGoogle Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

The post Openness and support: Discussions on why diverse representation in cybersecurity matters appeared first on Cisco Blogs.

Becoming resilient by understanding cybersecurity risks: Part 1

All risks have to be viewed through the lens of the business or organization. While information on cybersecurity risks is plentiful, you can’t prioritize or manage any risk until the impact (and likelihood) to your organization is understood and quantified.

This rule of thumb on who should be accountable for risk helps illustrate this relationship:

The person who owns (and accepts) the risk is the one who will stand in front of the news cameras and explain to the world why the worst case scenario happened.

This is the first in a series of blogs exploring how to manage challenges associated with keeping an organization resilient against cyberattacks and data breaches. This series will examine both the business and security perspectives and then look at the powerful trends shaping the future.

This blog series is unabashedly trying to help you build a stronger bridge between cybersecurity and your organizational leadership.

A visualization of how to manage organizational risk through leadership

Organizations face two major trends driving both opportunity and risk:

  • Digital disruption: We are living through the fourth industrial revolution, characterized by the fusion of the physical, biological, and digital worlds. This is having a profound impact on all of us as much as the use of steam and electricity changed the lives of farmers and factory owners during early industrialization.
    Tech-disruptors like Netflix and Uber are obvious examples of using the digital revolution to disrupt existing industries, which spurred many industries to adopt digital innovation strategies of their own to stay relevant. Most organizations are rethinking their products, customer engagement, and business processes to stay current with a changing market.
  • Cybersecurity: Organizations face a constant threat to revenue and reputation from organized crime, rogue nations, and freelance attackers who all have their eyes on your organization’s technology and data, which is being compounded by an evolving set of insider risks.

Organizations that understand and manage risk without constraining their digital transformation will gain a competitive edge over their industry peers.

Cybersecurity is both old and new

As your organization pulls cybersecurity into your existing risk framework and portfolio, it is critical to keep in mind that:

  • Cybersecurity is still relatively new: Unlike responding to natural disasters or economic downturns with decades of historical data and analysis, cybersecurity is an emerging and rapidly evolving discipline. Our understanding of the risks and how to manage them must evolve with every innovation in technology and every shift in attacker techniques.
  • Cybersecurity is about human conflict: While managing cyber threats may be relatively new, human conflict has been around as long as there have been humans. Much can be learned by adapting existing knowledge on war, crime, economics, psychology, and sociology. Cybersecurity is also tied to the global economic, social, and political environments and can’t be separated from those.
  • Cybersecurity evolves fast (and has no boundaries): Once a technology infrastructure is in place, there are few limits on the velocity of scaling an idea or software into a global presence (whether helpful or malicious), mirroring the history of rail and road infrastructures. While infrastructure enables commerce and productivity, it also enables criminal or malicious elements to leverage the same scale and speed in their actions. These bad actors don’t face the many constraints of legitimate useage, including regulations, legality, or morality in the pursuit of their illicit goals. These low barriers to entry on the internet help to increase the volume, speed, and sophistication of cyberattack techniques soon after they are conceived and proven. This puts us in the position of continuously playing catch up to their latest ideas.
  • Cybersecurity requires asset maintenance: The most important and overlooked aspect of cybersecurity is the need to invest in ‘hygiene’ tasks to ensure consistent application of critically important practices.
    One aspect that surprises many people is that software ‘ages’ differently than other assets and equipment, silently accumulating security issues with time. Like a brittle metal, these silent issues suddenly become massive failures when attackers find them. This makes it critical for proactive business leadership to proactively support ongoing technology maintenance (despite no previous visible signs of failure).

Stay pragmatic

In an interconnected world, a certain amount of playing catch-up is inevitable, but we should minimize the impact and probabilities of business impact events with a proactive stance.

