Archive for the News Category

#BSidesSF: How to Create a Security Program and Culture as the First Security Hire

At BSides San Francisco, Bryan Zimmer, head of security at Humu, delivered a talk on how to create a security program and develop a security-centric culture as the organization’s first security hire.

“So you’re the first security hire,” began Zimmer. “You’re going to need social skills.” Zimmer advised that being humble and building relationships with key stakeholders, department heads, and various teams around the organization is critical to getting ahead as a security leader. “It’s not just about tech and tools,” he said. “It’s about security culture.”

Zimmer suggested that being approachable and thankful and parking the jargon will all contribute to your success as a communicator. “Collaborate, don’t dictate,” he said. Additionally, social skills will get you executive buy-in early, which is very important in terms of securing budget and making a name for yourself. “Identify the major stakeholders and engage one on one with them.

“Ask for feedback, have empathy, and always send the elevator back down,” continued Zimmer, explaining it means “using your power to help others below you. Find and hire minorities, invite graduates to industry events, offer career advice.”

Strategy

Zimmer noted that one of the most important things to establish when starting out in the role is the organization’s priorities and strategy. “Find out what matters most to the business, determine what needs protecting and what it considers to be its crown jewels. Ask about budgets and time frames and goals. You need to establish if the company is just ticking a box or whether it deeply cares about security.” But, importantly, added Zimmer, “Protect customer data, because it’s the right thing to do.”

Next up, he advised, “find out what laws you have to comply with and establish policies and frameworks in line with these.” His advice is to “outsource as much of the compliance stuff as you can.”

The session was summarized with these visual notes, by Kingman Ink

Establishing what level of risk the business is comfortable with should also be at the top of a security leader’s agenda, Zimmer said. “Find out where your data is and where it is going and turn on whitelisting from the beginning. Take an inventory of your applications and integrations and create a basic risk spreadsheet.” Further, he advised digesting and using threat report data.

Simplify

Zimmer is a big proponent of simplification. That includes language. “Speak English, not techie,” he said. “Technical language alienates people, and they won’t want to talk to you again, so always tailor your level of techie to your audience. Be friendly, say hello to people, increase your visibility in the business, and collaborate with different departments.”

Zimmer believes it’s a security leader’s job to set the culture, not just the technology. “Set principles of transparency and tell people what you’re doing, assure them and build a rapport with staff.” Giving employees tools and the education to use them makes staff self-reliant, he said, which is good because “you can’t possibly be involved in every single security decision.”

People hate hearing no, said Zimmer, so “don’t hold up business unless it’s critical. Always assume good intent, people are just trying to get their job done, and that will make you wanted, not feared.”

Create a positive security culture by avoiding complex policies and procedures, he advised. Security training too, he added, should not be complicated. “Don’t over-communicate, because people will ignore it after a while.” Zimmer shared examples of awareness campaigns he used in his last role at Netflix, using humor and cute animal photos to attract attention. “The head of legal loved the hedgehog poster,” he recalled. “Security is a dry topic, so be creative and make it fun.”

Finally, he gave a nod to physical security. “Who else will do it?” he said, suggesting this may fall into the security leader’s remit for the first year or two. “Consider authentication, access control, and monitoring,” he concluded.

Source: Information Security Magazine

#BsidesSF: Keynote: Slack CISO Reflects on a Decade of Mayhem and Gives Checklist Advice in Its Wake

At BSides San Francisco, Larkin Ryder, the interim CISO at Slack, delivered a keynote based on a decade of retrospection, reflection, and prediction. 

Ryder broke down her observations on the past ten years of cybersecurity into the following notable categories: malware, data breaches, vulnerabilities, and privacy. “Over the past decade, malware went critical,” she observed, calling out Stuxnet, WannaCry, and NotPetya as the most notable.

Her journey of reflection then moved on to data breaches, of which she called Yahoo! “one of my favorite breaches” due to the story of prosecution and conviction. She then referenced the Adult Friend Finder and Ashley Madison breaches as breaches with a different motive. “These breaches were about hackers making a moral judgement, and [the abstraction of] a different type of very personal information,” she noted. “Then there was Target,” which brought to light vendor risk management and made it a critical issue. “We need to establish trust with all our vendors because vendor risk management is so much more critical now than it was in 2010.”

The last decade, said Ryder, saw “vulnerabilities earning names.” The most notorious of those names were Heartbleed (2014), Meltdown and Spectre (2018), and EternalBlue (2017).

