STE WILLIAMS

Microsoft Issues Out-of-Cycle SharePoint Update

The update repairs vulnerabilities that could lead to very effective phishing messages.

Microsoft has released an out-of-cycle update for SharePoint to close two previously undisclosed vulnerabilities, CVE-2019-1442 and CVE-2019-1443. Both could allow an attacker to upload specially crafted files that bypass validation and security checks and then prompt recipients for their credentials. In both cases the result would be an especially effective phishing campaign, because the messages would appear to come from within the victim’s organization.

The update also includes fixes for a number of non-security issues, including malformed and misdisplayed HTTP message components and misleading date information that could result from certain document creation sequences.


Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How to Manage API Security.”


Article source: https://www.darkreading.com/vulnerabilities---threats/microsoft-issues-out-of-cycle-sharepoint-update/d/d-id/1336660?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Security Resolutions to Prevent a Ransomware Attack in 2020

Proactively consider tools to detect anomalous behavior, automatically remediate, and segment threats from moving across the network.

Over the past two years, ransomware attacks have increased in frequency and severity. In 2019 alone, the attacks have crippled manufacturing businesses, brought hospitals to a halt, and even put lives at risk.

It’s no wonder that many organizations are putting ransomware prevention and response planning at the top of their priorities list for 2020. And those that aren’t probably should consider what more they can do to better prepare their organizations against these types of attacks.

The time to put measures in place is not after an attack has already taken place. I’ve worked with many organizations scrambling in the aftermath of a breach, but this can be avoided if you proactively consider tools to detect anomalous behavior, automatically remediate, and segment threats from moving across the network to limit an attack’s reach.

Here are five things organizations should consider as part of their security resolutions in 2020:

1. Basic Cybersecurity Hygiene: Improving basic cybersecurity hygiene is the No. 1 defense against any type of attack, including ransomware. This is the cybersecurity version of many people’s New Year’s resolution to “get healthy.” Cybersecurity hygiene can mean a lot of different things, but a good place for companies to start is by making sure they have strong vulnerability management practices in place and that their devices have the latest security patches. They can also make sure they are taking basic security precautions that are often also important for regulatory compliance, like running up-to-date antivirus software or restricting access to systems that can’t be made compliant. Ultimately, however, for most organizations, starting with CIS Control 1, Inventory and Control of Hardware Assets, will establish a good foundation upon which to build.

2. Penetration Testing: Companies that already have much of the basic hygiene in place can take the additional step of engaging pen testers to further ensure that anything Internet-facing in their organization is protected. By finding the ways attackers could break in or brute-force their way into applications or internal systems, bypassing protections such as firewalls, security leaders can fix those weaknesses before bad actors find them.

3. Board Discussions: Cybersecurity is increasingly becoming a board of directors-level issue. That’s because an attack can have a significant impact on a company’s revenue, brand, reputation, and ongoing operations. However, it’s worth having a specific board-level conversation about ransomware to ensure board members understand the specific risks it could pose to the business, and that budget is made available to prevent or limit the damage of an attack. That discussion will prove critical if the company wants to implement added protections, such as improved cyber hygiene, or put in place automated reactive technologies to limit the spread of an attack. If the CIO or CISO is not already regularly having these conversations about cybersecurity, or ransomware in particular, that’s definitely a good place to start for 2020.

4. Tailored Training: There is one vulnerability that has proven effective again and again as an entry point for attack: people. You can buy all the latest and greatest cybersecurity technology, but if you aren’t training your employees in basic cybersecurity or how to respond during an attack, then you’re leaving yourself vulnerable. Training to prevent ransomware starts by teaching employees to recognize phishing attacks and what to do if they suspect one. This is important because — even though many users have gotten better — phishing remains one of the most effective ways for an attacker to breach an organization. Teaching users to validate URLs or avoid clicking on links or attachments altogether can go a long way toward protecting against all types of attacks. This is a good practice to start or revisit in 2020.

In addition to preventing an attack, security leaders can also think about adding specific training for ransomware response. It’s pretty easy for an employee to know when they’ve been hit with ransomware: their work screen may go away and they may get a pop-up directing them to a URL to pay the ransom (likely in bitcoin). Training employees in what steps they can take in response, or giving them an emergency point of contact on the security team, can make them feel more in control in the panic of an attack.

5. Limit the Scope of an Attack: Ransomware resolutions should include not only preventing an attack but also taking steps to minimize the damage of a successful one. That starts with having tools in place, such as SIEM systems that can identify the behavior patterns of an attack and automatically isolate and remediate the affected systems when indicators are flagged. It also means embracing network segmentation, which prevents an attack from moving laterally across the network.
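The automatic isolation described in point 5 depends on a detection rule that fires on the behaviour, not on a known sample. The following is an added example (not ForeScout’s or the author’s code) of the simplest such rule: a process that gives many distinct files a new extension inside a short window gets its host queued for quarantine. The telemetry lines, host and process names, window and threshold are all constructed for illustration.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-activity telemetry (not real EDR output) in a simple
# "<ISO time> <host> <process> <action> <path>[ -> <new path>]" shape.
SAMPLE_EVENTS = r"""
2020-01-06T09:00:01 ws-17 winword.exe write C:\Users\ann\Documents\q4.docx
2020-01-06T09:00:30 ws-17 winword.exe rename C:\Users\ann\Documents\~tmp1.tmp -> C:\Users\ann\Documents\q4.docx
2020-01-06T09:05:10 ws-17 svchost.exe rename C:\Users\ann\Documents\q4.docx -> C:\Users\ann\Documents\q4.docx.locked
2020-01-06T09:05:11 ws-17 svchost.exe rename C:\Users\ann\Documents\budget.xlsx -> C:\Users\ann\Documents\budget.xlsx.locked
2020-01-06T09:05:11 ws-17 svchost.exe rename C:\Users\ann\Pictures\cat.jpg -> C:\Users\ann\Pictures\cat.jpg.locked
2020-01-06T09:05:12 ws-17 svchost.exe rename C:\Users\ann\Pictures\dog.jpg -> C:\Users\ann\Pictures\dog.jpg.locked
2020-01-06T09:05:13 ws-17 svchost.exe write C:\Users\ann\Pictures\README_DECRYPT.txt
2020-01-06T09:05:14 ws-17 svchost.exe rename C:\Users\ann\Desktop\notes.txt -> C:\Users\ann\Desktop\notes.txt.locked
2020-01-06T09:05:15 ws-17 svchost.exe rename C:\Users\ann\Desktop\todo.txt -> C:\Users\ann\Desktop\todo.txt.locked
"""

WINDOW = timedelta(seconds=60)   # sliding window per (host, process); assumed value
THRESHOLD = 5                    # distinct files given a new extension inside the window; assumed


def parse_event(line):
    """Split one telemetry line. Sample paths contain no spaces; a real feed should be structured."""
    ts, host, proc, action, rest = line.split(" ", 4)
    src, _, dst = rest.partition(" -> ")
    return datetime.fromisoformat(ts), host, proc, action, src, (dst or None)


def extension_changed(src, dst):
    """A rename that swaps the file extension is the signal; same-extension renames are ignored."""
    if dst is None:
        return False
    return ntpath.splitext(src)[1].lower() != ntpath.splitext(dst)[1].lower()


def detect_mass_rename(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {(host, process): time_first_flagged} for processes that re-extension
    `threshold` distinct files within `window`. Those are the isolation candidates."""
    recent = defaultdict(deque)           # (host, proc) -> deque of (timestamp, source path)
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, proc, action, src, dst = parse_event(line)
        if action != "rename" or not extension_changed(src, dst):
            continue
        key = (host, proc)
        q = recent[key]
        q.append((ts, src))
        while ts - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        if key not in flagged and len({path for _, path in q}) >= threshold:
            flagged[key] = ts
    return flagged


def isolation_actions(flagged):
    """Turn detections into the host-level response a NAC or EDR would be asked to carry out."""
    return sorted(f"quarantine host {host} (trigger: {proc} at {ts.isoformat()})"
                  for (host, proc), ts in flagged.items())
```

Run over the sample, winword.exe’s single temp-file rename stays below the threshold while svchost.exe is flagged on its fifth distinct file at 09:05:14; tuning the window and threshold against a baseline of normal activity (backup agents and installers also rename in bulk) is what keeps this from isolating the wrong hosts.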


Spanning a 20-year career as an accomplished and well-respected Systems Engineer, Shawn Taylor’s strong mix of technical acumen, architectural expertise, and passion for operational efficiencies has established him as a trusted adviser to ForeScout’s customers since joining …

Article source: https://www.darkreading.com/application-security/5-security-resolutions-to-prevent-a-ransomware-attack-in-2020/a/d-id/1336610?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google to choke off ‘less secure applications’

If you’re entering a username and password to give an app access to a G Suite account, beware: you won’t be able to do it for much longer.

Google is changing the way that it grants third-party apps access to G Suite accounts as it tries to improve security. It is weeding out what it calls ‘less secure apps’ (LSAs) by denying them access to its services.

Google defines secure apps according to a rigid set of security standards. To be considered secure, a third-party app must let you see what level of account access you are giving it before you connect it to your Google account. The app must also let you access only the parts of your Google account that you want, such as your email or calendar, without giving it access to everything else. It must allow you to disconnect it from your Google account at any time, and it must let you connect it to your account without exposing your Google password.

Apps that don’t meet these security criteria are considered less secure, and on 29 July 2019 the company announced it would start limiting their access to G Suite accounts from 30 October. On that date, it began removing the option for G Suite administrators to ‘enforce access to less secure apps for all users’. That meant admins could no longer wave through less secure apps at the domain level; instead, users would have to grant access to these apps themselves, if admins allowed it.

That move was due to be complete by the end of this year. Now the company is moving on to the next step: restricting LSAs’ access to account data. Because these apps work by being handed the account password, the company will cut off their access to G Suite account data altogether, in two stages. After 15 June 2020, users who try to connect their Google accounts to an LSA for the first time won’t be allowed to, but those who already connected an LSA before that date will still be permitted.

That grace period won’t last forever, though. After 15 February 2021, access to LSAs will cease for all G Suite accounts, even those that were already using them.

All this is bad news for legacy calendar, contact and email apps that log in with the account password to exchange data over protocols like CalDAV, CardDAV, IMAP, and Google Sync. Instead, Google wants them to use OAuth.

OAuth

OAuth is an authorisation framework (it delegates access; on its own it is not an authentication mechanism) that lets an authorisation server grant an application limited access to a service on the user’s behalf. There are two versions: OAuth 2.0, which isn’t compatible with OAuth 1.0, is the de facto standard, and it is what Google supports.

An OAuth 2.0 app sends a request to an authorisation server, or AS (in this case, run by Google). The request names the scopes, that is, the bits of the account the app wants access to. The AS shows the user a consent dialogue telling them what the app will and won’t be allowed to do. If the user agrees, the AS hands the app a short-lived authorisation code, which the app exchanges for an access token; the app then presents that token to Google’s APIs instead of the user’s password.

OAuth 2.0 satisfies Google’s security criteria because the app has to request specific scopes rather than blanket access, it uses a token rather than the account password, and that token can be revoked at any time without changing the password. That makes it better for security than typing into an app a password that you might have reused elsewhere, or hard-coding an API key into a web form somewhere and forgetting about it. When app developers implement it, it will also be more convenient for users.
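The exchange described above, as an added example that is not part of the original article and not Google’s code: a toy authorisation server and client run the authorization-code flow (with PKCE) entirely in-process, so you can see that the token opens only the scopes the user consented to, that a code is single-use, and that revoking the token cuts off one app without touching the password. The last function builds the SASL XOAUTH2 response an IMAP or SMTP client sends in place of a password once it holds such a token. Client ID, redirect URI, scope names and endpoint behaviour are assumptions for illustration; Google’s real scopes are URLs and its endpoints are reached over HTTPS.

```python
import base64
import hashlib
import secrets


def _b64url(data: bytes) -> str:
    """base64url without padding, as PKCE (RFC 7636) specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_pair():
    """The app keeps the verifier secret and sends only its SHA-256 challenge up front."""
    verifier = secrets.token_urlsafe(48)
    return verifier, _b64url(hashlib.sha256(verifier.encode()).digest())


class AuthServer:
    """Toy authorisation server standing in for Google's; nothing leaves the process."""

    KNOWN_SCOPES = {"mail.readonly", "calendar.readonly", "contacts.readonly"}  # assumed names

    def __init__(self, registered_clients):
        self.registered_clients = registered_clients   # client_id -> registered redirect_uri
        self._codes = {}    # authorisation code -> (client_id, scopes, pkce challenge)
        self._tokens = {}   # access token -> (client_id, scopes)

    def consent_prompt(self, client_id, redirect_uri, scopes, code_challenge):
        """Step 1: validate the app's request and build what the user sees on the consent screen."""
        if self.registered_clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        unknown = set(scopes) - self.KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        return f"{client_id} wants to: {', '.join(sorted(scopes))}"

    def user_consents(self, client_id, scopes, code_challenge):
        """Step 2: the user clicks Allow; the AS mints a single-use authorisation code."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, frozenset(scopes), code_challenge)
        return code

    def exchange_code(self, client_id, code, code_verifier):
        """Step 3: the app trades code + PKCE verifier for an access token. No password involved."""
        entry = self._codes.pop(code, None)            # consumed even if the exchange fails
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid, reused or foreign authorisation code")
        if _b64url(hashlib.sha256(code_verifier.encode()).digest()) != entry[2]:
            raise PermissionError("PKCE verifier does not match challenge")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (client_id, entry[1])
        return token

    def resource_request(self, token, required_scope):
        """Resource-server side: the token opens only the scopes the user granted."""
        entry = self._tokens.get(token)
        if entry is None:
            return 401                     # unknown or revoked token
        if required_scope not in entry[1]:
            return 403                     # valid token, insufficient scope
        return 200

    def revoke(self, token):
        """Cut one app off without touching the account password or other apps' tokens."""
        self._tokens.pop(token, None)


def run_code_flow(auth_server, client_id, redirect_uri, scopes):
    """Drive the whole exchange from the app's side; returns (access_token, consent_text)."""
    verifier, challenge = pkce_pair()
    prompt = auth_server.consent_prompt(client_id, redirect_uri, scopes, challenge)
    code = auth_server.user_consents(client_id, scopes, challenge)
    return auth_server.exchange_code(client_id, code, verifier), prompt


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 client response an IMAP/SMTP client sends instead of a password:
    base64("user=" user "^Aauth=Bearer " token "^A^A")."""
    return base64.b64encode(f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()).decode()
```

The points that matter for the LSA discussion are visible in the return codes: a mail-only token gets 403 on the calendar, a revoked token gets 401 while the password is unchanged, and an attacker who intercepts the authorisation code cannot redeem it without the PKCE verifier the app never sent.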

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cmm98FFm0vQ/

Alleged bank vault robber posed with cash on Instagram, Facebook

Somebody really needs to write a rap about yobs who show off piles of loot in their social media feeds.

The alleged crook du jour: Arlando M. Henderson, 29, of Charlotte, North Carolina, whom the FBI has arrested and charged with supposedly stealing more than $88,000 smackers from the vaults of his employer, Wells Fargo Bank.

If he’s innocent, Henderson is going to have to explain why his Instagram rap shows him holding an AK-47 and large stacks of cash… and how in the world he found the wherewithal to pick up that Mercedes-Benz in his Facebook posts.

On Friday, the US Attorney’s Office for the Western District of North Carolina said that the FBI arrested Henderson on 4 December in San Diego and charged him with stealing cash from Wells Fargo’s bank vaults, from deposits made by its customers, and with using some of that beautiful green spray-o-cash for a down payment on the sweet Mercedes-Benz, and then lying to get a car loan to pay the balance. He allegedly convinced the loan company that he was good for the dough by showing them bogus bank statements.

The indictment (posted courtesy of The Register) alleges that Henderson stole cash from the bank vault at least 18 times during 2019. He allegedly made cash deposits at an ATM near his workplace on the many days that he allegedly stole money.

To cover up his tracks, Henderson also allegedly destroyed some documentation and cooked up false entries in the bank’s books and records – or got other people to do it for him.

He’s charged with two counts of financial institution fraud; 19 counts of theft, embezzlement and misapplication; and 12 counts of making false entries, which carry a maximum penalty of 30 years in prison and a $1,000,000 fine, per count. He’s also looking at a charge of transactional money laundering, which carries a penalty of 10 years in prison and a $250,000 fine. Maximum penalties are rarely handed out, however.

Blabbers gonna blab, blab, blab, blab, blab

Gangsters (or alleged gangsters) using social media to brag about their crimes (or their alleged crimes) is nothing new… just ask the 63 (alleged) gang members who got arraigned in New York after spoon-feeding police with allusions to their alleged crimes, served up in posts on Twitter, Facebook and YouTube.

Fortunately, they don’t seem to be smart enough to know that police use social media, in spite of examples such as Hannah Sabata, a US woman arrested in 2012 for robbing a bank after posting a YouTube video about robbing a bank.

Nor, for that matter, do they seem to read news accounts or even listen to the grapevine, which might have tipped them off that police monitor Facebook to get status updates on, for example, “break-in day” in Brooklyn.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p6aXmWhhdnc/

Mozilla adds NextDNS to list of DNS-over-HTTPS providers

Good news for Firefox users interested in turning on the browser’s DNS-over-HTTPS (DoH) privacy feature – they now have two providers to choose from.

The first, of course, is Cloudflare, which Mozilla partnered with during the two-year development and testing of its DoH service, finally turned on for users in September.

Not all Firefox users were at ease with this – entrusting DNS privacy to a single company felt like a risk no matter how many assurances were being offered.

By adding a second provider, startup NextDNS, founded in May 2019, Mozilla has not only added an alternative but got its promised Trusted Recursive Resolver program (TRR) off the ground. The TRR matters because, as Mozilla says:

DoH’s ability to encrypt DNS data addresses is only half the problem we are trying to solve. The second half is requiring that companies with the ability to see and store your browsing history change their data handling practices.

In other words, just encrypting DNS queries to make it more difficult for ISPs and governments to snoop on website visits won’t mean much if the company offering the DoH service hasn’t itself signed up to a robust privacy policy.
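To make concrete what a DoH resolver actually receives, here is an added example (not Mozilla’s, NextDNS’s or Cloudflare’s code) that builds the RFC 8484 GET form of a query and parses the wire-format answer. The resolver URL is a placeholder and the response bytes are constructed by hand, so it runs offline; the point is that the only thing the provider sees is the DNS message itself, which is exactly why its data-handling policy matters.

```python
import base64
import ipaddress
import struct

# Placeholder resolver URL (assumption); NextDNS and Cloudflare publish their own.
DOH_ENDPOINT = "https://doh.example/dns-query"

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name, qtype=QTYPE_A):
    """Encode a DNS query in RFC 1035 wire format. ID is fixed to 0, as RFC 8484
    recommends for the GET form, so identical questions yield identical URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, flags (RD), qd, an, ns, ar
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN


def doh_get_url(name, qtype=QTYPE_A, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: ?dns=<base64url of the wire query> with '=' padding removed."""
    encoded = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    return f"{endpoint}?dns={encoded}"


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name starting at msg[off]."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                         # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def parse_answers(msg):
    """Return (rcode, [(name, type, ttl, rdata)]) from a DNS response; A/AAAA rdata as text."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                         # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype in (QTYPE_A, QTYPE_AAAA) and rdlen in (4, 16):
            text = str(ipaddress.ip_address(bytes(rdata)))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0xF, answers


# Constructed response (not captured from any resolver): example.com A 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
)
```

Sending the URL with an `accept: application/dns-message` header over HTTPS is all a client adds; the response body is the raw DNS message that `parse_answers` decodes. A fixed ID of 0 is safe here only because the TLS connection, not the ID, ties answers to questions.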

It’s rather like VPNs, which many people use for security, privacy and to dodge geo-blocking only to discover that many providers (typically the free ones) are collecting private data to sell on to advertisers.

Mozilla’s TRR program requires that DoH resolvers, among other things:

  • Only collect data (e.g. IP addresses) for the purposes of running the service and don’t keep it for longer than 24 hours.
  • Publish a privacy policy explaining this.
  • Do not block, modify or censor websites unless required to by law.

PiHole-as-a-Service

Interestingly, NextDNS users who sign up for an account are given control over what gets blocked and what doesn’t, including being able to create domain allow/blocklists, and sign up for a range of public advertising/tracking and filtering lists.

They can even block specific applications as well as view traffic logs. This level of control is very unusual for a DNS resolver of any type; when ISPs filter DNS, they normally do it behind the user’s back.

It looks very like a cloud implementation of the PiHole, a Raspberry Pi-based network adblocker and DNS server but without the technical intrigue of setting that up for yourself.

That NextDNS has built its service this way suggests the company spies the possibility that DNS and DoH resolution could one day become a more general privacy system, competing with things like adblocking.

We noticed some wrinkles.

For example, NextDNS offers apps to configure the service on Windows, macOS, Linux, Android, and iOS, which is impressive. But when we downloaded them, Windows Defender and Google’s Play Protect warned us against installing or running them.

In Firefox v71, DoH settings can be accessed via Options > type ‘DNS’ in the search bar > Connection Settings > Enable DNS over HTTPS.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jIAyGMDzDjE/

Doxed credit card data has two hours max before it’s nabbed

Sure, we all know that ripped-off payment card details – like these! – sell like hot potatoes on the dark web, where carders snap them up, slap them onto new cards, and go on mad spending sprees on somebody else’s dime.

But exactly how fast do hot potatoes get sold?

Two hours, it turns out. That’s how long it recently took somebody – or something, if it turns out to have been an automated bot – to find, and use, a credit card posted by a security researcher.

David Greenwood, from ThreatPipes, says he decided to run an experiment on how long it would take thieves to find his card, motivated as he is by the fact that he’s been bedeviled by e-thieves who keep poking at it:

In only two years, there have been 4 attempts to use my credit card fraudulently.

The cyber-crime headline writers are not struggling for work.

Greenwood got curious about the life cycle of stolen data. He wondered, how does data such as credit and debit card information propagate across the internet, including on the dark web, where carders conduct their dirty work?

Dirty work, as in, buying stolen payment card details, putting all the legitimate card details onto the fresh magnetic stripe of a blank card, and thereby cloning the card so they can use the counterfeit to buy themselves some bling.

So Greenwood picked up an anonymous, prepaid credit card, and he set to work at trying to do what crooks do: sell that tasty tidbit.

Oh, these cautious crooks

Unfortunately for his experiment, Greenwood says that he lacks a reputation as a carder, or a thief, or, really, as any kind of rascally wrongdoer. That’s not good if you’re trying to pass yourself off as a trustworthy purveyor of stolen goods in the web’s dark alleys.

Frustratingly, you can’t just start selling this information on dark web forums. You need a reputation. You need people to vouch for you.

So instead of trying to sell his credit card, he just gave it away for free, lock, stock, and barrel, along with a bunch of fake locks, stocks and barrels, lumping dummy credit card data in with his real data and dumping the whole thing onto multiple paste sites.

I dumped the complete package to various paste sites including; full card numbers, expiration dates, CVV codes, and billing address.

Bundled in my paste were a variety of fictitious card numbers I made up based on MasterCard and Visa formats.

And then he waited. For about two hours.

That’s how long it took for the bait to be nibbled: one of the small test transactions that fraudsters’ bots and scripts make to check whether a card is live, typically against merchant sites that respond with a detailed reason when a card is declined.

Two hours was actually pretty slow, Greenwood said. The prepaid card was eventually used at the site of a well-known UK retailer.
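The scripts that found Greenwood’s paste do the same triage a DLP scanner does: pull out anything card-shaped, drop what fails the Luhn check, sort the rest by issuer range. The following is an added example (not from Greenwood’s write-up or ThreatPipes) of that triage, run over a constructed paste made of the card brands’ public test numbers plus one number that fails Luhn; the masking format and the issuer ranges it checks are illustrative, not a complete list.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """ISO/IEC 7812 check digit. Numbers that fail this get discarded by carding scripts
    before any test purchase, so they make poor decoys in a paste."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(digits):
    """Coarse issuer guess from the published leading-digit ranges and lengths (subset)."""
    n, head2, head4 = len(digits), int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= head2 <= 55 or 2221 <= head4 <= 2720):
        return "mastercard"
    if n == 15 and head2 in (34, 37):
        return "amex"
    return None


def find_pans(text):
    """Return [(masked PAN, brand)] for every candidate that passes Luhn and a brand check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        b = brand(digits)
        if b and luhn_ok(digits):
            hits.append((digits[:6] + "*" * (len(digits) - 10) + digits[-4:], b))
    return hits


def redact(text):
    """Replace live-looking PANs with first six / last four; leave everything else untouched."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if brand(digits) and luhn_ok(digits):
            return f"[PAN {digits[:6]}...{digits[-4:]}]"
        return m.group()
    return PAN_RE.sub(_mask, text)


# Constructed paste, not Greenwood's. The numbers are the industry's public test PANs,
# plus one that fails Luhn, laid out as "number|expiry|cvv|address".
SAMPLE_PASTE = """\
4111 1111 1111 1111|12/23|123|1 High St
5555555555554444|01/24|456|2 Low Rd
4111111111111112|05/22|789|fails luhn
378282246310005|09/25|1234|3 Side Ln
"""
```

The same `find_pans` pass is what you would run over outbound mail, tickets and paste-site feeds on the defensive side; the Luhn-failing line shows why padding a dump with made-up digits does not slow the bots down unless the decoys also pass the check.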

Payment card data isn’t the only hot potato out there, Greenwood noted. You’ve got the same army of bots and scripts out there looking for whatever they can get, waiting to sniff out things like…

  • Sensitive internal company data (documents, emails…) which come in handy for crooks looking to pull off sophisticated Business Email Compromise (BEC) scams like this one.
  • Network data (exposed ports, misconfigured SSL certificates…)
  • Accidental or intentional data leaks (API keys, usernames and passwords…)

All of which present a slew of things you need to secure. When it comes to your payment cards in particular, here are two words of advice: Act fast!

Check your statements

Doing some things once in a blue moon isn’t good enough, be it flossing your teeth or checking your financial statements for fraudulent charges. Regularly checking means you’ll spot fishy charges before they cling to you.

We the consumers aren’t typically held responsible for fraudulent activity – but only when we report bad charges in a timely fashion. Don’t delay, if you don’t want to get stuck paying for somebody else’s baby lions and/or Lamborghinis.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Kw0AyB4E8_0/

Log us out: Private equity snaffles Lastpass owner LogMeIn

Remote access, collaboration and password manager provider LogMeIn has been sold to a private equity outfit for $4.3bn.

A consortium led by private equity firm Francisco Partners (along with Evergreen, the PE arm of tech activist investor Elliott Management), will pay $86.05 in cash for each LogMeIn share – a 25 per cent premium on prices before talk about the takeover surfaced in September.

LogMeIn’s board of directors is in favour of the buy. Chief executive Bill Wagner said the deal recognised the value of the firm and would provide for “both our core and growth assets”.

The sale should close in mid-2020, subject to the usual shareholder and regulatory hurdles. LogMeIn also has 45 days to look at alternative offers.

In 2018 LogMeIn made revenues of $1.2bn and profits of $446m.

The company runs a bunch of subsidiaries which offer collaboration software and web meetings products, virtual telephony services, remote technical support, and customer service bots as well as several identity and password manager products.

LogMeIn bought LastPass, which now claims 18.6 million users, for $110m in 2015. That purchase raised concerns about exactly how LastPass’s new owner would exploit the user data it held, and today’s news is unlikely to allay any of those fears.

The next year, LogMeIn merged with Citrix’s GoTo business, a year after its spinoff.

The official statement is here. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/18/log_me_in_acquired/

BlackBerry tells UK High Court that security outfit SentinelOne is its direct rival

BlackBerry, the former phone handset company, has accused rival security business SentinelOne of systematically poaching its top talent during a court hearing in central London where the Canadian company tried to block a salesman from jumping ship.

“Sentinel[One] is a direct competitor of Blackberry Cylance,” declared Blackberry UK’s barrister Julian Wilson in the Royal Courts of Justice last week. “The companies sell comparable products… the market regards these products as interchangeable.”

The case was brought over Lloyd Webb, Cylance’s EMEA veep of sales engineering. Webb wants to join SentinelOne. Blackberry UK, as legal owner of Cylance’s UK operations, wants to stop him from doing that because, it claims, he will take confidential business knowledge with him and use it for SentinelOne’s advantage.

Webb is resisting Blackberry’s attempt to stop him from taking up a similarly senior sales engineering post with SentinelOne. The latter company was formed in 2013, while Blackberry has been around for many years. Two years after making a decision to stop designing and making its own handsets in September 2016, BlackBerry bought Cylance in 2018 for $1.4bn. This was part of the firm’s larger push into the enterprise security market beginning in 2013 and culminating in the formation of its cybersecurity Services division in 2016 (PDF).

At last Friday’s preliminary hearing in London’s Royal Courts of Justice, Wilson continued: “The claimant [Blackberry UK] says Mr Webb was in such a senior position with so much exposure to, firstly, its sensitive technical information about its products, and, secondly, its strategic sales information. That if he were to immediately start in what would be an equivalent role at Sentinel, a direct competitor, he would inevitably make use of the confidential information in his head about the claimant’s products on which he has worked for four years.”

The case hinges on non-compete covenants in Webb’s contract of employment. His barrister, James Gibbons, argued strongly that BlackBerry ought to be entering mediation rather than pressing on with court hearings to block Webb from taking up a similar post with SentinelOne.

BlackBerry’s barrister said: “We know from US proceedings [SentinelOne] has recruited three very important individuals and you’ll have seen the allegations that are made, there is a real risk they’ve taken confidential information with them. I don’t put it any higher than that.”

One of those American cases was reported by US legal newswire Law360 in October.

Webb was also alleged by Wilson to have “wiped the contents of his company laptops before he returned them,” something he said Blackberry saw as “not innocent” while stressing “we don’t put it any higher than that”.

Arguing for “ADR” (alternative dispute resolution) on behalf of Webb, his barrister Gibbons also said some of BlackBerry’s evidence contained “material inaccuracies… demonstrably so”. Referring to a witness statement from a Mr Thomson, he read out a part describing how one Scott Scheferman was injuncted in the US to stop him jumping from Cylance to SentinelOne.

Thomson, author of the witness statement, had made a mistake, said Gibbons. In a correction to his statement, Thomson was said to have accepted that Scheferman “wasn’t actually enjoined [injuncted]” from joining SentinelOne, saying: “It was unfortunate that he [Thomson] was not able to, in his witness statement dated I think either 29th November or 5th December, I can’t remember which – it should have been disclosed that the order was discharged. That is an inaccuracy in a peripheral matter but is part of their [BlackBerry’s] case.”

Deputy High Court judge Hugh Mercer QC, sitting up on the bench, frowned at this. “I don’t think it’s peripheral… A campaign is implicit in the fact that three people were poached in the US.”

“Also part of that suggestion [is] that they’re all being stopped from competing,” rejoined Gibbons. “[It is a] positive assertion that other courts have stopped them from competing and that’s wrong, it’s completely wrong.”

Gibbons also complained that BlackBerry had put several hundred working hours into its application before dropping it on Webb, whose lawyers only had time to put 30 hours of work into his response before the hearing, arguing that his client needed more time to fully respond.

Granting Webb’s application to adjourn the hearing until January, Judge Mercer said: “In my judgment it is fair that the defendant be granted a proper opportunity to prepare their evidence in order to respond to the application which is being made before me today.”

A speedy trial date is expected to be set for January or February next year. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/18/blackberry_sentinelone_non_compete_salesman_lawsuit/

‘Password’ Falls in the Ranks of Favorite Bad Passwords

Facebook, Google named worst password breach offenders.

What do President Donald Trump, the word “password,” and the string “12345678” have in common?

All fell in the ranks of SplashData’s annual Worst Passwords of the Year list, published today. After making an appearance in the 2018 list, “donald” is not among this year’s top 25 most dangerous and commonly leaked passwords. “Password,” which has held first or second place in the nine years SplashData has been ranking risky passwords, has fallen into fourth place, and “12345678,” previously number four, came in sixth.

The company evaluated more than 5 million passwords leaked on the Internet to compile this year’s list. In first place was “123456,” holding the top spot from last year, followed by “123456789” and “qwerty.” While it’s positive to learn people are less frequently using “password” to secure their accounts, SplashData says, it warns many continue to employ easily guessable words and alphanumeric patterns. Many modern websites and applications prevent these simple passwords from being used; however, some older ones still allow it.

There were a few consistent passwords on this year’s list, among them “princess,” “iloveyou,” and “welcome.” New entries included “1q2w3e4r” and “qwertyuiop,” which may seem complicated to some but likely won’t trick hackers who can guess simple keyboard patterns.
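The “may seem complicated” entries fall to the same keyboard-walk rules that crackers have used for years, and a registration form can apply those rules too. Here is an added example (not SplashData’s or Dashlane’s code) of a password check that combines a blocklist seeded only from the entries named on this page, a trivial-suffix check so that “Password1” does not slip past it, and a QWERTY-adjacency score that catches “1q2w3e4r”, “qwertyuiop” and “12345678” without needing them listed. The blocklist, threshold and minimum length are illustrative assumptions; a real deployment uses a breach corpus.

```python
# Rows of a US QWERTY keyboard; adjacency on this grid is what makes "1q2w3e4r"
# and "qwertyuiop" trivial for a cracker's keyboard-walk rules.
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEY_ROWS) for c, ch in enumerate(row)}

# Tiny blocklist seeded only from entries named in the article above (illustrative,
# not SplashData's ranking); production checks use a full breach corpus.
BLOCKLIST = {"123456", "123456789", "qwerty", "password", "12345678",
             "princess", "iloveyou", "welcome", "1q2w3e4r", "qwertyuiop"}


def _adjacent(a, b):
    """True when a and b are neighbouring keys (same row, next row, or a diagonal)."""
    if a not in KEY_POS or b not in KEY_POS or a == b:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def keyboard_walk_fraction(pw):
    """Share of consecutive character pairs that sit next to each other on the keyboard."""
    pw = pw.lower()
    if len(pw) < 2:
        return 0.0
    return sum(_adjacent(a, b) for a, b in zip(pw, pw[1:])) / (len(pw) - 1)


def check_password(pw, blocklist=BLOCKLIST, walk_threshold=0.75, min_len=8):
    """Return the reasons a password would be rejected; an empty list means it passed."""
    reasons = []
    norm = pw.lower()
    if norm in blocklist:
        reasons.append("in blocklist")
    base = norm.rstrip("0123456789!")          # "password1", "welcome!" -> base word
    if base != norm and base in blocklist:
        reasons.append("blocklisted word plus trivial suffix")
    if len(norm) >= 6 and keyboard_walk_fraction(norm) >= walk_threshold:
        reasons.append("keyboard walk")
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    return reasons
```

Scoring adjacency rather than matching fixed strings is the design choice worth copying: “ZXCVBNM1” is on no list yet scores 6 of 7 pairs adjacent, while an ordinary passphrase scores well under the threshold because English letters rarely sit next to each other on the keyboard.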

Everyone, from consumers to high-profile tech companies, should be reconsidering their password practices. Facebook and Google were among the major corporations that made Dashlane’s fourth annual list of “Worst Password Offenders,” also published this week. The list highlights prominent people and organizations that experienced password blunders in 2019.

Facebook took the top spot following incidents in which it exposed passwords of hundreds of millions of users and breached privacy by requesting new users’ email passwords and collecting contacts without consent. For years, we learned, Facebook stored account passwords in plaintext on internal data storage systems. The company also left a server unprotected sans password, exposing the phone numbers and records of more than 400 million people.

Google came in second. This year the tech giant admitted to accidentally storing some G Suite users’ passwords in plaintext since 2005. As Dashlane points out, incidents like this can have major implications for companies and their users if attackers get their hands on passwords.

Other mentions on the list include Lisa Kudrow, who took third place for posting an Instagram photo that had a Post-it with her password in the background. Congressman Lance Gooden was caught on camera unlocking his iPhone with passcode “777777” during the televised testimony from Mark Zuckerberg before the House Financial Services Committee. And WeWork made the list for using the same weak password across its entire global Wi-Fi network. Dashlane’s list also included Elsevier, Virgin Media UK, GPS Trackers by Shenzhen i365 Tech, and Ellen DeGeneres.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/application-security/password-falls-in-the-ranks-of-favorite-bad-passwords/d/d-id/1336652?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Your First Month as a CISO: Forming an Information Security Program

It’s easy to get overwhelmed in your new position, but these tips and resources will help you get started.

You’ve just been hired as your company’s new CISO, and immediately, you’re tasked with forming the company’s information security program. So, how do you begin? As I completed my first month as the chief information security officer at Axonius, I found myself reflecting on what I’ve learned and done when it comes to that question, and here are a few tips based on my experiences so far.

As with any significant undertaking, it makes sense to begin by understanding the current state of the security program and the context in which you’ll manage it. Start by covering the following:

  • Risks: What security concerns do you, your colleagues, and your customers have? What gaps exist, and how might they affect the business? Sometimes figuring this out requires a formal assessment. Other times, it may require an informal survey, conversations with colleagues, and analysis to get to a sufficient starting point. I was fortunate to become the CISO after holding another role at Axonius, but there were many questions that my new position required me to ask that I hadn’t asked before.
  • Expectations: What expectations does the organization have of the security program and your role? Account for your own ideas and, of course, get input from your manager and other stakeholders. When outlining the goals, understand the business and technical needs that will influence the security program. You can see my objectives at Axonius, if you’re curious.
  • Situation: Get to know the technical and business environment in which you’ll be operating. This often begins with an IT asset inventory to understand the devices, users, and software that make up your company’s ecosystem. Also include non-technical components in your situational awareness, such as team dynamics, politics, and culture.

Your initial assessment of the current state will help you define not only the longer-term strategy for the security program but also the tactical projects you can start right away. Look for relatively easy wins that:

  • Mitigate some of your high-severity risks, so you begin improving the company’s security posture.
  • Implement essential security measures, so you lay the foundation for the rest of your security program.
  • Address the challenges important to your colleagues or customers, so you start building goodwill and showing value.

Balance the need to work on these tactical projects with the necessity for a more formalized, strategic approach to establishing a security program. Several control frameworks can help you combine your own prior experience with that of other practitioners to achieve this.

While there is no shortage of methodologies you can use, here are the ones I have found most helpful so far:

  • Security4Startups Control Checklist: This open source checklist, initially compiled by several CISOs, offers a convenient starting point for young companies that aren’t sure where to begin. It helps confirm that you implement essential measures related to identity and access management, infrastructure security, application security, resiliency, and governance. I found the checklist useful for confirming I didn’t miss any important categories of security measures.
  • Cybersecurity Defense Matrix: This handy table defines a structure for organizing your security capabilities related to devices, applications, networks, data, and users. The matrix helps you capture the measures you have (or want to have) across the functions defined in the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. I used the matrix to identify the roles that various security technologies might play at Axonius, but that’s just one approach to using it.
  • CIS Controls: This practical guide catalogs the security measures that can defend against common cyberattacks. The framework, which has had a chance to mature over several years, accumulates advice from many security practitioners. It includes suggestions for selecting the controls according to the maturity of your security program and proposes metrics for measuring your progress. For a mapping between CIS and other frameworks, see the AuditScripts Critical Security Controls Master Mapping spreadsheet.
  • NIST Cybersecurity Framework: This detailed framework offers one approach to structuring a formal security program. It includes a long list of categories of security measures along with the corresponding subcategories. It even provides pointers to the relevant details you can get from other frameworks, including CIS Controls, NIST SP 800-53, and the mighty ISO/IEC 27001. I found the NIST framework overwhelming when I first looked at it, so I’m taking care to pursue it in portions, not all at once.

If you’re in a regulated industry or have specific customer commitments, you’ll probably need to account for other frameworks, but that goes without saying.

Your first month as the CISO can (and probably should) focus on understanding the current state and laying the foundation for the formal security program. Yet, don’t spend all your time merely planning and strategizing. Use the energy of the new role to start adjusting the appropriate processes and deploying the necessary technologies in support of your vision.

Lenny Zeltser is Chief Information Security Officer and was previously VP of Product at Axonius. Prior to Axonius, Zeltser led security product management at Minerva Labs and NCR. Before that, he spearheaded the US security consulting practice at a leading cloud services …

Article source: https://www.darkreading.com/vulnerabilities---threats/your-first-month-as-a-ciso-forming-an-information-security-program/a/d-id/1336594?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple