Come Join the Discussion

Tuesday, February 05, 2019

Treasure Trove of Credentials Exposed

There are 773 million email addresses and 21 million passwords in a list circulating in the hacker community. It is a compilation of many smaller lists taken from past breaches and has been in wide circulation; some lists date back to 2015. Despite its recycling of previously breached credentials, the widely available list no doubt makes it easier than ever for even unskilled hackers to capitalize on the bevy of breaches that have occurred over the past decade.

My personal advice for your accounts:

1) It’s important to change your passwords regularly, and to use different passwords for each service/site you frequent. That is almost impossible to manage by hand, but you can sign up for a password manager (more on that below).
2) Enable two factor authentication for your password vault.
3) Set a reminder each day to change AT LEAST ONE of your passwords to a string of 20+ random characters.
4) Start enabling two factor authentication on sites that support it (email, online banking, social media).

If you do this, you'll negate the black market value of credential dumps like this one.

Use a Password Manager; many have free versions: https://www.cnet.com/news/the-best-password-managers-directory/

Want to check if your email account was discovered in any data breaches? Go to HIBP (Have I Been Pwned): https://haveibeenpwned.com/

Want to check if your passwords have been previously exposed in data breaches? Pwned Passwords has 551,509,767 real world passwords. If your password shows up, change it IMMEDIATELY.
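The Pwned Passwords check works without ever sending your password anywhere: only the first five characters of its SHA-1 hash go to the service, which returns every hash suffix it knows for that prefix, and the comparison happens on your own machine. The following Python script is an added example written for this post (it is not code from HIBP or from the original article). The range URL is the documented HIBP endpoint; the sample response and its breach count are constructed here so the check runs offline, and the network function is only used if you call it yourself. It also shows how to generate the 20+ random character strings recommended above.

```python
import hashlib
import secrets
import string
import urllib.request

# Range endpoint of the Pwned Passwords k-anonymity API (documented by HIBP).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse the 'SUFFIX:COUNT' lines returned for a hash prefix and return how
    many times our password's suffix was seen in breaches (0 = not found)."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        seen_suffix, _, count = line.partition(":")
        if seen_suffix.upper() == suffix:
            return int(count)
    return 0


def check_password_online(password: str, timeout: float = 5.0) -> int:
    """Live check against the HIBP range API (needs network access; not run by default)."""
    prefix, suffix = hash_prefix_suffix(password)
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range_response(suffix, body)


def generate_password(length: int = 20) -> str:
    """Random password from letters, digits and punctuation using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample response: the shape the range endpoint returns for the
# prefix of "password". The other suffixes and all counts are made up, not live data.
SAMPLE_PREFIX, SAMPLE_SUFFIX = hash_prefix_suffix("password")
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{SAMPLE_SUFFIX}:3730471",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
])

if __name__ == "__main__":
    print("prefix sent to API:", SAMPLE_PREFIX)
    print("breach count for 'password' (sample data):",
          count_in_range_response(SAMPLE_SUFFIX, SAMPLE_RESPONSE))
    print("replacement password:", generate_password(20))
```

A count of zero means the password was not in the corpus at the time of the check, not that it is strong; a count above zero means change it, as the post says.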

Monday, October 01, 2018

The Evolving role of the CISO

The CISO's role has been evolving over the years. It is moving away from so much emphasis on compliance and monitoring towards a more strategic role, particularly as CISOs get more and more access to the C-Suite. A key to success as a CISO is collaboration with, and understanding the work of, other business units. A large part of the job is not about technology at all. It is about relationships, project management, and learning about several parts of the business. It is a good CISO's job to adequately assess and point out the risks to the business of various projects and business practices.

What are other key elements that are part of the strategy of a successful CISO? Have you initiated a balanced Security Awareness Program? Is security baked into your company's SDLC? Are you regularly running scans of both your network and your applications? Are you monitoring your network to detect unusual activity? What about when that dreaded intrusion into your network occurs? Do you know what to do? What about third party risk? Do you have adequate InfoSec policies, standards, and procedures?

Monday, March 05, 2018

Mental illness, Homelessness, and our Security

You might ask: Why are so many people with Mental Illness out on the streets or homeless? President Reagan has most of the responsibility for why so many people with mental illness are homeless. At least one third of those living on the streets and half of our jailed population suffer from mental illness, and should be in institutions specifically designed to help these individuals. During his presidency in 1980 (a sad time), Reagan stopped funding federal community mental health centers, thus removing services for those people who suffered with mental illness. While he was the governor of California, he had done something just as cruel: he released over half of the mental hospital patients in the state. He even passed legislation wiping out a requirement for involuntary hospitalization for those with mental illness. As so often is the case, as the president goes, so goes the country. As a result, states followed suit, and started to open the gates of mental institutions throughout the country. Ironically, in 1981, President Reagan was shot by John Hinckley Jr., who had mental illness. Is there a connection between so many of the shooters out and about hurting and killing so many innocent people and President Reagan? I think so!

Wednesday, February 21, 2018

Watch out for Email Scams About the Olympics

There are reports that hackers are using a 2018 Winter Olympics Phishing Campaign that hides malicious attacks inside of an image!

Why is this particularly dangerous? Not only does hiding the attack inside an image help it evade detection, but once it actually runs, it uses a technique that generally won't get picked up by traditional antivirus solutions.

How is the Attack being Done? The attack is being delivered via phishing emails disguised as alerts from the country's National Counter-Terrorism Center, with malicious Word documents attached. Once opened, the Word doc encourages readers to enable content. DO NOT ENABLE CONTENT. The tricky aspect of this attack is that no download of the actual image is necessary: malicious code can be run from either downloaded images or images hosted on the web. That means an attacker doesn't necessarily need to download an image onto a machine in order to get the malicious code to run on that machine.

What to do to protect yourself and your company

• Do not open email attachments from senders you don't know: You should be especially wary of Word documents that ask you to enable content/macros.
• Do not click on any links in an email.
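A Word document that asks you to "enable content" is asking to run its macros, and a mail gateway or help desk can spot that before anyone opens the file: a modern Word file is a zip container, and one carrying VBA contains a `word/vbaProject.bin` part and declares a macro-enabled content type. The script below is an added example written for this post, not code from the original article or from any vendor. It inspects an attachment's bytes for those markers and also flags the common trick of a macro-bearing file delivered under a plain `.docx` name; the sample documents it builds are constructed in memory and contain placeholder bytes, not real macros.

```python
import io
import zipfile
from pathlib import PurePosixPath

# OOXML markers that indicate a Word document carries VBA macros.
MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def docx_macro_findings(data: bytes, filename: str) -> list:
    """Return findings for an OOXML attachment given its raw bytes and claimed
    filename. An empty list means no macro indicators were found."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not a valid OOXML (zip) container"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if MACRO_PART in names:
            findings.append("contains VBA project (word/vbaProject.bin)")
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
        if MACRO_CONTENT_TYPE in ctypes:
            findings.append("declares macro-enabled content type")
        # A file named .docx should never carry macros; that mismatch is a red flag.
        if findings and PurePosixPath(filename).suffix.lower() == ".docx":
            findings.append("extension .docx but document carries macros")
    return findings


def build_sample_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container in memory (sample data, not a real document)."""
    main_ct = MACRO_CONTENT_TYPE if with_macros else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr(MACRO_PART, b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for name, macros in (("agenda.docx", False), ("alert.docx", True)):
        print(name, "->", docx_macro_findings(build_sample_docx(macros), name) or "clean")
```

This is a triage check, not a verdict: a document with no macro indicators can still carry an exploit or a link, so the "do not open unexpected attachments" rule above still stands.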

Tuesday, February 20, 2018

Third Party Risk

A phone call or personal meeting is often crucial for success when dealing with third parties that have access to your critical or confidential data. East coast partners like morning meetings; I think they take great pleasure in doing this to us Californians to get back at us for the amazing weather we have. When we have business partners, we have to get assurance that they are practicing appropriate security and have a mature security program with good security controls. Make sure you have security standards to share with your partners, and ensure that they can follow them. These standards should cover contract language, their development environment, coding standards, ongoing assessments of their systems and processes, and much more. The last thing you want is for a breach of your data to occur when you had not done adequate assessments of your business partner.

Friday, January 27, 2017

How to secure budget for some key initiatives; a sales pitch to the C-Suite

- Build a presentation on the increase in cyber risk to the company.
- Goal is to convince the C-Suite that ownership of risk needs to be at their level.

You need to build a culture of security awareness throughout the organization. The CISO must hone their skills as a salesperson or public relations master. Security must be sold as a crucial part of the business culture of the organization. Concise points with little to no technical information are crucial if you want to keep the attention of the key decision makers. Rehearse your sales pitch and keep it short. Graphs and charts with red/orange/green representing current status seem to be examples of good approaches. The absolute last thing you want to present is the number of attacks, or, for that matter, the number of anything! Talk risk, likelihood, and potential impact to the business. Speak in “businessese”.
What do you do if you suspect you have a phishing attack? What is your response plan? Does it include:

- Requesting that the suspicious email be forwarded to you as an attachment?
- Analyzing the URL links, headers, sender address, and business need or applicability?
- Checking whether there were any attachments? If yes, filter them through VirusTotal or some other reliable online tool to see whether they have been reported as malicious.

If the attachment or URL is malicious, check the logs for user activity and be sure to interview the user or users. Interviewing the user is important to ascertain whether they either intentionally or inadvertently clicked on a link to a possibly malicious site. But review the logs, as users often either don’t recall, or will not admit, their behavior.

Clearly some technical knowledge and skills are necessary to address this possible security incident. But there also is a project planning aspect to managing this. Having a good Incident Response process has always been important, but with the proliferation of phishing attacks on all businesses and organizations, never more so than today. This must be one of your highest priorities. Mock drills are an essential part of this process. Just like testing backups, testing your IR plan is crucial. You have to know if you have been breached.
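The first three steps of that plan (get the message as an attachment, look at headers and sender, hash the attachments for a reputation lookup) can be scripted so the analyst starts from facts rather than from a screenshot. The Python below is an added example written for this post, not code from the original article or any IR product. It parses a raw RFC 822 message, compares the From, Return-Path and Reply-To domains, extracts every URL from the body, and computes the SHA-256 of each attachment so it can be searched on VirusTotal by hash without uploading the file. The sample message is constructed inline and every address and domain in it is made up.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def _addr_domain(value) -> str:
    """Lower-cased domain of an address like 'Name <user@domain>' ('' if none)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_email(raw: bytes) -> dict:
    """Summarize what an IR analyst wants first: sender/return-path mismatches,
    every URL in the body, and attachment hashes for a reputation lookup."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _addr_domain(msg["From"])
    return_path_domain = _addr_domain(msg["Return-Path"])
    reply_to_domain = _addr_domain(msg["Reply-To"])
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_attachment():
            payload = part.get_payload(decode=True) or b""
            attachments.append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "sha256": hashlib.sha256(payload).hexdigest(),  # look this up, don't open it
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    flags = []
    if return_path_domain and return_path_domain != from_domain:
        flags.append("Return-Path domain differs from From domain")
    if reply_to_domain and reply_to_domain != from_domain:
        flags.append("Reply-To domain differs from From domain")
    if attachments:
        flags.append("has attachment(s): check hashes against VirusTotal before opening")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "reply_to_domain": reply_to_domain, "urls": sorted(set(urls)),
            "attachments": attachments, "flags": flags}


def build_sample_email() -> bytes:
    """Constructed phishing-style message; all names, domains and content are made up."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.com>"
    msg["Return-Path"] = "<bounce@mail-example.net>"
    msg["Reply-To"] = "<support@mail-example.net>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Action required: password expires today"
    msg.set_content("Reset here: http://example.net/reset?u=1 or http://example.net/reset?u=1\n")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf",
                       filename="notice.pdf")
    return bytes(msg)


if __name__ == "__main__":
    report = triage_email(build_sample_email())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Pair the report with the user interview and the proxy or mail logs the post describes; the script tells you what was sent, the logs tell you what was clicked.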

Monday, January 16, 2017

Synergy Between the CISO and Application Development

CISOs must work collaboratively with the heads of Application Development to ensure a Secure Development Life Cycle process is being implemented and followed. Developers must be following our secure coding standards. Are secure ESAPI libraries being used? ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.

An effective CISO must have some knowledge of Application Security best practices. OWASP, the Open Web Application Security Project, is a great resource for this. It is a not-for-profit international organization of volunteers who are passionate about secure coding and development. Most CISOs I have known, other than the few who came up as developers, are admittedly weak in this area, and will often rely heavily on the myriad of tools and projects from OWASP. The most recognized is the OWASP Top 10, a broad consensus about what the most critical web application security flaws are.

Part of a good Application Development Security Strategy is having both static and dynamic application vulnerability scanning in place. These scanning tools cannot be run out of the box; they need configuration.
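What a secure coding standard actually asks of developers is concrete: validate input against an allowlist, encode output for the context it lands in, and keep data out of query syntax. ESAPI packages those controls for Java; the Python below is an added example written for this post (not ESAPI code, not code from the original article) that shows the same three controls in the smallest form, each beside the unsafe pattern a static or dynamic scanner would flag. The table, usernames and inputs are constructed for the demonstration.

```python
import html
import re
import sqlite3

# Allowlist in the spirit of ESAPI's Validator.getValidInput(): a username is
# 3-32 characters from a fixed character set; anything else is rejected outright.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting_unsafe(name: str) -> str:
    """Unsafe pattern: untrusted input is concatenated straight into HTML."""
    return "<p>Welcome, " + name + "!</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: output encoding, the role ESAPI's encoder().encodeForHTML() plays."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "!</p>"


def make_db() -> sqlite3.Connection:
    """In-memory sample table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Unsafe pattern: string-built SQL, so the input can change the query's meaning."""
    return conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: parameterized query; the input is only ever treated as data."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def lookup(conn: sqlite3.Connection, name: str) -> list:
    """Validate first, then query with parameters: the two controls together."""
    if not is_valid_username(name):
        return []
    return find_user_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("unsafe query rows:", len(find_user_unsafe(db, probe)))  # every row leaks
    print("safe query rows:", len(find_user_safe(db, probe)))      # nothing
    print(render_greeting_safe("<b>guest</b>"))
```

Code review against a standard like this is exactly what the scanners the post mentions automate; the configuration they need is largely telling them which of these patterns your codebase is supposed to use.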