STE WILLIAMS

CryptoWall 4.0 A Stealthier, More Sweet-Talking Ransomware

Less ‘gimme all your money,’ more ‘please buy this software package.’

A sweet-talking, stealthier, new version of the CryptoWall ransomware, CryptoWall 4.0, is in the wild, according to researchers at Heimdal Security and BitDefender.

The previous version, CryptoWall 3.0, just came out in January, and according to figures released last week by the Cyber Threat Alliance, it has already extorted $325 million from tens of thousands of victims worldwide. CryptoWall 4.0 aims to surpass that performance.

Ransomware is not exactly shy; it will always make itself known eventually. Security tools nevertheless hope to catch it when it first creeps onto a machine and stop it before it springs into action. CryptoWall 4.0, however, has been modified to evade detection by security tools, “even by 2nd generation firewall solutions,” according to Heimdal Security.

When the malware makes its move, the new CryptoWall not only encrypts files, as it always has done, it also encrypts filenames. Heimdal Security states this new technique increases victims’ confusion, and thereby increases the likelihood that they’ll pay the ransom, and quickly.

4.0 also contains a strikingly different ransom message than earlier CryptoWalls. Previous versions have always aimed to frighten and harass victims, but as BitDefender explains, the new ransom message is “longer, less alarming and with a hint of irony.”

Instead of being an obvious threat from an attacker, the new message hides the threat inside a welcome wagon. Rather than simply demanding a ransom to decrypt the files, they recommend “purchasing the software package” for $700, payable in Bitcoin.

The ransom note itself has the cuddly filename “HELP_YOUR_FILES,” comes in TXT, HTML, and PNG form, and includes the text “Congratulations! You have become a part of large community CryptoWall!” and “the instructions that you find in folders with encrypted files are not viruses; they are your helpers.”

The message urges victims to “think logically” and not get security products involved, because their attempts could prove fatal to their files.

It isn’t all soft-sell, cajoling, and reason, though. The message has some bite, stating: “In case if these simple rules are violated we will not be able to help you, and we will not try because you have been warned.”

As Heimdal Security explains “Cryptoware creators act like they run software companies,” continuing to enhance their code, addressing advancements in security controls, and using all possible social engineering techniques at their disposal to trigger payment.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands, November 12-13, 2015. Click here for more information and to register.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/vulnerabilities---threats/cryptowall-40-a-stealthier-more-sweet-talking-ransomware-/d/d-id/1323012?_mc=RSS_DR_EDT

Undercover cop answers Craigslist ad for a hacker


A US man from the state of Pennsylvania – who, evidently, doesn’t quite understand that police use computers and has never heard of Tor – is looking at 2 to 4 years in jail for trying to recruit a cybercriminal to erase his court records and wipe out $16,000 he owed in fines.

He wanted those fines to go away. So Zachary J. Landis posted a listing on Craigslist …using his personal email and phone number, according to ABC27 news.

What’s that noise? Do you hear it? I think it’s the sound of police laughing hysterically.

Yes, Landis wound up trying to hire an undercover cop.

According to a release from Lancaster County District Attorney (DA) Craig Stedman’s office, Derry Township police discovered the Craigslist ad.

They shuffled it over to the DA’s office.

Then, one of the DA’s detectives got in touch with Landis, posing as a cyber-genius who was up for the work.

“Caveat emptor,” Landis must have been muttering to himself.

Before shelling out for the job, Landis told the detective to erase a bit of that $16,000 – just to prove he could.

The negotiations included Landis sending the supposed hacker three docket sheets – a pretty tidy way to link himself to the ad and the crimes referenced therein, thereby tying a bow around an open-and-shut case.

He must have taken hitman-hiring tutorials from Silk Road head honcho Ross Ulbricht.

Ulbricht allegedly made six attempts to arrange murders in order to protect the site. The one hitman he managed to hire – to torture and kill employee Curtis Clark Green – turned out to be an undercover agent.

Landis, 27, was sentenced to 2-4 years in state prison after pleading guilty last week to felony counts of computer trespass, unlawful use of a computer, and tampering with public records.

Image of Craigslist homepage on a monitor courtesy of Gil C / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dbIoZ10pv60/

Boasting about your binges on Facebook could hurt your credit score


How many times does the word “wasted” show up in your social media profiles and posts?

What?! You don’t know?