Impact

Taking the decade of malware, data breaches, and vulnerabilities into account, Ryder considered the impact it has had and what has changed as a result. Interest in and awareness of cybersecurity are perhaps the biggest consequences, she said. In the Global Risks Report 2020, cybersecurity featured twice in the list of top 10 global risks: cyber-attacks on infrastructure came in at number five, and cyber-attacks involving theft of money or data came in at number eight.

In the "Global Risks Report 2020," cybersecurity featured twice in the list of top 10 global risks

The past decade has also witnessed evolution in the way that information security professionals do their jobs, with cloud, privacy, and the proliferation of mobile devices responsible for the biggest changes.

On the topic of privacy, Ryder cited privacy regulation as one of the “good things to happen in the past decade.” Privacy regulation, she said, referencing GDPR and the CCPA, has been “both significant and positive.”

“I don’t make predictions, but if I did, these are the trends I would expect to see next,” said Ryder, somewhat ironically. “The Internet of Things will go viral, malware will learn by machine, and SCADA will come crashing down,” she predicted.

Checklists and Advice

Ryder compiled a list that she referred to as a “Checklist of the impossible.” It includes advice that she considers sensible, yet admits that she knows is near to impossible to follow:

  • Stay patched.
  • Don’t click on (suspicious) links.
  • Never open untrusted email attachments.
  • Do not download from untrusted websites.

The following checklist items, she said, are “less impossible” to follow:

  • Avoid inserting unknown USBs.
  • Use VPN over public Wi-Fi.
  • Back up your data.

In light of how difficult this checklist might be, Ryder has formed another list of advice, which she considers “simplified advice that is essential for all new users that you are on-boarding”:

  • If you see something, say something (trust your instincts and report anything that seems worrying or out of the ordinary).
  • Use what I gave you (don’t sign up for or download anything unauthorized).
  • Customer data is off limits.
  • If you don’t understand why I’m creating this friction for you, ask me (I can rationalize or explain why certain rules are in place).

Ryder referred to the “infinite bag of risk” that she and her peers face. It can feel overwhelming, and it can seem insurmountable, but “the key is not to try and boil the ocean,” she advised. “You have to start somewhere, so work out what normal looks like and bring in a red team to test your security.”

“Recognize the burden that you are facing and bound your efforts,” and finally, she concluded, “lean on our community to share concerns, worries, and advice at events like these.”

Source: Information Security Magazine

#RSAC: Realize the Harms and Benefits of Technology and Create Policies to Enable the Public

Speaking at the Cloud Security Alliance (CSA) summit at the RSA Conference in San Francisco, Alex Stamos, adjunct professor at Stanford University's Freeman-Spogli Institute, said that issues and decisions made by technology companies have angered people.

Stamos, who previously served as CISO of both Facebook and Yahoo, said that once he stepped out of those roles and “out of constant emergencies” he could see the bigger picture.

He said that “tradeoffs from a policy perspective are poorly understood by the public and usually go back to the engineering adage of do you want it done correctly, cheaply, or quickly—pick 1 of 3.” Stamos said that this is a basic problem of society, as people say that they don’t want companies looking at their data, but to stop bad things happening you need to see bad things. “Politicians say companies have to find the bad guys, but you cannot have two things.”

Another issue Stamos highlighted is the balance technology companies must strike in “solving societal ills,” as he pointed out that technology companies provide platforms while “every bad thing [that] happened [was] done by people.”

He said that companies have to “embrace transparency and make decisions in a transparent manner.” However, the line has to be drawn around bullying and harassment, as “nothing has changed since the last election.”

Stamos said that Google, Facebook, and Twitter came up with policies on political advertising “in closed rooms with no transparency,” and these will be the rules that the 2020 election will be fought on.

He recommended that the tech industry adopt a regulatory framework similar to what Germany did regarding what speech is allowed online, but should consider how this can be adopted by countries with reduced democratic freedoms. “Or you end up with tech companies who are happy if they get regulated if they can make money, as most people who use the internet don’t live in democracies, or if they do, it is with reduced free speech.”

Stamos concluded by saying that we “have to realize that technology has made changes in good and bad ways” and take responsibility for that.

Source: Information Security Magazine

#RSAC: Make Security a Business and a Technical Issue

Security is both a business and a technical issue, especially as businesses become more digital and have technical controls embedded into software.

Speaking at the Cloud Security Alliance (CSA) summit at the RSA Conference in San Francisco, Phil Venables, board director and a senior advisor for risk and cybersecurity at Goldman Sachs Bank, said that to treat cybersecurity as just a business issue is important, but “to say it is not also a technology issue is a disservice” to those digital businesses.

Venables said there are three ways that cyber can be a business risk:

Enterprise Integration — Make this part of the fabric of business decision making.

