#CyberFLASH: Data-driven defence will best protect enterprises, says expert


Tunnel vision is a phrase that describes looking too narrowly at a problem. To use a cliché, you don’t see the forest for the trees.

Infosec pros suffer from it as well, Roger Grimes, principal security architect in Microsoft’s information security and risk management practice, said at this month’s SecTor cyber security conference in Toronto.

Often all they see is a myriad of threats in front of them every day instead of concentrating on the ones that are most likely to pierce defences.

In short, he argues that what CISOs need to do is create a data-driven defence.

After the conference we caught up with Grimes and asked him to expand.

“I get hired to do penetration testing and in the last 20 years I’ve broken in in an hour or less, except for one company that took me three hours,” he said – and he considers himself an average attacker. “In attacking I’m not that great, but I can break into anything. The reason why is they just don’t do the simple things they should do – the stuff they’ve been told to do for 30 years: Patch, and don’t get tricked into running things they shouldn’t.”

“Most companies for one reason or another really aren’t trying to defend against the right things. The vast majority of corporations could significantly decrease the chance of attacks against their companies by better patching just a few programs and (with the savings) giving their employees better anti-social-engineering training. Yet companies spend millions of dollars on things that are absolutely not going to work because they don’t fix the two biggest elephants in the room”: awareness training and patching the most commonly exploited programs.

Read more here

#CyberFLASH: How to craft a threat intelligence strategy

An increasing number of CISOs are realizing the value of threat intelligence to protecting the enterprise, helping the infosec team with the day-to-day defending. But if you don’t already have a unit or person assigned to doing this, it may be daunting to start.

Adam Meyer, chief security strategist at SurfWatch Labs, has written a useful two-part series for chief security officers who haven’t yet taken the plunge. In the first part he notes that leaders have to decide what the goal of the data collection is, what should be collected and how, what finished, refined intelligence product should be produced, how and to whom it should be delivered, and how it should be consumed.

The CISO also has to decide whether what is wanted is all or a combination of tactical, operational or strategic threat intelligence.

The second part talks about the two parts of a threat intelligence strategy: A collection plan and a management plan.

The collection plan is obvious: It has to define priorities and needs, sources of intel and what decision-makers need. Why a management plan? Because, writes Meyer, intelligence is not a project but a capability that needs to be run like a program. So the management plan looks at who will be the intelligence analyst(s), the tools to be used, how managers make requests to analysts, and whether the deliverables are useful.

If you are thinking about adding threat intelligence to your arsenal, these two columns are a good place to start.

Read more here

#CyberFLASH: New reports warn of extent of phishing

Phishing is one of the easiest ways an attacker can get malware into an organization or trick victims into going to a fake Website, with one vendor saying it found one million confirmed malicious phishing sites in 2015. Unfortunately, the strategy also gives truth to the old adage that people are the weakest link in security.

Two reports released by vendors on Thursday hope to give CISOs a little more insight into phishing attacks.

One, from PhishLabs, says it is currently tracking more than 90 threat actor groups that use spear phishing, with experience ranging from novice cybercriminals to advanced nation-state cyber operations. The number of organizations targeted with so-called Business Email Compromise (BEC) spear phishing attacks – aimed narrowly at senior officials, with the phishing mail impersonating an executive – grew tremendously in 2015, it adds.

“Phishing attacks are cheap, easy to execute and difficult to stop,” it says. “People will continue to fall for phishing attacks. No security tool or training regimen will prevent that from happening. But by detecting phishing attacks early, when they are launched and as soon as they reach inboxes, it is possible to stop the attack and prevent the consequences even if someone does initially fall victim.”

Other significant findings include:

  • 90 per cent of consumer-focused phishing attacks targeted financial institutions, cloud storage/file hosting sites, webmail and online services, e-commerce sites, and payment services;
  • Gmail is used for more than half of all data drop email accounts, making it the top webmail service used by attackers to receive credentials stolen in phishing;
  • Social media is a primary promotion and distribution channel for consumer-focused phishing kits and related goods or services;
  • Techniques to evade automated detection of phishing attacks and to prevent analysis of attack components are becoming more commonplace, even among less sophisticated threat actors.

Read more here

#CyberFLASH: Give management the right security metrics

There’s no doubt the C-suite and boards are paying increased attention to cyber security, hearing more frequently from infosec pros. But are CISOs communicating in a language the business side needs to hear?

There’s no shortage of security metrics, Torsten George points out in a Security Week column today, but what the business side needs to hear is not necessarily what security pros use when talking to each other.

“Upper management and boards want to understand what the organization is doing to prevent security breaches and the effectiveness of these measures, its exposure to future risks and threats, and what areas can be improved.” That means telling them things like the number of vulnerabilities discovered, the number of incidents and the average time a vulnerability remains unpatched isn’t helpful.

Better, he writes, is to focus on metrics that relate risk to the organization’s business goals — for example, the sensitive data that could be exfiltrated through existing vulnerabilities, or the financial impact of critical assets being rendered unusable by an attack.

Being a CISO these days can sometimes feel like a roller-coaster of never-ending crises. To some degree many problems can be solved through doing the basics, including keeping on top of patching and educating users. These aren’t big ticket items. But board level support is vital for solutions that may call for investment, ranging from penetration tests to multi-factor authentication and on.

Read more here

#CyberFLASH: Time to measure your security maturity

Most CISOs think they have a handle on how secure their organization is, pointing with pride to the latest (fill in the blank) system that’s just been installed.

But another way to measure what’s going on is to look at the organization’s security maturity — or, as author Brian Krebs put it in a post Monday, does it make cybersecurity a part of the culture or just pay lip service to it?

There are several models IT security pros can choose from: Krebs cites one crafted by the Enterprise Strategy Group, which breaks organizations down into basic, progressing and advanced. An advanced organization, for example, has a CISO who reports to the CEO, and focuses on incident detection, prevention and response.

An executive at a security vendor suggests a three-tier model which measures maturity in terms of preparedness and expectations. A reactive organization, for example, lacks executive support for IT security, and its IT operations are underfunded, understaffed and lack metrics for reporting. Business units are then ranked 1 to 5 across six categories (for example, security awareness and training).

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.