Even if you’re not sure of the answer, if you are in the US, looking for credit, there’s now a chance that the companies who assess your creditworthiness will.

If you’re planning to get a car loan anytime soon with a sketchy credit history, you might want to check up on your online posts. US credit analytics companies may well be taking a look at your online self to gauge your language and other things they consider indicative of your ability to pay off a credit card or loan, including whether you’ve frequently changed addresses – an indicator that you may have had problems paying rent.

The news comes from the Financial Times, which reports that two of the top credit analytics companies in the US are exploring new ways to assess consumers’ creditworthiness.

One of the companies, FICO, has been working with a dozen US credit card companies on a pilot project that it claims can be used to reliably price loans to millions of people who’ve historically been seen as too risky.

That includes poring over would-be borrowers’ phone and utility bills, change-of-address records, and their histories of DVD rentals and furniture rental.

FICO CEO Will Lansing told the news outlet that those data points are located on a spectrum of consumer data.

On one end of that spectrum is a history of credit card repayment, which is the gold standard of assessing creditworthiness.

On the other end is where they can find our slimy social media trails, which lead to things like posts about how much we hate our jobs; how happy we are to have, say, robbed a bank; our plans for an epic burglary spree; or, then again, all about our drunken binges.

Lansing:

If you look at how many times a person says ‘wasted’ in their profile, it has some value in predicting whether they’re going to repay their debt.

It’s not much, but it’s more than zero.

Subprime loans – those for people who have a higher credit risk – are big business for banks.

Both FICO and TransUnion – another credit analytics company – are turning over rocks to find reasons to make subprime loans.

Jim Wehmann, executive vice-president for scores at FICO:

The market was absolutely hungry for a solution.

For consumers, the new model could translate into better loan terms for people with low credit scores.

There are already scads of reasons to clean up your social media profiles: your employability is one.

Our Facebook profiles, Twitter feeds, LinkedIn pages, or Flickr photostreams are extensions of our resumes and job applications.

We can build them into resources that present us as perfect employees, or we can get fired before we even start a job by a boneheaded tweet.

Now, there’s one more reason: we want a loan. We want to trade in that sputtering lemon we’ve been driving around and get something that doesn’t shed parts like a bad case of metallic dandruff.

Been getting wasted a lot lately? You might want to keep it to yourself!

If you’ve been oversharing, seek out the delete button.

Get in every nook and cranny – of which there are many – where credit-unworthy posts may hide.

Here’s a good article about how to clean up our slime trails for a job application; it’s the same advice for what looks to be coming down the pike for loan seekers.

Image of woman at computer courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ePwVXPByzVQ/

You just won a 100-to-1 bet! What harm could a happy selfie do?

What harm can a selfie do?

How much do you really give away if you upload images that contain snippets of information unique to you?

Just how much detail can a crook really make out in a low-resolution mobile phone snapshot that’s uploaded to a social media site?

And even if crooks could dig out all sorts of stuff, why would they?

Not to make our readers feel insignificant, but who’s interested in you, anyway?

Who would go after snippets of your PII (personally identifiable information) when there are security-challenged organisations with millions of customers to go after instead?

For example: communications companies, retail chains, hotels, operating system vendors [Make that billions of customers – Ed.] and, sad to say, even North American surveillance specialists.

A little bit of caution

Well, here’s one reason why a little bit of caution in what you share goes a long way.

For this story, however, we need a tiny bit of background into Aussie sporting culture.

If you have ever been to Australia, you will know that football is enormously popular, but there are three completely different sorts: Association (also known as soccer), Australian and Rugby, which is itself divided into two similar but incompatible codes, Union and League.

Likewise, there is cricket, which is like baseball but without the dreadfully dull bits where no one hits a run for hours, and with pies instead of hot dogs.

But even cricket has multiple flavours, from Twenty20, through One Dayers to the ultimate test of a spectator, the five-day Test Match.

In a word: variegated!

So it’s a surprise to find that there is one sporting event that cuts across all these cultish divisions, and that is The Race That Stops The Nation, better known as the Melbourne Cup.

It goes like this: on the first Tuesday of November, everyone bets after-tax income on some horses running round a track while wearing peculiar hats (the gamblers, not the horses).

And the 2015 Melbourne Cup was a race of legend: won for the very first time by a female jockey on a rank outsider – at odds of $101, or 100-to-1 in the old measure, if you can believe it!

