Progressive infosecurity executives take advantage of social media to share expert opinions, get the latest industry news, and exchange thoughts with their peers. Twitter, in particular, offers a wealth of informative feeds and real-time conversations about security. By popular demand, we’re expanding our CIO Corner blog series to security professionals. The new CISO Beat will showcase a few of our favorite tweets from the top CISO types on Twitter. This is your guide to today’s social CISO conversation.
The security community flocked to Twitter to discuss the latest vulnerability, FREAK: a TLS downgrade attack in which a man-in-the-middle tricks a vulnerable client into accepting a 512-bit export-grade RSA key from a server that still offers the legacy RSA_EXPORT cipher suites, a key size that can be factored in a matter of hours. Ferdinand Kobelt, CISO at the Swiss Department of Defense, posted an article outlining the threat from FREAK to Windows PC users. While most of the buzz around FREAK focused on the risk to clients visiting vulnerable websites, we found that 766 cloud service providers were still offering those export-grade suites a full 24 hours after the vulnerability was first announced.
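The server-side half of FREAK is visible on the wire: the ServerHello names the cipher suite the server chose, and if that suite is one of the RSA_EXPORT suites the connection can be downgraded. The following Python is an added example, not code from the original post or from the research it cites; it parses a TLS 1.0 to 1.2 ServerHello record and reports the negotiated suite if it is export-grade RSA. The `build_server_hello` helper and the records it produces are constructed fixtures for the demonstration, not captured traffic, and the suite table covers only the RSA_EXPORT suites that FREAK abuses (the DHE export suites are a related but separate issue and are left out).

```python
import struct
from typing import Optional, Tuple

# RSA export-grade cipher suite identifiers (IANA TLS Cipher Suite registry).
# Negotiating any of these means the server will hand the client a temporary
# 512-bit RSA key, which is the precondition for a FREAK downgrade.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
SERVER_HELLO = 0x02       # handshake message type: ServerHello


def parse_server_hello(record: bytes) -> Tuple[int, int]:
    """Return (protocol_version, cipher_suite) from a TLS ServerHello record.

    Follows the TLS 1.0-1.2 layout: 5-byte record header, 4-byte handshake
    header, then version(2) random(32) session_id(1+n) cipher_suite(2)
    compression(1). Raises ValueError on anything malformed or truncated.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]                      # session_id length follows the 32-byte random
    off = 35 + sid_len
    if len(hello) < off + 3:                 # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    return version, suite


def freak_exposure(record: bytes) -> Optional[str]:
    """Name of the negotiated RSA export suite, or None if the server chose a non-export suite."""
    _, suite = parse_server_hello(record)
    return RSA_EXPORT_SUITES.get(suite)


def build_server_hello(suite: int, version: int = 0x0301, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (test fixture, not captured traffic)."""
    hello = (struct.pack("!H", version)
             + b"\x11" * 32                           # server random (constructed)
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite)
             + b"\x00")                               # null compression
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD]) + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed samples: one export-grade negotiation, one modern AES suite.
    for label, rec in [("export", build_server_hello(0x0008)),
                       ("aes128", build_server_hello(0x002F, session_id=b"\xaa" * 8))]:
        print(label, freak_exposure(rec) or "no RSA export suite negotiated")
```

The same check applies to a real capture: feed the first handshake record the server returns to `freak_exposure`; a non-None result means the server still accepts the export-grade key exchange and should have those suites disabled regardless of how patched its clients are.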
Another must-read (and hilarious) security scare story came from former US Department of Defense CISO Nikk Gilbert. In this case, CSO writer Steve Ragan was telephoned by an attacker purporting to be a Microsoft support agent, the classic tech-support scam. Ragan recorded the call, and you can listen to the full recording up until he tells the scammer that he is a security researcher and will write about the attempt. This is a great read: first, for the educational value of following the attacker's process step by step, and second, for the satisfaction of witnessing a scammer caught red-handed.
Changes in the way employees work, especially the consumerization of IT and BYOX trends, have made a hermetically sealed corporate environment impossible. As a result, the enterprise perimeter has evolved to include cloud services and mobile devices. Financial services company CRH’s CISO Jared Carstensen shared an article arguing that “resiliency” is increasingly important as the concept of an impregnable defense is no longer feasible.
Further to this point, security teams will want to have a strategy on hand to ensure a system breach doesn’t turn into a headline-worthy affair. Farhaad Nero, VP of Information Security at Bank of Tokyo Mitsubishi, shared six steps for surviving your first data breach. A shared theme among many of the worst hacks in the past year was a lack of preparedness and disciplined response. Security teams would be negligent not to practice their breach response protocol to prepare for the big day we hope never arrives.
On the prescriptive thread, Comcast CISO Myrna Soto provides some key advice for teams working on their security awareness programs. User error and negligence have come into the spotlight as a leading attack vector. In fact, at the average company 12% of users are affected by stolen credentials. This article offers detailed best practices on communicating security threats to employees. Most importantly, the advice is endorsed by a top InfoSec professional: Soto says she intends to incorporate all of the recommended features into her own organization’s program.