STE WILLIAMS

CISOs Play Rising Role In Business

CISO hiring trends show more external hires, longer tenures, and an increase in MBAs as tech pros are required to understand the business.

Chief information security officers are playing a more integral — and more important — role in business, and their experience and qualifications are shifting to fit those requirements, researchers say.

Nearly half (45%) of Fortune 500 CISOs with graduate degrees have MBAs, indicating a shift in responsibilities as security leaders become more prominent within the business, according to an analysis of Fortune 500 senior security leaders conducted by Forrester Research. The findings paint a fresh picture of the modern CISO — a position that barely existed 20 years ago but is rapidly becoming a key contributor to the boardroom.

“From 2014 to today, the CISO has evolved to be one of the centerpieces inside an organization. This is especially as more and more businesses become dependent on data and software to make money, which is virtually every business today,” says Jeff Pollard, principal analyst at Forrester serving security and risk professionals.

CISOs used to be internally focused and didn’t spend as much time securing customers’ information, Pollard observes. Today’s CISOs have emerged as public figures as they engage with customers and secure the products people use, he says.

“The perimeter once was very small,” says Eitan Bremler, Safe-T co-founder and VP of products. “Before 2010, companies were islands. You had your own data and shared internally. As time goes by and organizations become more digital, they’re exposing themselves to the outside world.” Cloud services, remote workers, and customers’ abilities to exchange and access data have all expanded the attack surface, Bremler notes.

Bridging the business, tech gap

These organizational shifts have driven changes in the skills demanded of CISOs. Most have technical backgrounds but have to understand business skills and strategy as their careers grow. Graduate degrees are not mandatory but are becoming increasingly common: 43% of Fortune 500 CISOs have a graduate degree and on average, most were earned eight years after their bachelor’s.

After the MBA, the most popular graduate degrees for CISOs are master’s degrees in computer science and information systems.

“Someone who was more technical in the past is becoming more strategic,” says Pollard. “The CISO already has a foundation in technology, and other execs will turn to them for advice and coaching on how to understand tech and compliance and risk.”

As CISOs take on more strategic duties, their organizations may split responsibilities differently in the IT and risk areas. Bremler points to the chief risk officer (CRO) as someone who previously reported to the CISO, but now has a more separate role as risk and regulation grow. Some businesses bundle security and networking under the CISO; some split the two and put networking under the CIO. Some CISOs own security implementation, while the CIO handles system and business applications.

“We see a lot of CISOs step away from device management and sending it to service providers and contractors,” Pollard notes. “Another big area is learning to balance staffing requirements.” CISOs don’t need an on-staff expert in everything, but will need to turn to on-demand experts on occasion. The key is learning to be efficient.

Several technologies have also shaped the way CISOs do their jobs. Pollard says artificial intelligence, machine learning, data visualization, and orchestration will help security leaders be more efficient and teams be more productive. Bremler points to software-defined networking as a major example of how businesses understand the way networks are changing.

Tenure exceeds expectations

Forrester researchers found that tenure among Fortune 500 CISOs has gotten longer as large companies understand the value in building and improving their security programs. Fortune 500 CISOs average 4.5 years of tenure, longer than data indicating an average of 17 months among CISOs overall.

“One of the major reasons why CISOs are sticking around is because when security wasn’t as valuable, it was opaque,” Pollard says. “It was impossible to figure out what security was actually doing … it was hard to figure out why it had value.”

Now, security has more visibility as a board-level issue. It isn’t viewed as a cost center but as a value-add to the business. As a result, CISOs don’t hunt for new positions as quickly. If they want to drive change, they need to stay and understand their organization.

In larger companies, however, most CISOs don’t rise from the ranks. Nearly 60% of Fortune 500 CISOs were external hires, as were 64% of Fortune 100 CISOs. Larger companies prefer CISOs to have more experience and a fresh perspective. External hires usually land higher on the org chart than those promoted internally: two-thirds of SVP-level CISOs came from outside the business.

“If you’re a senior leader and report to the CISO at a Fortune 100 company, loyalty is probably not your best option,” says Pollard. “If you’re getting recruiting emails about CISO roles, you need to answer those.”

That said, there are instances in which promoting a CISO from within is beneficial, experts say. Companies hesitant to change will benefit from hiring internally because an internally-hired CISO will understand the business and won’t have the same cultural learning curve.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/careers-and-people/cisos-play-rising-role-in-business/d/d-id/1330708?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

EtherDelta Hack Begins Rocky Weekend for Crypto

Popular cryptocurrency exchange EtherDelta announces a potential DNS attack and suspends service just days before Bitcoin hit a five-day drop.

EtherDelta last week suspended service when cyberattackers allegedly gained temporary access to the company’s DNS servers.

The incident was part of a rough week for cryptocurrency, preceding a sharp drop in values at Bitcoin that hit a low ebb on Friday. The events illustrate the continued volatility of digital currencies, despite their rapid growth.

EtherDelta, a popular cryptocurrency exchange known for its broad selection of alt coins, posted a tweet on Wednesday, Dec. 20 indicating its server was compromised by attackers.

(Image: EtherDelta via Twitter)

It seems the attacker(s) spoofed EtherDelta’s domain to trick users into sending money. EtherDelta posted a follow-up tweet reporting the impostor’s app had no chat button on the navigation bar, nor did it have an official Twitter feed on the bottom right. It also had a fake order book. After a series of updates, EtherDelta said it was running again on Dec. 22.

Users of MetaMask or a hardware wallet on EtherDelta were safe from the attack, as were those who had never entered their private key on the impostor’s phishing site. Deposits can only be accessed through a user’s individual key, the company noted on Twitter.

“If EtherDelta’s tweets are to be interpreted literally, this was a rare kind of DNS attack, in which the registry and registrar were uninvolved, and the break-in happened on EtherDelta’s own primary authoritative name server,” says Farsight Security CEO Dr. Paul Vixie, a DNS security expert.

In this case, DNS was “incidental” to the attack, he explains. The same attacker could use a similar method to break into any other server using a similar trick, such as password guessing.

“If there’s a lesson for all of us here, which there almost always is, it’s that the keys to our kingdom are everywhere in our infrastructure, and there is no server or service we can operate with less care for its security than others,” Vixie adds.

Shortly after the news of EtherDelta’s attack, Bitcoin had a rough holiday weekend with a five-day drop that ended Tuesday, Dec. 26. While the two events were unrelated, the volatility of crypto should not go unnoticed, Vixie says. The recent “boom and bust” in crypto is almost entirely driven by “ignorance and the resulting bandwagon effect,” he observes. Prices are unstable and any news — from a cyberattack to political commentary — can send them up or down.

“Unfortunately, this is just a tip of the iceberg,” agrees High-Tech Bridge CEO Ilia Kolochenko. “Many crypto currency platforms and exchanges are compromised without even being noticed or publicly disclosed.” Further, many don’t have the resources to protect themselves, he notes.

Indeed, Youbit, a Korean cryptocurrency exchange, is filing for bankruptcy after two cyberattacks in 2017. Nicehash, a marketplace based in Europe, reported losing millions in a breach this month.

“We have collectively built systems so complex that we can’t understand them,” Vixie states. Attackers have the time and ambition to test enterprises’ defenses in ways that the enterprises don’t test themselves.

This is especially true of cryptocurrency systems like EtherDelta, which have so much money and many new systems and operators, Vixie notes. However, any enterprise is vulnerable and this should be viewed as a potential attack “against everything and anything,” says Vixie. The only way to be even partially secure is with red-team testing, and internal and external auditing, he says.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/attacks-breaches/etherdelta-hack-begins-rocky-weekend-for-crypto/d/d-id/1330709?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Exposed File From Ancestry’s RootsWeb.com Contains Data on 300,000 Users

A file containing hundreds of thousands of RootsWeb users’ email, login information, and passwords was found externally exposed, genealogy site says.

Ancestry’s RootsWeb.com server, which hosts a free genealogical community site, exposed a file containing emails, login information, and passwords of 300,000 users, Ancestry stated in a blog post over the weekend.

An outside researcher informed the company of the exposed file on Dec. 20, according to Ancestry. And while the 300,000 accounts were affiliated with RootsWeb.com’s surname list service that it retired earlier this year, 55,000 of the user names belonged to both the free RootsWeb.com site and also to Ancestry.com, which charges for some of its genealogical services.

The company noted that 7,000 of the emails and log-in credentials belonged to active Ancestry.com users.

RootsWeb does not host sensitive information like credit card and social security numbers, the company stated, further noting it has “no reason to believe that any Ancestry systems were compromised.”

The company is currently in the process of notifying all affected customers and is working with law enforcement on the matter. Ancestry.com subscribers who had their information exposed will need a new password to unlock their account, according to the company. Additionally, RootsWeb.com has been taken temporarily offline to enhance its infrastructure, the company notes.

Although the company is seeking to retain all the data on RootsWeb.com, it notes it may not be able to preserve all the user-supplied information that is hosted on the free community site. However, RootsWeb’s email lists will not be affected by the temporary shutdown of the site, according to a report in the Legal Genealogist.

Read more about Ancestry’s security incident blog post here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/perimeter/exposed-file-from-ancestrys-rootswebcom-contains-data-on-300000-users/d/d-id/1330710?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

2017 Security Predictions through the Rear Window

If you’re going to forecast the future, go big.

It’s no secret that I’ve long held a dim view of the security predictions that invariably bombard our feeds and social media accounts every December. In years past, I made a point to write up an article using a list of predictions from a blog post 10 years earlier. The catch here was that the list read as an indictment as opposed to a prediction. Of the list of 10 security issues, eight remained relevant a decade after they were posted.

The practice of making predictions often brings to mind the image of a palm reader or medium saying, “I’m seeing a security breach for a company that starts with … A … B?” This may seem a little cruel, but I can’t help to draw a parallel with Alfred Hitchcock’s Rear Window. The protagonist of the film — confined to his apartment in the summer heat — pieces together a crime from the bits and pieces that he sees unfolding in the apartment across the way from his rear window. This view feels familiar as we talk about security issues in bits and pieces as found in security predictions.

If you pull all of the predictions together, they start to paint a more vivid picture of the issues that security practitioners face every day. As the end of the year drew closer, I couldn’t help but wonder how the palm readers fared with their 2017 proclamations, so I took a sampling of some of the lists that I could find online. They discussed a wide range of topics such as these:

  1. Ransomware will continue to be a problem.
  2. Security blame will continue as one of the least popular games.
  3. Mobile will continue to rise as a point of entry.
  4. The Internet of Things (IoT) will continue to haunt the security threat landscape.
  5. At least one major safety incident will be caused by an IT security failure that will cause injury.

It strikes me that these security predictions, by and large, are so poorly defined that they could easily be claimed to be correct with a thinly veiled argument. If someone stands on a stage and declares that “water is wet,” there invariably will be someone who chin wags that yes, indeed it is.

When I look at this loose collection of five predictions, it is easy to say yes, they are indeed true, but they were all safe bets. Ransomware isn’t going to suddenly disappear. The blame game is part of human nature and it will continue on as long as we have opposable thumbs.

“Mobile security will rise as an entry point” isn’t far off correct in hindsight. When you look at the research from Akamai (full disclosure: that’s my day job) and other companies on the discovery of the WireX botnet, this was a distributed denial-of-service botnet that was based on mobile devices running Android. This was a platform built out using roughly 300 compromised applications in the Google Play store, which infected thousands of customers.

The one prediction on the list that caught my eye and might have some actual substance is the last one, about a major safety incident. To be fair, the writer had said that this might happen in the next four years, granting him some serious wiggle room. Because I spent nine years working in the power systems industry, this is a fear I hold, too. There is always a danger that someone could die as a result of a power failure, for one example.

When we look at the rise of self-driving cars and similar IoT-related vehicles, there certainly is a chance that something could go horribly wrong. I don’t say this to stir up fear, but we need to make sure that the companies making these products take security very seriously. There has been no shortage of reporting on vehicle security research, from distribution of firmware updates to communications, and there are many avenues that need to be addressed because of potential adversaries. This is definitely one prediction that I truly hope isn’t something that comes to pass.

If people truly want to make predictions, they should make ones that cause them to put their reputations on the line. Don’t make predictions that are merely safe bets. Better still, make a list of things that a company should be doing to better secure enterprises. That would have far greater value to those of us who are diligently working to defend our patch while attempting to avoid being thrown out the window by our very own Lars Thorwald.

Dave Lewis has over two decades of industry experience and has extensive experience in IT operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the …

Article source: https://www.darkreading.com/mobile/2017-security-predictions-through-the-rear-window/a/d-id/1330655?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It’s Christmas, you have 9900 seconds of free time, how do you spend it?

Imagine.

It’s Christmas.

You’re waiting for a timeout of 9,900,000,000,000 nanoseconds to expire.

(Either someone is cooking for you and you have therefore been banned from the kitchen all day on pain of the wooden spoon, or you are in the kitchen yourself, waiting for a giant turkey to roast, and therefore daren’t leave the kitchen until you have a meal to show for it, even though the oven has a fixed speed and can’t be hurried.)

In other words, you’re indoors, you need to kill some time, and no one is going to wander up to you with a glass full of party punch and say, “Hey, you know about computers, can you fix my Instagram?”

Christmas fun

What better way to pass those 2 hours and 45 minutes (yes, we used a calculator but we know you did the conversion instantly in your head) than having a bit of technofun?

For example, 9900 seconds is just about the right amount of time to try installing an alternative operating system, and to try life from a different perspective, not to mention trying out a window manager you’ve never used before that is amusingly different from all those you have.

Or you could renew your acquaintance with an old software friend and remember the good old days, back when 640KB was more than enough for anybody (although an 8MB expansion board never hurt anyone).

Or you might want to implement from scratch a cool algorithm that you’ve been meaning to code up but have always relied on other people’s precompiled libraries.

Choices, choices, choices!

Let Naked Security help

Why not let Naked Security help you?

Here are our coolest ideas – tell us which ones are the best of the best. (The survey below is anonymous.)

PS. Do you like the image at the top of the article?
Did you know that you can order it as a laptop sticker (or on a pair of socks) from the awesome Sophos Store?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/y_vIqe7cD50/

Merry Christmas, UK prosecutors: Here’s a special gift… a slap from the privacy watchdog

Final update The UK Ministry of Justice has been slammed for poor handling of requests for personal records made under data protection laws – and told to fix the 700-plus backlog by October.

In an enforcement notice [PDF] issued yesterday, Blighty’s data protection watchdog, the Information Commissioner’s Office (ICO), said the justice department had been too slow in processing requests from people asking what information was held on them.

The Data Protection Act requires that organisations respond to these subject access requests – without undue delay – to say whether it is processing their personal data, and if so, what data that is.

In the document, the ICO revealed that, as of July 28, 2017, there was a backlog of 919 subject access requests made to the department, some of which date back to 2012. It acknowledged that there had been “some progress” to dealing with this; an update on November 10 said that 793 were over 40 days old – which is the prescribed period for a response.

This comprises: 14 from 2014, which the department has said it aims to deal with by December 31, 2017; 161 from 2015, which are due for completion by April 30; 357 from 2016, due by August 31; and 261 from 2017, due by October 31.

Despite this progress, the ICO said that the justice secretary – in his role as data controller – has contravened section 7 of the Data Protection Act for failing to act “without undue delay.” Moreover, it said, the data controller is contravening another principle because the “systems, procedures and policies in relation to him dealing with subject access requests… are unlikely to result in compliance with those same requirements under the DPA”.

There has been “no reasonable explanation” for the failings, the notice continued.

Because of this, and in light of the fact it is likely that these contraventions could cause damage or distress, the ICO said it had decided to issue an enforcement notice.

The notice orders the justice secretary to ensure that internal systems, procedures and policies comply with the law by January 31, 2018, and formally requires him to ensure all requests are dealt with by October 31, 2018, at the latest.

In addition, the justice secretary must provide the ICO with a monthly progress report, and “continue to his best endeavours to surpass the milestones” above.

The MoJ did not immediately respond to a request for comment. ®

Updated to add

A Ministry of Justice spokesperson has been in touch to say: “We know the importance of responding quickly and accurately to all subject access requests and are taking urgent action to improve our performance. As the Information Commissioner recognises, we are committed to tackling our backlog and timeliness has already improved markedly.”

Final update

After a few hours of deliberation, the Ministry of Justice offered us a fuller statement:

We have left no stone unturned in ensuring the historical backlog in responding to special access requests from offenders is addressed. The Information Commissioner has recognised our plan is robust and it is delivering results at pace and ahead of schedule.

Given the marked improvements already brought about by our urgent action in this area, we are very disappointed the Information Commissioner has decided to take formal action at this time.

We are committed to transparency and improving understanding of how the justice system works but the information we handle is often highly sensitive and we must weigh these interests with our responsibility never to put children, vulnerable victims, witnesses, staff or criminal investigations at risk.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/22/ico_tells_justice_secretary_to_deal_with_mass_backlog_of_personal_data_requests/

Network Printer & Scanner Spoofing Campaign Targets Millions

Cybercriminals distribute malicious email attachments purportedly coming from three common brands of network printer-scanner devices.

Spoofed emails purportedly coming from HP, Canon, and Epson network printer-scanner devices are attempting to infect millions of users with malicious attachments, according to Barracuda.

The attempts began in late November with the attackers sending bogus emails that read “Scanned from HP,” “Scanned from Epson,” or “Scanned from Canon,” in the subject line, Barracuda researchers note in a blog. The attackers use PDF files to carry their malicious payload, because employees will typically send a PDF file from a network printer to their co-workers, Barracuda notes.

Attackers have attempted to avoid detection by modifying file names and extensions from within the traditional file archive. This allows the attackers to hide the malware inside the archive and imitate a .jpg, .txt, or other file format.

Once the attachment is opened, the attackers can gain remote access to users’ computers and check for network-connected systems.
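As an added defensive illustration (not code from Barracuda or the article): a Python triage routine that checks an inbound message for the campaign’s “Scanned from …” subject lures and inspects a ZIP attachment for entries whose leading magic bytes contradict the extension they carry, which is the disguise the article describes. The three subject strings come from the article; the signature table, the sample archive, and the verdict labels are constructed assumptions.

```python
import io
import zipfile
from typing import Dict, List

# Subject-line prefixes the campaign used (from the article), lower-cased for matching.
PRINTER_LURES = ("scanned from hp", "scanned from epson", "scanned from canon")

# Constructed table of leading magic bytes -> content type. Not exhaustive.
SIGNATURES = {
    b"MZ": "exe",                  # Windows PE executable / DLL / screensaver
    b"\x7fELF": "exe",             # ELF binary
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",          # nested archive
}

# What an extension claims the content to be (constructed mapping).
EXT_TO_TYPE = {
    "exe": "exe", "dll": "exe", "scr": "exe", "com": "exe",
    "pdf": "pdf", "jpg": "jpg", "jpeg": "jpg", "png": "png",
    "zip": "zip", "txt": "text", "log": "text", "csv": "text",
}


def sniff_type(head: bytes) -> str:
    """Classify content from its first bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    # No known magic: call it text only if every byte is printable ASCII or whitespace.
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"
    return "unknown"


def claimed_type(filename: str) -> str:
    """Content type implied by the (possibly attacker-chosen) extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext, "unknown")


def inspect_archive(archive_bytes: bytes) -> List[Dict[str, str]]:
    """One finding per entry whose content is executable or contradicts its extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)          # enough for every signature above
            actual = sniff_type(head)
            claimed = claimed_type(info.filename)
            if actual == "exe":
                reason = "executable content"
            elif actual != "unknown" and actual != claimed:
                reason = "content does not match extension"
            else:
                continue
            findings.append({"name": info.filename, "claimed": claimed,
                             "actual": actual, "reason": reason})
    return findings


def triage_message(subject: str, attachment: bytes) -> Dict[str, object]:
    """Combine the subject-line lure check with the attachment inspection."""
    lure = subject.strip().lower().startswith(PRINTER_LURES)
    is_zip = attachment.startswith(b"PK\x03\x04")
    findings = inspect_archive(attachment) if is_zip else []
    if any(f["actual"] == "exe" for f in findings):
        verdict = "quarantine"      # executable hiding inside a "scan" attachment
    elif findings or lure:
        verdict = "hold"            # needs analyst review before delivery
    else:
        verdict = "deliver"
    return {"lure": lure, "findings": findings, "verdict": verdict}


def build_sample_archive() -> bytes:
    """Constructed sample archive mimicking the campaign's disguised entries."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.bin", b"\x00" * 8)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_0001.pdf", b"%PDF-1.4\n% harmless constructed sample\n")
        zf.writestr("scan_0002.jpg", b"MZ\x90\x00" + b"\x00" * 60)  # PE header named as image
        zf.writestr("notes.txt", b"Meeting notes, nothing to see here.\n")
        zf.writestr("report.txt", inner.getvalue())                   # nested zip named as text
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_message("Scanned from HP", build_sample_archive())
    print("verdict:", result["verdict"])
    for f in result["findings"]:
        print(f"{f['name']}: claimed {f['claimed']}, actual {f['actual']} ({f['reason']})")
```

Only the first 16 bytes of each entry are read, so the check stays cheap even on large attachments; a production gateway would add more signatures and unpack nested archives recursively.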

Read more about the spoofed network printer-scanner campaign here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/iot/network-printer-and-scanner-spoofing-campaign-targets-millions/d/d-id/1330705?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hit the Cyber Underground for the Hottest Travel Deals

You can get everything from inexpensive flights and hotels to fake passports in the cyber underground, says Trend Micro.

Have a hankering to see the world but don’t have the budget for it? Not to worry.

People who are not averse to bending a few rules—okay, breaking them—have plenty of options for low-cost travel and holidaying courtesy of a thriving underground market for illegally obtained travel services.

Cybercriminals, never ones to miss an opportunity to make a quick buck, have assembled an impressive portfolio of travel options paid for using stolen credit cards, hacked loyalty program accounts, and fraudulent redemption of coupons, discounts, and free offers, says Trend Micro.

The security vendor took a look at the cybercriminal underground and found services offering everything from deeply discounted airfares, hotel rooms, car rentals, and cab fares to fraudulent travel documents and passport modification services.

For example, a Los Angeles based traveler wishing to see a soccer game at the 2018 FIFA World Cup can get a round trip ticket to Moscow for $500—about 50% off the actual price—and pay another $60 to get a hotel for two nights, at about 60% off the regular price.

A Madrid-based couple could show their two kids a magical time at a Disney World Resort in Orlando for two days for a mere $1,100. The price would include round-trip airfare tickets for the four, two rooms at a Walt Disney resort and four park-hopper tickets to all four Disney World parks—each of which alone would otherwise go for $170 for adults. For around $240, a Moscow resident could get a round trip flight and two-day stay at Santorini in Greece, and for about $300 more, visit the Great Wall in China.

“Stolen credit cards are being used to pay for these travel services,” says Jon Clay, director of global threat communications at Trend Micro. “By using a stolen credit card to buy plane tickets, it’s free for the criminal, so they can offer it at a discount to others.”

In other instances, hackers employ credential stealing to hack into and take control of a loyalty account to buy something. “If it is a plane ticket or hotel room, they would purchase it under a name they have identification for, like a fake passport,” Clay says. For prices ranging from roughly $120 to $365, an individual can purchase loyalty accounts for posh five-star hotels and redeem the points in them for free nights and other goodies.

Another scam involves fraudulently using corporate accounts to get discounted hotel rates. Because hotels typically ask individuals who claim a corporate discount for their ID, underground services are available that sell fake corporate ID cards bearing the names of some of the most recognizable multinational entities.

Criminals, using things like compromised mobile devices or someone else’s breached Uber account, are able to offer cab rides and ride-shares in major cities at a fraction of the regular cost, Clay says.

Trend Micro also discovered numerous underground sites and forums offering fraudulent documents for travelers. Among them was one Russian operator offering blank and fully filled Ukrainian passports from between $1,500 and $1,600. The vendor also uncovered passport modification services at prices ranging between $510 and $1,100.

Clay says Trend Micro estimates such fraud is costing the travel industry billions in losses. The airline and hotel industry alone are losing potentially $1 billion each from cyber-related fraud, he says.

“Considering the amount of money being lost to this type of fraud, it seems like this is a crime that is not well-detected,” Clay says. There are numerous instances of fraudsters being caught when trying to use illegally obtained flight tickets, hotel bookings and other travel services. “But the numbers overall show that this is a successful method for criminals,” Clay says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/hit-the-cyber-underground-for-the-hottest-travel-deals-/d/d-id/1330704?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Is Die Hard a Christmas movie? – the (not a) security review

WARNING: SPOILERS AHEAD – although, c’mon, surely you’ve seen Die Hard by now.

For most of my life, when the is-it-a-Christmas-movie-or-isn’t-it question erupted about the latest Die Hard offering, I have been firmly in the camp of “I couldn’t care less.”

This movie is just not my bag, and the flailing of poorly-held machine guns spraying fake bullets everywhere always makes me think of this ridiculous GIF and all the other — ANY of the other — movies I would rather be watching.

Inexplicably, it’s been put to me by the Naked Security team to make a decision one way or another about the questionable place of Die Hard in the Christmas movie pantheon.

So opine I will, though I will probably be grumpy about it.

Yippee-ki-yay, and all that.

Points for Die Hard being a Christmas movie

It’s the Christmas time of year, so we see all the accoutrements and obligatory seasonal activities, like a kid getting a ridiculously oversized Costco bear, harried travelers rushing around the busy airport, or employees getting hammered at their company holiday party. Indeed, amongst the ribbons and bows and Christmas trees, there’s even snow — though this being L.A. in the late 1980s, it’s cocaine. Still, I’ll give it +1 for all the Christmas fixings.

The music gives the movie occasional Christmas flair, complete with menacing sleigh bells — there’s a phrase I never thought I’d ever write in my life — when we see the title and opening credits. Some of the tracks are a menacing take on Christmas jingles when you pay attention to them, which was a nice touch.

Beethoven’s “Ode to Joy” makes a few appearances in this film too, a tune that some people believe is a Christmas melody, and I wonder if it’s Die Hard’s fault for that? Probably giving it too much credit there. +0.25 on this, because “Ode to Joy” will never be a Christmas tune to me, and I automatically resent any movie that uses it as an audio shortcut for “hey you dummies this is a fancy party.”

A separate +0.4 for Argyle playing Run-D.M.C.’s Christmas in Hollis though. It’s a great nod to Christmas in the 1980s.

The terrorists, led by the wonderful Alan Rickman as Hans Gruber, who lends this movie way more gravitas than it deserves, are carrying out their mission in the name of money and make a play about how their violence is justified in the name of taking down a huge, corrupt multinational corporation. (Hello there, Mr. Robot.)

Only one lone good guy, acting against the odds, coming down the chimney, errrrm, air duct vents can set things right and save the day. So +2 for being oddly on point with the whole Santa thing when I completely overthink it, and +0.5 for the Mr. Robot allusion.

“Come out to the coast, get together, we’ll have a few laughs…” by /u/StuFX

A decent amount into the movie, we see a corpse with “now I have a machine gun, ho-ho-ho” written on his shirt and a Santa hat resting on his head. It’s gruesomely funny in that dumb late-1980s action film way, but a nice little reminder about what time of year it is – because by that point we probably forgot and were just enjoying the splatter. +0.1 for that.

+0.3333 for giving us Sgt. Al Powell, played by the always delightful Reginald VelJohnson, because I fully subscribe to the fan theory that his redemption in killing the Karl terrorist guy at the end makes him completely snap, take on the name of Carl, and then move to Chicago in trying to escape all that (giving us the early 1990s sitcom Family Matters) — where his unending guilt about the kid he supposedly killed manifests in the persona of Steve Urkel. It’s a completely bananas theory that I have to believe is true with every fiber of my being. And if Die Hard is responsible for giving us Family Matters, then I must pay tribute accordingly.

Die Hard did introduce “make barefoot fists with my toes” to the lexicon and that absolutely has to count for something. +2.71828 meaningless points.

Points against Die Hard being a Christmas movie

I should note that while trying to watch this movie, in another room my mother was playing the cassette (yes, cassette) of the music from “The Snowman” with my daughter. (Fellow Americans, I’m referring to the 1982 animated classic The Snowman about the sad, steady march towards our inevitable death and yet also Christmas, not the 2017 action film of the same name, which shares nothing else with it.)

So while watching Die Hard, the very-obviously-to-do-with-Christmas music from The Snowman ran faintly underneath all the dialog. You’d think this might lend the film extra Christmas spice, but I have to tell you, hearing Walking in the Air while Hans Gruber slow-fell off Nakatomi Tower… still wasn’t terribly Christmassy. It was hilarious though — hearing those cherubic voices as Alan Rickman’s face slo-mo registers that he’s falling and NOT flying through the air is almost transcendent. (Here, I’ve gone and mashed it up for you.) A solid -6.022 for this serendipitous but hilarious fail.

-1 to this entire movie for making me feel bad that I don’t speak any German. Having been stuck at Munich airport many times for six-hour layovers, you’d think I’d have picked some up by now.

Overriding all the arithmetic so far in this article, -1024 for all the earlier-mentioned gore and splatter.

Die Hard is a classic late 1980s action flick, no question there, replete with late 1980s action flick over-the-top gruesome practical effects of people being shot to pieces. That doesn’t seem terribly Christmas-appropriate, but maybe “maul your enemies with terrible bullet trauma” was a part of a director’s cut of It’s a Wonderful Life that I’ve somehow missed.

It boggles my mind that any movie with this amount, let alone any amount, of gratuitous violence is in the running for consideration as a family Christmas movie.

So adding up all the points in columns for and against… meh.

Die Hard isn’t a redemption film about a family getting back together in time for the holidays and discovering what’s really important – nobody remembers that about this movie.

In the end, Die Hard is about an irrational person (Gruber) making completely unreasonable and expensive demands of flummoxed, time-crunched adults.

So I guess Die Hard really is a Christmas movie after all ¯\_(ツ)_/¯


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wtzYZI9H3jw/

Data on 123 million US households exposed

What surprising things might a keen data hunter find sitting in an unsecured state on a cloud service these days?

For a researcher at UpGuard, on 6 October the answer turned out to be an intriguing 36GB database file sitting in plain view on an Amazon Simple Storage Service (S3) bucket uploaded by analytics company Alteryx.

Leaky bucket might be a better description because, when opened, the database revealed the personal financial data of 123m American households – in effect everyone with an address in the US around the time of the file’s creation in 2013.

Let’s digest this: regardless of whether you’ve heard of Alteryx or not (and few will), if you’re a US householder, a humungous trove of your personal data was inside this easily-accessible file.

And quite a cache it was too, comprising 123m rows, each with 248 columns, culled from the US Census Bureau and bulked out with a “massive” amount from credit-reporting company Experian.

What data? It’d be easier to say what wasn’t in the database in fact. UpGuard quotes Experian’s marketing blurb used to sell the data to third parties such as Alteryx:

With thousands of attributes on more than 300 million consumers and 126 million households, ConsumerView data provides a deeper understanding of your customers, resulting in more actionable insights across channels…

No wonder Alteryx wanted it. In case anyone assumes the data was anonymised, UpGuard reckons:

While the spreadsheet uses anonymized record IDs to identify households, the other information in the fields – as well as another spreadsheet in the bucket – are sufficiently detailed as to be not merely often identifying, but with a high degree of specificity.

In addition to trifles such as address, telephone number and estimated income, this included home valuations, when householders last bought a car, what magazines they subscribe to, how much they like to travel, their cat ownership – you name it.

Experian clearly knows an awful lot about Americans and has been trading it around for partners to use, one of which didn’t secure it well, or at all.

All UpGuard needed to access the data was a free Amazon Web Services (AWS) account anyone could open, which marks this incident as the sort of screw-up security people will be quoting as a cautionary tale in conference presentations for years to come.
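A bucket that any AWS account can read is exactly the setting a routine bucket audit should catch. The following is an added example in Python (my code, not the article's, UpGuard's or Alteryx's): it inspects an S3 bucket ACL and a bucket policy in the shape the AWS S3 API returns them (as boto3's get_bucket_acl and get_bucket_policy do) and flags grants to the predefined AllUsers and AuthenticatedUsers groups, and Allow statements with a wildcard principal. The ACL documents, the policy, the bucket name and the account ID below are constructed samples; no AWS call is made.

```python
"""Audit S3 bucket ACLs and bucket policies for grants that expose data to
every AWS account or to the whole internet.

Added example, not code from the article, UpGuard or Alteryx.  The ACL and
policy documents are constructed inline in the shape the S3 API returns, so
the checker could be pointed at real get_bucket_acl / get_bucket_policy
output, but nothing here talks to AWS.
"""
import json
from typing import Optional

# Predefined S3 groups.  A grant to either is a public grant: AllUsers is
# anyone on the internet, AuthenticatedUsers is *any* AWS account, which is
# what "a free AWS account anyone could open" satisfies.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def find_public_acl_grants(acl: dict) -> list:
    """Describe every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        audience = PUBLIC_GROUP_URIS.get(grantee.get("URI", ""))
        if audience:
            findings.append(f"ACL grants {grant.get('Permission')} to {audience}")
    return findings


def _principal_is_wildcard(principal) -> bool:
    """True if a policy Principal is "*" or {"AWS": "*"} (or a list holding "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def find_public_policy_statements(policy: dict) -> list:
    """Describe every Allow statement whose Principal is a wildcard.
    Statements narrowed by a Condition block are reported for manual review
    rather than treated as unconditionally public."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        text = f"policy {stmt.get('Sid', '<no Sid>')} allows {', '.join(actions)} to everyone"
        if stmt.get("Condition"):
            text += " (restricted by a Condition, review manually)"
        findings.append(text)
    return findings


def audit_bucket(acl: dict, policy: Optional[dict] = None) -> list:
    """Combine ACL and policy findings for one bucket; empty list means clean."""
    findings = find_public_acl_grants(acl)
    if policy:
        findings += find_public_policy_statements(policy)
    return findings


# Constructed sample: owner keeps full control, but AuthenticatedUsers can READ
# (list and fetch), i.e. any AWS account can pull the contents.
EXPOSED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample: the corrected, owner-only ACL (the S3 default).
PRIVATE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
    ],
}

# Constructed sample policy: one public-read statement, one scoped to a role.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "AnalystRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExampleAnalyst"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

if __name__ == "__main__":
    print("exposed:", audit_bucket(EXPOSED_ACL, SAMPLE_POLICY))
    print("private:", audit_bucket(PRIVATE_ACL) or ["no public grants"])
```

The misreading behind this class of exposure is that AuthenticatedUsers sounds like "my users" when it means every AWS customer. The durable fix is to leave ACLs at the owner-only default and enable S3 Block Public Access at the account level; a check like this over exported ACL and policy documents then serves as the detective control that catches anything that slips past.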

Had the data been noticed by criminals rather than a researcher, the latest incident could easily have ranked as a major breach similar to the one that affected Experian’s rival Equifax in September.

Experian’s odd reaction has been to pass the buck, telling Forbes:

This is an Alteryx issue, and does not involve any Experian systems.

Technically correct but disingenuous. Surely any company handing over large amounts of sensitive data on every household in the US knows it is a loaded weapon in the wrong hands and has a duty to set some standards as to how it will be secured.

As with previous incidents, the leak is another reminder about the mysterious lack of data protection rules in the US. In my opinion, the system leans too lazily on bad publicity to curb weak security when what is needed is independent intervention.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/c8VLvqhXoP0/