As jockey Michelle Payne said after riding Prince of Penzance to a win:

I can’t say how grateful I am to the people who helped me, and I want to say to everyone else, get stuffed, because women can do anything and we can beat the world.

That’s exactly how Chantelle, an Aussie from Western Australia, probably felt, too.

She, along with two friends, put a modest bet on Prince of Penzance and were delighted to win close to $1000, thanks to the extreme odds.

So delighted!

Our winning punters were so delighted that two of them – Chantelle and Sam – uploaded snapshots on Facebook showing themselves quite literally open-mouthed in wonder, with the winning ticket held up to prove it!

Turns out that their winnings, though substantial, were within the bounds of the betting agency’s automatic payout machines: just let the device read your ticket, and cash out at once.

But when they hit the payout machine…

…they apparently found that a facsimile of the ticket, or at least a copy of its barcode, almost certainly constructed from the images they’d uploaded to Facebook, had snaffled the prize already.

What next?

The silver lining?

Thanks to the publicity around this particular case, the joker who stole the winnings – we’re assuming that claiming a prize this way is a criminal matter, and that they’re probably going to get caught – is going to get the public hammering of a lifetime.

But spare a thought for all those cases of identity theft, PII misuse, cyberstalking and more in which the perpetrators have never been caught…

…and in which the victims haven’t had the mollifying influence of public sympathy.

One simple tip?

If in doubt, don’t give it out. (The internet will still be plenty of fun.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4Lb65yC_SbA/

ProtonMail still under attack by DDoS bombardment

Secure webmail outfit ProtonMail is still fighting against a sustained DDoS attack that has left its service largely unavailable since Tuesday.

In a statement posted to a hastily erected blog site, ProtonMail said the powerful attack by unknown parties has also inflicted collateral damage on third-party organisations.

The attackers began by flooding our IP addresses. That quickly expanded to the data centre in Switzerland where we have our servers. In the process of attacking us, several other tech companies and even some banks were knocked offline temporarily.

Despite our best efforts, we have been unable to stop the attack but we are working non-stop to get back online.

Even though access is limited, an important thing to note is that our core end-to-end encryption holds strong and is 100 per cent untouched. All user data is fine and safe.

The motives, much less the perps behind the attack, remain unclear. ProtonMail is using its official Twitter feed to provide status updates.

It used this channel to reassure customers that their “data is secure and untouched”, even though access to its site is “unlikely”, before confirming on Thursday morning that it was under renewed attack.

ProtonMail offers a webmail system designed by boffins at CERN to withstand surveillance by the world’s intelligence agencies.

Since launching in 2013 the service has signed up around 500,000 users. ProtonMail added native web and mobile app support for Pretty Good Privacy (PGP) back in September. ®

Sponsored:
2015 Cost of Cyber Crime Study: United States

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/protonmail_ddos_attack/

TalkTalk offers customer £30.20 ‘final settlement’ after crims nick £3,500

TalkTalk is trying and failing to mend its broken customer relationships following the recent mega breach, in one case offering an individual who had £3,500 stolen from his personal bank account £30.20 as a “good will gesture [and] final settlement” by way of compensation when he tried to get out of his contract.

Ian Rimmington, based in Ossett, West Yorkshire, told The Register £3,500 had disappeared from his account on Friday, 23 October. This was two days after the telco had been hacked and hours after it claims it had informed banks that punters’ personal information had been compromised.

The Register has constructed a timeline analysing TalkTalk’s incident management response, which appears designed specifically to avoid admitting any liability in cases in which customers have suffered financial losses following the breach.

After directly emailing CEO Dido Harding, Rimmington was put in contact with CEO Case Manager John Gusterton on Friday, 30 October. He was offered one of TalkTalk’s questionable lines that “card details were encrypted” and told us “there was not a lot more forthcoming from the conversation apart from a gesture of good will of £30.20 credit to my account as a final settlement,” he said.

“I asked him [Gusterton]: ‘If my card details were encrypted and no details lost, then why are you giving me the credit?’. I then asked about the conflicting information over the last week and was met by a wall of silence,” Rimmington told us. He said that Gusterton had then asked if he would accept the “good will gesture”.

Rimmington told us he declined the offer.

The email from John Gusterton stated:

My understanding of your complaint is as follows: You wish to leave TalkTalk without incurring a cancellation fee.

