STE WILLIAMS

Watch out for fraudsters attacking Amazon Marketplace accounts

Ever toyed with the idea of selling stuff on Amazon’s Marketplace? Many people do, some offering new goods for sale as a full-time occupation while others use it to get rid of second-hand items such as books they have lying around.

Integrated into the Amazon steamroller, it’s a powerful retail concept that also earns Amazon commission, of course. But as a recent spate of account takeover attacks underlines, opening a Marketplace third-party account for even the most modest level of sales carries risks people need to understand and plan for.

There is no room for complacency here. As some unfortunate sellers are discovering, if a hacker breaks into a Marketplace account, its legitimate owner can be left with a time-consuming heap of woe.

Marketplace attacks aren’t new, but their scale seems to have shifted up a gear recently, with The Wall Street Journal quoting a lawyer acting for a dozen clients who claim to have lost sums ranging from $15,000 to $100,000 to fraudsters.

Painfully, in some cases victim Marketplace sellers could see the frauds happening in real time via email alerts but could do nothing about it until after their accounts had been ripped off.

Ridiculously, there is a reliable defence against this kind of hacking but before we explain what that is, we’ll first describe how these attacks seem to have happened because that’s an important part of the story.

There appear to be two forms of attacks, the first targeting Marketplace accounts with significant turnover; the second attacking small ones that are dormant and whose owners might not be paying attention.

For larger accounts, the fraud involves breaking into them and then diverting funds to the criminal accounts by changing bank details. For occasional sellers, fraudsters list and take payment for non-existent goods, which the real account-holder is held accountable for when they don’t turn up.

Once fraudsters have control of an account, getting it back requires the owner to work through Amazon, a process that can take days. The company does say:

We withhold payment to sellers until we are confident that our customers have received the products and services they ordered.

In the case of fraudulent goods listed with a four-week delivery, that still leaves sellers holding the bill for undelivered items until the mess is sorted out.

How are fraudsters getting into accounts? In some cases, reportedly by re-using credentials breached from other sites, while in others some form of phishing attack is not out of the question.

The first defence, then, is not to re-use passwords across accounts, a habit that enables the attack known as “credential stuffing”. Doing so on something as important as a Marketplace account is begging for trouble.

Next, turn on Amazon’s two-step verification system (something all Amazon users should do). This was launched for US users in 2015 but has only recently been turned on for UK users too, under Login and Security Settings > Advanced Security Settings.

This sends a one-time SMS verification code to the user’s registered phone. Alternatively, for anyone worried about SMS reception, Amazon offers an authenticator app to generate the same.  Marketplace users should also set up email notifications as this could give an early warning that an account is being misused. Arguably, two-step verification should be mandatory.

Never underestimate the risks these sorts of accounts (including eBay and PayPal) bring. Embrace Marketplace selling with eyes wide open.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SAKpEojVdG0/

Revealed: Scammers plaster Google Maps with pins to lure punters from honest traders

Computer scientists at the University of California, San Diego, and Google, are clamping down on fake businesses trying to scam victims through Google Maps.

Most Google search results are influenced by your physical whereabouts. Googling restaurants, movie theaters, or hairdressers runs up a list of businesses Google Maps believes are nearby. Scammers abused this by registering more than 100,000 fraudulent companies on the popular web mapping service between June 2014 and September 2015.

Essentially, the miscreants spam Google Maps with registrations for business locations so that they have a greater chance of popping up at the top of search results when someone tries to look up a plumber or locksmith, and so on. There’s no actual business at all of the registered locations: it’s just a filthy trick to make sure you come top, or near the top, of the lists.

Ultimately, this steers web traffic and customers away from real companies. Over 40 per cent of the false Google Maps addresses are for on-call contractors like plumbers, locksmiths or electricians. And victims are often quoted a low price over the phone, only for the crooked contractors to demand a higher fee when they show up.

It’s a new form of “black hat search optimization,” the research team wrote in a paper presented at the International Conference on the World Wide Web in Perth, Australia, earlier this month, and publicized on Tuesday.

Besides this, other trickery includes setting up false pins for real hotels or restaurants on Google Maps. Over 12 per cent of fake listings, we’re told, attempted to make money by creating websites that directed punters to the businesses’ real website, where customers can make reservations or book holidays. Cash can be pocketed by getting a commission for each reservation or referring traffic to the real websites.

It’s relatively simple to register a business on Google Maps. All that is needed is a Google account, an address and a phone number to get started. The second stage involves signing up for Google Maps. Google will then send a postcard with a verification code to the business’ address. Once the code is entered, the listing is approved and pops up in the app.

Around 85 per cent of these fake applications do not make it to the Google Map stage. But the rest get through, as they rent PO boxes under those specific addresses to nab their verification codes. Multiple sham businesses can be registered by using fake suite numbers for the same address. It takes an average of 8.6 days for false listings to be taken down after creation.

The majority of these counterfeit listings are in the United States (56.5 per cent), followed by India (17.5 per cent) and France (5 per cent). Further analysis shows most activity is concentrated in the most populous states: California, New York, Florida, Texas, Illinois and New Jersey.

Google is cracking down on abuse by detecting common discrepancies in deceptive listings that can be weeded out in the future by anti-spam algorithms. Only a limited number of verification postcards can be sent to the same address, and using non-existent suite numbers is no longer valid. ®
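The two countermeasures described above (a cap on verification postcards per address, and rejection of suite numbers that do not exist) can be turned into a simple screening rule over a set of listings. The following is an added example, not code from the paper or from Google; the listings and the building register are constructed sample data, and the postcard cap of 3 is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample listings; none of these are real businesses.
LISTINGS = [
    {"id": 1, "name": "Ace Locksmith",     "address": "100 Main St, Suite 1, Springfield",  "category": "locksmith"},
    {"id": 2, "name": "Fast Locksmith",    "address": "100 Main St, Suite 2, Springfield",  "category": "locksmith"},
    {"id": 3, "name": "24h Locksmith",     "address": "100 Main St, Ste 3, Springfield",    "category": "locksmith"},
    {"id": 4, "name": "Key Locksmith",     "address": "100 Main St #4, Springfield",        "category": "locksmith"},
    {"id": 5, "name": "Springfield Plumb", "address": "100 Main St, Unit 99, Springfield",  "category": "plumber"},
    {"id": 6, "name": "Corner Bakery",     "address": "7 Elm Ave, Springfield",             "category": "bakery"},
    {"id": 7, "name": "Elm Dental",        "address": "7 Elm Ave, Suite 200, Springfield",  "category": "dentist"},
]

# Constructed building register: the suites that really exist at each address.
# An address missing from the register is treated as having no known suites.
KNOWN_SUITES = {
    "100 main st, springfield": {"1", "2"},
    "7 elm ave, springfield": {"100", "200"},
}

# Matches a suite designator ("Suite 1", "Ste. 3", "Unit 99", "#4") with its
# leading comma, so it can be stripped to recover the base street address.
SUITE_RE = re.compile(r",?\s*(?:\b(?:suite|unit|ste)\.?\s*|#\s*)([A-Za-z0-9-]+)", re.IGNORECASE)


def split_address(address):
    """Return (normalised base address, suite designator or None)."""
    m = SUITE_RE.search(address)
    suite = m.group(1).upper() if m else None
    base = SUITE_RE.sub("", address)
    base = re.sub(r"\s+", " ", base).strip(" ,").lower()
    return base, suite


def cluster_by_address(listings):
    """Group listings by base address, keeping each listing's suite designator."""
    clusters = defaultdict(list)
    for item in listings:
        base, suite = split_address(item["address"])
        clusters[base].append((item, suite))
    return clusters


def flag_stuffed_addresses(listings, known_suites=KNOWN_SUITES, postcard_cap=3):
    """Return {base_address: {"ids": [...], "reasons": [...]}} for suspect clusters.

    Check 1: more listings at one address than the postcard cap allows.
    Check 2: suite designators that do not exist in the building register.
    """
    report = {}
    for base, entries in cluster_by_address(listings).items():
        reasons = []
        if len(entries) > postcard_cap:
            reasons.append(f"{len(entries)} listings exceed postcard cap of {postcard_cap}")
        valid = known_suites.get(base, set())
        bogus = sorted(s for _, s in entries if s is not None and s not in valid)
        if bogus:
            reasons.append("unknown suite numbers: " + ", ".join(bogus))
        if reasons:
            report[base] = {"ids": [item["id"] for item, _ in entries], "reasons": reasons}
    return report


if __name__ == "__main__":
    for base, info in flag_stuffed_addresses(LISTINGS).items():
        print(base, info["ids"])
        for reason in info["reasons"]:
            print("  -", reason)
```

On the sample data only the Main St cluster is flagged: five listings against a cap of three, and three suite designators the register does not know about.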

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/19/scam_businesses_post_on_google_maps/

Fixing your oven can cook your computer

If your Hotpoint cooker or washer’s on the blink, don’t arrange a repair by visiting the company’s site: Netcraft says the appliance vendor’s foisting nastyware onto visitors.

Netcraft says it’s found fake Java update dialogs on Hotpoint’s UK and Republic of Ireland sites. If you click “Install” you won’t be updating Java, you’ll be firing up an obfuscated JavaScript that Hotpoint did not place on its site. That script tries to hide the fact it refers to a third-party site that can send a custom payload your way.

That payload won’t do nice things to your endpoint and may expose you to attacks like drive-by malware or phishing.

Netcraft says the source of the problem is almost certainly Hotpoint’s WordPress installation, and notes that the content management system “is notorious for being compromised if both it and its plugins are not kept up to date.”

The site in question – hotpointservice.co.uk – is a fine target for crims because it’s suggested as the place to register new products. Netcraft worries that the attack’s done rather well because it landed just before the Easter long weekend, meaning four sysadmin-free days of operation before IT staff came back to work and had the chance to fight back.

Hotpoint’s web site and social feeds are silent on the matter. The Register has asked Hotpoint if the attack was detected and defended and whether any customers or their data were compromised. When we hear back from the company we’ll update this story. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/19/hotpoint_hacked/

Speaking in Tech: Hacking Microsoft Windows? That’s cute

Podcast


Ed, Melissa and Amy are joined by Chris Wysopal, noted hacker and CTO/co-founder of Veracode on this week’s tech podcast. The crew talks about how hacking has evolved and the importance of secure software.

The details…

  • (0:00) Out and about
  • (2:40) Over Slacking
  • (4:30) Wysopal: Raising awareness of insecure software
  • (8:55) Hacking Windows
  • (10:19) “Nice hackers” testifying to Congress
  • (16:07) Taking down the internet in 30 minutes
  • (19:02) Building a security company
  • (26:21) Automating code review
  • (30:59) Veracode just acquired by CA
  • (41:16) Making secure software
  • (46:50) NSA hacking tools in the wild
  • (51:29) Burger King hijacks Google Assistant
  • (53:23) Re-gifting Alexa

Listen with the Reg player below, or download here.


Podcast Subscriber Links

Subscribe through iTunes

Subscribe through Google

Subscribe through Stitcher

Feed URL for other podcast tools – Juice, Zune, et cetera: http://nekkidtech.libsyn.com/rss

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/19/speaking_in_tech_episode_257/

Oracle patches Solaris 10 hole exploited by NSA spyware tool – and 298 other security bugs

Oracle today emitted a huge batch of 299 security fixes for its software – including a patch for a vulnerability exploited by a leaked NSA tool that can hijack Solaris systems.

Details of the massive April dump can be found here: Oracle describes the updates as “critical,” and urges admins to install them “without delay.”

Among the trove is a patch for CVE-2017-3622, a local privilege escalation hole in the Common Desktop Environment on Solaris 10 that is exploited by the NSA’s now-public EXTREMEPARR tool to seize control of vulnerable machines. This flaw isn’t present in Solaris 11, according to Oracle. That leaves Solaris 7 to 9 potentially vulnerable on Sparc and x86; these operating systems are not supported by Oracle, so you’re on your own with those.

Another leaked NSA tool, EBBISLAND aka EBBSHAVE, attempts to exploit a kernel RPC vulnerability (CVE-2017-3623) in Solaris 6 to 10, on x86 and Sparc, to give the attacker a remote root shell. This flaw is not present on Solaris 11 nor on Solaris 10 with critical patches installed since January 21, 2012, nor systems running Solaris 10 Update 11. Again, that leaves older unsupported Solaris boxes on their own.

In other words, Oracle patched the remote root hole now dubbed CVE-2017-3623 back in January 2012 for Solaris 10, and Solaris 11 is not affected. Solaris 10 was always at risk of the local root hole CVE-2017-3622, and now a patch is available for that operating system, and Solaris 11 was never affected.

Earlier versions of Solaris are out of luck as they are unsupported: if you’re running older boxes or unpatched systems – and many organizations are for various reasons – you need to pay close attention to what’s happening here.

It took Oracle a week to clarify the above after earlier refusing to comment on whether or not its software was vulnerable to the NSA toolkit leaked by the Shadow Brokers this month. The radio silence was highly frustrating for some in the sysadmin community.

“Oracle encourages all customers to update their systems frequently and fixes are cumulative – this is why any of the Solaris 10 patch distributions released since January 26, 2012, includes the fix,” a spokesman told The Register, referring to the patch that kills off the EBBISLAND weapon.

Matthew Hickey, the Brit infosec expert who demonstrated EXTREMEPARR and EBBISLAND on vulnerable pre-Solaris 11 systems, told The Reg it looks as though Oracle has ironed out the vulnerabilities – at least for supported installations.

“There’s no data on the CDE local root,” he noted. “And it seems they got lucky patching the remote vulnerability out of the RPC code in 2012: it was a previously unknown bug as it has a new CVE.”

Besides the spyware drama, there are patches to be applied to Oracle’s Database, Fusion Middleware, PeopleSoft suite, Oracle Communications tools, Oracle Financial Services software, its retail applications, Java SE, Oracle Linux and MySQL, and more. Get updating ASAP, if you can. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/19/oracle_april_security_patches_nsa/

News in brief: Facebook introspects; Magento RCE; RIP Robert Taylor

Your daily round-up of some of the other stories in the news

Killing prompts Facebook introspection

Facebook is reviewing its handling of content that violates its standards after a man used the platform to broadcast a murder on 16 April.

As a result of this terrible series of events, we are reviewing our reporting flows to be sure people can report videos and other material that violates our standards as easily and quickly as possible.

In addition to improving our reporting flows, we are constantly exploring ways that new technologies can help us make sure Facebook is a safe environment … We are also working on improving our review processes.

The killer uploaded three videos within the space of eleven minutes on Sunday. The first announced his intention to commit murder, the second showed the crime itself and the third was a confession.

According to Facebook’s timeline of events it was made aware of the first video within 18 minutes but almost an hour and 45 minutes elapsed before users began reporting the murder itself. The company disabled the suspect’s account 23 minutes later.

Earlier today Pennsylvania State Police announced that the man suspected of killing Robert Godwin as he walked home on Sunday afternoon had taken his own life.

Magento Remote Code Execution Vulnerability

A remote code execution vulnerability has been found in version 2 of Magento’s popular ecommerce software. The bug requires admin access so although it’s serious it will likely be hard to exploit.

In a security announcement sent on 14 April the Magento Security Team advised that the vulnerability will likely not be fixed until early May. Until then users are encouraged to enforce the use of the software’s “Add Secret Key to URLs” feature.

The following steps will enable the feature:

  1. Log on to the Merchant Site Admin URL (e.g., yourdomain.com/admin)
  2. Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs
  3. Select YES from the dropdown options
  4. Click on Save Config

A full description of the flaw can be found in an advisory published on DefenseCode.

Robert Taylor dies

Internet pioneer Robert Taylor died at his home in Woodside, California on 13 April 2017.

Praised for his “visionary leadership” Taylor was an inductee of the Internet Hall of Fame, a recipient of the National Medal of Technology and a winner of the Draper Prize.

In 1966 he initiated the connection of ARPA-funded research centres into the ARPAnet, a network that would eventually evolve into the Internet.

At Xerox Corp he founded the iconic Palo Alto Research Center (PARC) where the blueprint for much of modern personal computing was established.



Image of Robert Taylor by Gardner Campbell licensed under CC BY-SA 2.0.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/G4t0XcPGWH4/

Stop asking people for their passwords, rights warriors yell at US Homeland Security

Civil and digital rights groups are leading a campaign to stop the US Department of Homeland Security demanding access to foreigners’ social media accounts when entering America.

In an open letter to DHS secretary John Kelly, the group argues that by forcing travelers from some countries to give border patrol agents free rein on their devices and social networks, the DHS is violating human rights and putting folks at risk of abuse.

“Please reject any proposal to require visa applicants, refugees, or other foreign visitors to provide passwords for online accounts, including social media, in order to enter the United States,” the letter asks of Kelly.

“Such a requirement would violate human rights, create digital security risks, and undermine US industry. It would chill the speech and behavior of people around the world.”

The profile-scanning practices were revealed to the public in early March, and caused an outcry from privacy advocates.

The groups signing on in support of the campaign include the ACLU, the Center for Media Justice, the Open Technology Institute and the Electronic Privacy Information Center (Epic.org). Members of the public are also being urged to participate.

“Login access to social media accounts provides intimate information on a person as well as their connections. If you use a social media account to log in to other websites, it may also create a detailed dossier that broadly maps your entire digital life,” the group wrote, inadvertently explaining exactly why the DHS would want the information.

The letter goes on to note a pair of caveats that the DHS has yet to explain its work-arounds for: the delete button and the burner phone.

“The requirement will disproportionately impact low-risk travelers, since terrorists and criminals will simply evade these requirements by using different accounts and devices,” they note. “US citizens will also feel the impact, as other countries will almost certainly follow suit.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/18/homeland_security_screening/

‘Intrusion Suppression:’ Transforming Castles into Prisons

How building cybersecurity structures that decrease adversaries’ dwell time can reduce the damage from a cyberattack.

Winter is coming in 2017 and, as in Westeros in the Game of Thrones, geopolitical tension continues to serve as the harbinger for destructive attacks. In the real world, we’re talking about cyberattacks, and the threats aren’t from dragons and Wights, but cyber campaigns like Pawnstorm against NATO over the security of the Baltics, the ISIS and AQAP quagmire in the Mideast, and, closer to home, increasingly disillusioned American voters turning toward organized hacktivism to unleash their fury and frustration.

Given these harsh realities, it’s imperative that we as an industry build up our cybersecurity architectures based on a deeper understanding of how attackers attack, and what they do once they are inside the castle walls. As the recent Verizon Data Breach Report noted, most breaches are not discovered for at least 100 days. This damning reality necessitates a paradigm shift. According to the same report, 81.9% of compromises are caused by breaches that took minutes to accomplish, while 67.8% of compromises took days to reach the exfiltration stage. The survey noted that it took months for a victim organization to respond to a cyber intrusion.

Given the fact that the cybercriminal has a footprint within a company network for an extended period, organizations must alter their security posture accordingly; the metric by which we should assess the potency of a cyber-countermeasure is how effectively it can decrease an adversary’s dwell time. Decreasing dwell time is the measurable metric by which we can value a return on investment for an enterprise. Diving down into what decreasing dwell time affords the enterprise requires an examination of what the costs are to the enterprise when exfiltration of their data occurs.

SuperMax Prisons Cybersecurity Architectures
In 1933, the United States Department of Justice opened Alcatraz Prison in San Francisco Bay. The purpose was to incarcerate a certain caliber of prisoner described as “desperate or irredeemable” in response to the hardened organized criminals arrested by the FBI. In recent years, there was a recognition that the older architectures like Alcatraz were insufficient to house the contemporary criminal and terrorist. Thus, in 1994 the Federal Bureau of Prisons opened the Administrative Maximum Facility (ADX) in Florence, Colorado, housing the likes of Ted Kaczynski, Timothy McVeigh, and Robert Hanssen.

Image credit: Lightspring via Shutterstock

These SuperMax “control-unit” prisons, or units within prisons, represent the most secure levels of custody. The objective is to provide long term, segregated housing for inmates classified as the highest security risks in the prison system. The facility was constructed to permanently keep criminal masterminds imprisoned. The prison as a whole contains a multitude of motion detectors and cameras, and more than a thousand remote-controlled steel doors. Pressure pads and 12-foot-tall (3.7 m) razor wire fences surround the perimeter. The early detection of lateral movement is paramount as the prisoners attempt to tunnel out.

An Alcatraz for your Network
The same construct should be applied to your hybrid network environment. The importance of early detection is that the more dwell time the adversary has in the environment, the longer it takes to detect and contain a data breach, the more costly it becomes to resolve, and the harder a brand’s reputation is hit.

To thwart a virtual jailbreak with your intellectual property and credentials that could cause irreparable damage to a brand, cybersecurity leaders must embrace the concept of “intrusion suppression” by altering their architecture to emulate the “SuperMax” prison. Intrusion suppression requires clandestine detection, deception, diversion and eventual containment of a cyber adversary. It involves four steps that aim to detect cybercriminals by decreasing their dwell time and lateral movements:

Step 1: Deploy a deception grid to enhance situational awareness per the latest techniques to deceive and divert the adversary unbeknownst to them.

Step 2: Deploy user entity behavior analytics, which provides contextual analysis on the activity and lateral movement of the adversary.

Step 3: Deploy adaptive authentication with contextual verification to hunt the adversary in the wild.

Step 4: Embrace memory augmentation to remove all hiding places to find the adversary more quickly.

These investments are fundamental to turn the tables on the cybercriminal of 2017. Enterprises must consider investing in complementary technologies that specifically aim to diminish adversary dwell time through intrusion suppression. Not only will they help keep costs down in the event of a breach by stifling the adversary’s exfiltration of meaningful data, but they will also help protect the reputation of the enterprise that has been breached.

As a community of white hats, we must respect our adversaries and spin the chessboard. The proper strategy for your organization is to build a structure that inhibits the free movement of the adversary once they penetrate your system. We must transform our castles into prisons.  

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15-16, where Dark Reading editors and some of the industry’s top cybersecurity experts will share the latest data security trends and best practices.]


Tom is a cyber intelligence expert, author, professor, and leader in the field of cybersecurity. Having held a seat on the Commission on Cyber Security for the 44th President of the United States and serving as an advisor to the International Cyber Security Protection …

Article source: http://www.darkreading.com/endpoint/intrusion-suppression-transforming-castles-into-prisons/a/d-id/1328665?_mc=RSS_DR_EDT

How Top Security Execs are Doing More with Less

Even the largest corporations aren’t immune to the cybersecurity skills gap – an inside look at how they are coping and adjusting.

You might think the largest US corporations have the least trouble attracting new cybersecurity talent, but that’s not necessarily the case. Many millennials are more interested in start-ups and new companies rather than the traditional Fortune 100/1000, which they may not think are as tech-savvy or as bleeding edge as a new firm.

Security executives from three tech-savvy major corporations – Coca-Cola, Ford Motor Co., and Microsoft – will share their firsthand experience and insight on how they are managing and coping with the cybersecurity skills shortage next month at Interop ITX in Las Vegas. Like small- and midsized businesses, these major corporations also find themselves doing more with less at a time when the job openings exponentially outnumber the candidates in the talent pool.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15-16, where Dark Reading editors and some of the industry’s top cybersecurity experts will share the latest data security trends and best practices.]

Katherine Fithen, chief privacy officer and director of Global IT Governance Compliance for The Coca-Cola Company; Rob Duhart, Ford Motor Company’s Big Data Analytics Security Lead, Data Supply Chain, EEIT; and Ann Johnson, vice president of the Enterprise Cybersecurity Group at Microsoft, will participate in a panel discussion called “Surviving The Security Skills Shortage” on Wed., May 17, 11:40am PT at Interop ITX.

The panel will discuss their recruiting efforts to attract new and young security talent, as well as how they retain those elusive top performers. Retraining their existing IT and security teams also is a big part of the strategy today, especially as skillsets must quickly evolve with rapid-fire technology and threat changes. The security execs also will give advice on what works and what doesn’t, as well as what they consider the hottest and most in-demand security skills today.


Article source: http://www.darkreading.com/careers-and-people/how-top-security-execs-are-doing-more-with-less-/a/d-id/1328668?_mc=RSS_DR_EDT

CISOs, Board Members Have Widely Divergent Views on Cybersecurity

Boards often want a lot more business-relevant reporting than CISOs provide, Focal Point Data Risk study shows.

For all the talk about cybersecurity needing to be a board-level issue, security executives and corporate directors continue to have very different views on just about every critical aspect of the security function.

Research released this week by Focal Point Data Risk shows that CISOs and board members often have different perspectives on the value of cybersecurity, on how to assess the effectiveness of security programs, and how to measure and express risk.

While C-suite members, for example, often viewed data and brand protection as the primary value of cybersecurity to the organization, CISOs somewhat surprisingly viewed their primary functions as guiding and enabling the business and ensuring loss avoidance.

For the report, Focal Point conducted one-on-one interviews with more than 50 CISOs, 25 corporate directors and 10 subject matter experts. The goal was to try and identify how corporate directors and CISOs viewed each other’s roles and responsibilities on the cybersecurity front. Interview questions were open-ended and were conducted by Cyentia Institute, which also wrote the report.

One of the key discoveries was that CISOs—at least those interviewed for the report—generally tended to view the security function as having less to do with data and brand protection than board members.

A lot of that, according to the report, may simply have to do with CISOs trying to position cybersecurity as a business enabler rather than a cost center in meetings with board members. While security executives know that protecting data is one of their primary functions, many feel pressured to demonstrate how that helps the bottom line, the report noted.

Board members and CISOs also had substantially divergent views on the effectiveness of their organization’s security program. While 46% of security executives in the Focal Point study expressed confidence in their security controls, only 5% of board members shared that sentiment. Conversely, 49% of board members expressed a lack of confidence in their organizational security controls compared to 13% of security executives who felt the same way.

“CISOs have a challenging time proving a negative, that if they didn’t exist [it] would result in a material weakness and bad outcome,” says Yong-Gon Chon, CEO of Focal Point Data Risk. The board’s lack of confidence also stems from the continuing habit of security executives presenting cyber jargon to the board instead of business language, Chon said. Meetings with security executives often leave board members with the impression that no matter how much they spend, they will still get breached.

Similarly, the metrics that CISOs use to convey the status of the organization’s security program to the board tend to be more operational in nature while board members are far more interested in big picture metrics such as peer benchmarking.

One surprising finding from the report is the relatively low desire among board members to see risk expressed in terms of financial losses over a specific time frame.

“I hear it said a lot that the ‘language of the board is dollars,’ and assumed that meant they’d want to hear cyber risk discussed in those same terms,” says Wade Baker, co-founder of Cyentia Institute. “But I think there’s a lot of skepticism on the ability to accurately measure cyber risk, and so they prefer a clear explanation of where things stand.”

John Pescatore, director of emerging security trends at the SANS Institute says much of the disconnect stems from a failure by CISOs to communicate. “CISOs [are] very good at presenting ‘blood in the streets’ and very bad at presenting strategy on how to avoid it,” Pescatore says. Many are weak at using trend data to give the board confidence that the business could avoid or minimize the risks facing them.

CISOs have to learn to show the connection between security expenditures and business impact. “That doesn’t always mean ROI, but it does mean more than ‘bad things are happening. If we don’t get more people or spend more money, it will happen to us,’” he said.

Framing things in terms of risk and business enablement can help enable a better conversation with the board, adds Christopher Pierson, general counsel and chief security officer at online payment service Viewpost.

“Showing the board a bunch of flowcharts, diagrams, and numbers on how much malware was blocked does not answer or address their fundamental question,” Pierson says. What the board wants to know is how the security organization is mitigating risk and what its directors can do to help.

“A [board member] favors metrics combined with an intuitive story. But it has to be a narrative they can understand,” says Daniel Kennedy, an analyst with 451 Research. “The somewhat difficult, technical problem of security needs to be described in layman’s terms that go just deep enough for very intelligent people, who happen not to be security experts [to understand],” Kennedy says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/operations/cisos-board-members-have-widely-divergent-views-on-cybersecurity/d/d-id/1328674?_mc=RSS_DR_EDT