Organizations should build and adapt their risk and resilience strategy, including:

  1. Keeping threats in perspective: Ensuring stakeholders are thinking holistically in the context of business priorities, realistic threat scenarios, and reasonable evaluation of potential impact.
  2. Building trust and relationships: We’ve learned that the most important cybersecurity approach for organizations is to think and act symbiotically—working in unison with a shared vision and goal.
    Like any other critical resource, trust and relationships can be strained in a crisis. It’s critical to invest in building strong and collaborative relationships between security and business stakeholders who have to make difficult decisions in a complex environment with incomplete information that is continuously changing.
  3. Modernizing security to protect business operations wherever they are: This approach is often referred to as Zero Trust and helps security enable the business, particularly digital transformation initiatives (including remote work during COVID-19) versus the traditional role as an inflexible quality function.

One organization, one vision

As organizations become digital, they effectively become technology companies and inherit both the natural advantages (customer engagement, rapid scale) and difficulties (maintenance and patching, cyberattack). We must accept this and learn to manage this risk as a team, sharing the challenges and adapting to the continuous evolution.

In the coming blogs, we will explore these topics from the perspective of business leaders and from cybersecurity leaders, sharing lessons learned on framing, prioritizing, and managing risk to stay resilient against cyberattacks.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 1 appeared first on Microsoft Security.

Mind the Gaps! The Requisite Mindset to Stay Ahead of Cybersecurity Threats

Guest Post by Matt Cable, VP Solutions Architects & MD Europe, Certes Networks

At the end of 2019, it was reported that the number of unfilled global IT security positions had reached over four million professionals, up from almost three million at the same time the previous year. This included 561,000 in North America and a staggering 2.6 million in APAC. The cybersecurity industry clearly has some gaps to fill.

But it’s not just the number of open positions that presents an issue. Research also shows that nearly half of firms are unable to carry out the basic tasks outlined in the UK government’s Cyber Essentials scheme, such as setting up firewalls, storing data and removing malware. Although this figure has improved since 2018, it is still far too high and is a growing concern.

To compound matters, the disruption of COVID-19 this year has triggered a larger volume of attack vectors, with more employees working from home without sufficient security protocols and cyber attackers willingly using this to their advantage.

Evidentially, ensuring cybersecurity employees and teams have the right skills to keep both their organisations and their data safe, is essential. However, as Matt Cable, VP Solutions Architects & MD Europe, Certes Networks explains, as well as ensuring they have access to the right skills, organisations should also embrace a mindset of continuously identifying - and closing - gaps in their cybersecurity posture to ensure the organisation is as secure as it can be.

Infrastructure security versus infrastructure connectivity
There is a big misconception within cybersecurity teams that all members of the team can mitigate any cyber threat that comes their way. However, in practice, this often isn’t the case. There is repeatedly a lack of clarity between infrastructure security and infrastructure connectivity, with organisations assuming that because a member of the team is skilled in one area, they will automatically be skilled in the other.

What organisations are currently missing is a person, or team, within the company whose sole responsibility is looking at the security posture; not just at a high level, but also taking a deep dive into the infrastructure and identifying gaps, pain points and vulnerabilities. By assessing whether teams are truly focusing their efforts in the right places, tangible, outcomes-driven changes can really be made and organisations can then work towards understanding if they currently do possess the right skills to address the challenges.

This task should be a group effort: the entire IT and security team should be encouraged to look at the current situation and really analyse how secure the organisation truly is. Where is the majority of the team’s time being devoted? How could certain aspects of cybersecurity be better understood? Is the current team able to carry out penetration testing or patch management? Or, as an alternative to hiring a new member of the team, the CISO could consider sourcing a security partner who can provide these services, recognising that the skill sets cannot be developed within the organisation itself, and instead utilising external expertise.

It’s not what you know, it’s what you don’t know
The pace of change in cybersecurity means that organisations must accept they will not always be positioned to combat every single attack. Whilst on one day an organisation might consider its network to be secure, a new ransomware attack or the introduction of a new man-in-the-middle threat could quickly highlight a previously unknown vulnerability. Quite often, an organisation will not have known that it had vulnerabilities until it was too late.

By understanding that there will always be a new gap to fill and continuously assessing if the team has the right skills - either in-house or outsourced - to combat it, organisations can become much better prepared. If a CISO simply accepts the current secure state of its security posture as static and untouchable, the organisation will open itself up as a target of many forms of new attack vectors. Instead, accepting that cybersecurity is constantly changing and therefore questioning and testing each component of the security architecture on a regular basis means that security teams - with the help of security partners - will never be caught off guard.

Maintaining the right cybersecurity posture requires not just the right skills, but a mindset of constant innovation and assessment. Now, more than ever, organisations need to stay vigilant and identify the gaps that could cause devastating repercussions if left unfilled.

How to Embed a Positive Security Culture in the COVID-19 Remote Working ‘New Normal’

Guest Post by the information security experts at Security Risk Management Ltd

If promoting a positive company-wide security culture had been a challenge before the Covid-19 pandemic, that challenge has just become a whole lot more difficult. That is because the widespread move to remote working has added another layer of vulnerability. It is not simply a question of sharing office systems across a range of settings and the fact that some are using home computers (frequently shared with personal accounts); instead, it is that individuals are now one step removed from the reach of those responsible for in-house information security, usually the Chief Information Security Officers (CISOs), and the organisation’s security protocols.

This fact has not been wasted on ever-opportunistic hackers

Email phishing attacks target individuals, often persuading them to check or type passwords on malicious domains that appear to be legitimate. Researchers have found a 600 per cent increase in the number of phishing emails worldwide this year, frequently using Coronavirus-related themes to target individuals and businesses. These are not always easy to spot, including email headings like ‘revised vacation and sick time policy’ or ‘important message from HR’. It is easy to see how a lone worker could fall into the trap.

The sharp rise in this type of attack reflects what hackers already know: that the human element of an organisation’s security is the weakest link. Of course, best practice network security relies on a number of elements but perhaps the hardest to establish is a positive security culture. CISOs have, however, struggled with this, even before the Covid-19 pandemic changed business practices. A survey of CISOs by ClubCISO reported that 49 per cent felt that organisational culture was already a block to them achieving their security objectives.

In a world where remote working has become the ‘new normal’, effectively engaging individuals is more important than ever. Understanding protocols and providing easy-to-understand training and awareness are crucial for every single user of a network system and this needs to be prioritised in the current climate. But it is equally important that employees feel able to report suspicious activity quickly and in full without fearing blame or repercussions. Without this element of positive security culture, the security policy could fail because employees will be reluctant to highlight suspicious activity, with potentially devastating consequences.

Effective Information Security Management
In the traditional setup, the CISO or ISM would be responsible for network security. Based on an office, they manage the protocols and policies for everything from regulatory and legal compliance to staff training and breach notification. Yet, with little time for preparation, many will be challenged, perhaps lacking the immediate knowledge or experience of how to translate these to the complexities of employees working from home offices.

This is not necessarily bad news but presents an opportunity for positive change. Now we are becoming used to the fact that employees no longer need to be office-based, we can take a step back and ask if the CISO actually needs to be resident within the bricks and mortar of an organisation? Would an outsourced (or virtual) CISO model not be equally well suited – if not better suited - to the ‘new normal’ of remote working?

Virtual CISOs are highly skilled professional teams, drawing on a wealth of experience, working with organisations to meet all the requirements of the CISO function. Individually assigned team members work remotely with an organisation, overseeing network security at all levels; from board-level engagement and compliance to effectively embedding a company-wide positive security culture.

It is also worth noting that they can be used for as much or as little as required, simply advising the resident CISO on strategy or developing and implementing the whole policy. Yet this best-practice alternative does not cost the earth. In fact, it is likely to cost significantly less than the traditional model, while delivering a service which is ideally suited to remote working.