You have lost confidence in TalkTalk due to the recent data breach and you also feel that money recently taken from your bank account illegally might be linked to the TalkTalk breach.

In order to resolve the situation, my proposals are to take the following actions: Unfortunately I would not be able to waive your contract breakage fee if you decide to leave TalkTalk.

I can apply a credit of £30.20 to your TalkTalk account as a good will gesture. This would equate to one month free service.

This offer is made in full and final settlement of your complaint.

If I do not hear from you within a week, then I will close down your complaint on our records and the above offer in full and final settlement of your complaint will be withdrawn.

Rimmington emailed Gusterson yesterday to question why if customers’ details were encrypted they were being encouraged to “keep an eye on [their] accounts over the next few months” and noted how it contradicted TalkTalk’s own statement that:

The Register is awaiting a response from TalkTalk. ®


Bootnote

If you’ve been affected by the TalkTalk hack, please contact us: [email protected].


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/talktalk_offers_customer_30gbp_final_settlement_after_crims_nick_3500gbp/

Cyber racketeers convicted over $1bn international conspiracy

Two members of an illegal international gambling enterprise which operated over the net and telephone have been convicted of a racketeering conspiracy.

Kelly Dorn, 53, of Oklahoma City, and Kory Koralewski, 45, of Parker, Colorado, were found guilty of the offence, while Dorn was additionally convicted of conducting an illegal gambling business.

The men were members of Legendz Sports, an international criminal enterprise operating from 2003 to 2013, which had taken more than $1bn in illegal wagers – almost exclusively from American gamblers.

A 94-page indictment (PDF) filed in March 2013 alleged that “Legendz Sports operated Internet websites and telephone gambling services from facilities physically located in Panama City.”

Legendz Sports illegally made use of interstate and international Internet and telephone facilities to conduct its gambling operations throughout the United States and elsewhere, in violation of the laws of the United States.

Legendz Sports solicited millions of illegal bets totaling over $1,000,000,000.00 (one billion dollars) on sports and sporting events from gamblers in the United States, twenty-four hours a day, three hundred and sixty-five days a year.

Legendz Sports was operated out of Panama, where evidence showed that its illegal gambling proceeds were used to further promote the gambling business, including to pay employees and build a new multi-million dollar call centre from where bets were taken.

Earlier this year Bartice Alan King, 44, “the owner, CEO and President of Legendz Sports,” according to evidence presented at his trial, was convicted of conspiracy to commit money laundering.

The US Department of Justice stated that a sentencing hearing has not yet been set.

More than fifty other individuals and organisations are listed as defendants in the indictment. Their trials are ongoing. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/gambling_site_operators_convicted_1bn_international_conspiracy/

No C&C server needed: Russia menaced by offline ransomware

Miscreants have cooked up a new strain of ransomware that works offline and so might be more resistant to law enforcement takedown efforts as a result.

The ransomware family (identified by various names by antivirus firms) manages to encrypt files on infected Windows PCs without storing the entire decryption key locally – and without needing an internet connection – security firm Check Point reports.

The malware pulls this off by generating a local RSA public key that it uses to encrypt files, which it then stores in the metadata of each file. When a victim wants their data decrypted, they can contact cybercriminals via an email address (added to the name of each file), and send one of the encrypted files as an attachment.

Many email addresses, mainly AOL and Gmail accounts (but also others) have been associated with this ransomware.

The ransomware operator then looks at the file’s metadata, extracts the user-side-generated RSA public key, and matches it to their own RSA private key database.

The approach may seem inelegant at first, but it does without the need to run command and control servers to host encryption keys. Such command hubs can become the target of law enforcement takedown operations, as happened in the high profile CryptoLocker case.

Check Point’s researchers believe that it is not feasible to brute-force the ransomware encryption.

Researchers at the security firm got hold of a sample of the malware in September. When the sample was run, an extortionate demand in Russian was displayed which gave payment instructions. When running, the ransomware does not interact with the user, other than changing the wallpaper.

Check Point reached out anonymously to the attacker’s email, and received a reply requesting a payment of 20,000 Russian rubles (about $300) on the same day or 25,000 ($380) on the following day, to receive a decryption program and key.

Russian language forums first referenced the malware in June 2014, the security researchers discovered. Since then, 11 new versions have been reported. The ransomware sample investigated by Check Point, which explained the technical details of how it was put together (blog post extract below), was from version CL 1.0.0.0.

It uses a protector that was written in Visual Basic compiled language. To unpack the payload, the ransomware restarts its own process using section mapping and overwrites four times.

The payload that is responsible for file encryption is most likely written in Delphi language using some additional Pascal modules (for example, FGInt that is used to represent large numbers) …

The ransomware does not contain much functionality except for the file encryption capability.

Various versions of the ransomware have been given unique names by different vendors including Ransomcrypt.U (Symantec) and VBKryjetor-WFA (Kaspersky Lab).

Although it’s been around for a year, Check Point’s write-up offers the most detailed examination of the malware to date, at least in the English language. ®


Security experts are sniffy about the approach to crypto taken by the malware authors. That’s as maybe, but it’s of little relevance to victims, who are nonetheless unable to easily get back their files without paying up.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/offline_ransomware_menaces_russia/

GCHQ’s CESG team’s crypto proposal isn’t dumb, it’s malicious… and I didn’t notice

Comment: Hang on, you want to use a phone number as an identity certificate?

Forgive me, everybody, for not realising the obvious – and for not realising why GCHQ’s information security arm CESG’s pet proposal RFC 6509 hasn’t progressed.

The reason is simple: it’s a damn stupid idea.

Here’s the relevant quote: “a user’s identity is their public key. Simply knowing a user’s phone number is enough to establish a secure communications link with them.”

And here’s why it’s spectacularly stupid: a telephone number is not an identity of a person. It’s an identity of a thing – a particular spot on a wiring harness in a telephone exchange that a bit of software associates with a number of a handset that can be used by anyone in the same place; or of a physical mobile phone (assuming that nobody’s tricked it into presenting someone else’s number); or of a SIP account that’s completely disassociated from any physical artefact whatever.

The one thing that a phone number does not do is identify a person.

Of course, the same can be said of an IP address, that most-prized artefact that’s apparently worth so much that anencephalic legislators listen to spooks who ghost-write their legislation and will die in a ditch to get their hands on meaningless identifiers.

Ahem. Perhaps I ranted for a moment, forgive me.

It’s easy, when you’re reading the stilted prose of a spooks’ specification on one hand and the even-more-stilted prose of an IETF document on the other, to look for mice and overlook elephants.

A telephone number does not identify a human.

Having said that, motivation casts its shadow: why on Earth would someone conceive of such stupidity and devote time and thousands of words to propose that it should be a standard?

If RFC 6509 is how spooks think, it sheds some light on the witlessness of data-retention legislation in the UK, which by dint of special effort managed to be more moronsome than the data-retention legislation that passed Australia’s parliament this year.

Regardless of their technical expertise – and to be fair, the RFC reveals considerable technical expertise – the spies of the world can’t shake the mindset of 30 years ago, when all they needed to do was drop crocodile-clips on wires and take photographs.

Even when they know better, they remain devoted to systems, processes and thinking that’s been obsolete since Kim Philby was still alive, but they can’t let go.

The phone number is the person; the IP address is the person; and both assumptions are utter folly, but are relentlessly peddled by the spooks to the politicians.

As a result, successive anencephalic attorneys-general in Australia and the UK’s Home Secretary Theresa May have enacted legislation of such egregious idiocy it could have been drafted by a junior in the White Fish Authority.

As far as I can tell, RFC 6509 has suffered that most ignominious fate that can befall a request for comment: nobody commented.

Of course nobody commented. You don’t, as an Australian cricketer once observed, “urinate on statues”. GCHQ begat CESG, both are potential customers, both have spies at their command, and nobody’s going to write, in public, the kind of thing that Linus Torvalds would write about bad code.

As an acute commenter noted before my brain kicked into gear, there’s also this: stupidity is compounded by mendacity. If the phone number is the authenticator, impersonation is utter cake. Anyone who knows my phone number can authenticate as me, and MITM is trivial.

Three out of ten, CESG, must try harder. And three out of ten, myself, for getting bogged down trimming the toenails of the elephant standing on my foot. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/the_gces_crypto_proposal_isnt_dumb_its_malicious_and_i_didnt_notice/

Mature & Unconfident: The Best Information Security Teams Ever!

Security through maturity and humility is a workable philosophy with proven results for organizations that are willing to give it a try. Here’s why.

Traveling regularly, like many things, has its advantages and disadvantages. Anyone who has been through an airport lately is more than familiar with the disadvantages, but what about the advantages? One of the main advantages traveling brings me is the opportunity to meet with clients to better understand the security posture, strategy, and operational effectiveness of their respective organizations. One hour with a customer brings me more insight than a thousand white papers, because the greatest insights come from practitioners. 

In other words, enough about the problems and challenges! What are people doing to solve those problems and address those challenges? The answer depends on the organizations themselves, which I like to classify — by maturity and confidence — into four quadrants.

Mature Confident
As you might expect, organizations in this category have fairly mature security programs.  Management laid out a strategic vision that was subsequently implemented. The organization took a risk-based approach to security. Risks and threats to the organization were prioritized and mitigated accordingly. An incident response process was set and followed. Security operations runs continually.

At first glance, you might say that this program sounds like a panacea. I would urge you to reconsider that assertion. What is the risk with this type of program? Look closely at the tense in the above paragraph. Everything is past-tense. As we know, our adversaries are continually adapting to maximize their effectiveness. As defenders, we need to continually adapt as well. Risks and threats change over time, as do the ways in which we mitigate them. The risk in this type of organization is stagnation. And stagnation is not a great recipe for continued success in the security realm.

Mature Unconfident
The organization that is mature and unconfident is the best kind, in my opinion. These types of organizations took all the same steps as the mature and confident organizations. What’s the difference? They are never satisfied. They always remain hungry. They are never confident that they are safe.

This philosophy pervades these organizations at many different levels. People are never afraid to raise their hand to indicate that a risk is unmitigated, a new technology is needed, a process needs refining, certain gaps exist, or any of the other issues that may arise. This lack of confidence is not a weakness, as it is often regarded, but rather, a strength. It is a reality check that keeps the organization humble. Why is this important? That humility allows the organization to continue to mature and to avoid stagnation.

Immature Unconfident
Organizations that are immature and unconfident are my favorite type of organization to work with.  At first this may seem like a puzzling statement but hear me out: Lack of security maturity may indeed be a weakness. But if an organization is self-aware enough to honestly evaluate where they stand, it is something that can be overcome. 

Of course, the process of maturing a security program is a lengthy one with many details. The first step in that process is understanding that you need to work through it. Believe it or not, this self-awareness and organizational humility is something that is surprisingly uncommon. More often than not, organizations with immature security programs fall into the next category.

Immature Confident
I’ve been known to describe some past co-workers as a “deadly combination of incompetence and over-confidence.” I’m sure you’ve all encountered this type of co-worker at some point in your work life.  He (or she) is the one who runs confidently, full-speed ahead in the wrong direction entirely, whose instinct is always to do the polar opposite of what is needed, and who cannot accept this possibility at all. I’m using this analogy to illustrate a somewhat sensitive and delicate point. Having an immature security program is something that can be remedied — unless an organization is too overconfident to realize it. In my estimation, the number of organizations that fall into this last category is far greater than most of us would like to believe.

In a sense, this is the most tragic of all the categories; so much potential, yet a nearly impassable uphill climb. You might ask what leads me to lump so many organizations into this category. My answer to that question is fairly straightforward. I base it off of the questions that I receive from some organizations. Often, these questions indicate an underlying lack of understanding of the core challenges companies need to address — and, as a result, any potential solutions to those challenges. More often than not, I receive these questions from organizations that tell me that they take a very strategic approach to security and have a very mature security program as a result.

Which type of organization are you?
I never ask this question of organizations I meet with, for obvious reasons. It is a question that each organization needs to ask itself and answer honestly. The resulting introspection and self-awareness may not be comfortable, but it is the best way for an organization to develop a robust and mature security posture based upon security operations and incident response. Maturity is the key to improving an organization’s security posture, but it is not something that can be arrived at through dishonesty.  Security through maturity and humility is a workable philosophy with proven results for those organizations that are willing to give it a try.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands, November 12-13, 2015. Click here for information on the career trends program.

Josh is an experienced information security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as VP and CTO – Americas at FireEye. Until its acquisition by FireEye, Josh served as Chief Security …

Article source: http://www.darkreading.com/operations/mature-and-unconfident-the-best-information-security-teams-ever!/a/d-id/1323008?_mc=RSS_DR_EDT