  • Embed risk considerations into the enterprise governance apparatus.
  • Conduct risk assessments and establish a risk appetite.
  • Relentlessly integrate risk considerations into all business processes: strategic, capital, people, product.

Technology Integration — Make this a core part of how technology is built and operated, and secure products, not just security products.

  • Recognize that basic and relentless controls, hygiene/operational discipline are essential.
  • Embed automation/iterative improvement into the heart of tech delivery. Continuously monitor control effectiveness, presence, and operation.
  • Strive for ambient controls—in preference to expecting employees/customers to be a significant line of defense.

Venables recommended embedding security into your processes, using standards like those created by the CSA, and creating an environment of products that “are not jammed in after the fact.” He said: “Think about embedding control across the life cycle.”

Resilience and Recovery — Plan for failure and constantly exercise and drill.

  • Detect early, respond decisively, formalize accountability, and test constantly.
  • Limit the blast radius of potential events through business and technology process adjustment.
  • Integrate cybersecurity incident response with operational resilience.

Venables said organizations should consider how to maximize their response efforts. “Treating security as a first-class risk is about doing the simple things that have to be exercised relentlessly over many years,” he said, adding that security is “not a project that finishes anytime soon” but is a perpetual part of the business DNA.

Looking forward, Venables said there are five areas of focus:

  1. Software security and reliability
  2. Usable security and ambient control
  3. Continuous assurance—continuous monitoring—provable security
  4. Operational resilience
  5. Adjacent benefits

He concluded by saying that as many organizations and customers become accidental software developers, we “need to make sure security is baked in.” He said that as users are enabled with tools and controls to increase software reliability, the user experience has to be considered, as it is a part of the supply chain.

Source: Information Security Magazine

Case Dropped Against Coalfire Pen Testers Accused of Burglary

Two employees of cybersecurity firm Coalfire who were arrested for an alleged burglary of an Iowa courthouse have had all charges against them dismissed. 

Gary Edward Demercurio, of Seattle, Wash., and Justin Lawson Wynn, of Naples, Fla., were arrested in September 2019 after being found inside the Dallas County Courthouse in possession of burglary tools. 

The two Colorado company employees were mistaken for criminals while conducting what a Coalfire spokesperson described as "a standard penetration test to protect Iowa citizens" for their client, the State of Iowa, on September 11.

Demercurio and Wynn, who were 43 and 29, respectively, at the time of the arrest, were both charged with felony burglary and the possession of burglary tools, which could have seen them jailed for a total of seven years each. 

Following discussions between representatives of Coalfire, the Dallas County Sheriff, and the Dallas County Attorney, the Dallas County Attorney decided to dismiss trespass charges against the duo.

Senior security consultant Wynn said: "It was a red team engagement with physical penetration included as part of it. It wasn't the first physical breach that we did during that assessment. There were multiple facilities that we had already assessed, and it was the last one that we were coming around to. 

"They specifically requested that they wanted 'after hours' testing at these locations. The client said they wanted to see how their facilities could be breached and what the security vulnerabilities are that we're working with."

Demercurio said: "The original arrest was supposed to be for trespassing but that changed to felony burglary. From that point, we were arrested and taken to jail. We were there for about 24 hours."

Wynn said that bail was set at $50,000 each for both him and Demercurio after the local prosecutor deemed them "a flight risk." The standard rate at which bail is set in Iowa is $5,000 per person. 

Coalfire CEO Tom McAndrew said: "We are pleased that all charges are dropped in the Iowa incident. With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement.

"We’re grateful to the global security community for their support throughout this experience."

Source: Information Security Magazine

FBI Arrests Man on Political Cyber-attack Charges

America's Federal Bureau of Investigation has arrested a man on suspicion of cyber-attacking the political rival of a former US congresswoman.

Arthur Jan Dam was arrested by the FBI on Friday. The 32-year-old is accused of masterminding a series of DDoS (distributed denial-of-service) attacks that targeted an opponent of former congresswoman Katie Hill.

Dam is suspected of causing four DDoS attacks to hit the websites of Hill's rival in April and May of 2018. As a result of the attacks, the victim's website was down for approximately 21 hours, causing financial losses of $5,000. 

The victim believes that the attacks were partly to blame for a political loss sustained in the June 2018 Democratic primary for California’s 25th congressional district.

According to the complaint, "The victim reported suffering losses, including website downtime, a reduction in campaign donations, and time spent by campaign staff and others conducting critical incident response."

An investigation by the FBI found that the cyber-attacks originated from a single Amazon Web Services (AWS) account controlled by Dam, whose wife, Kelsey O'Hara, worked for one of Hill's rivals. Geolocation revealed that the attacks were launched from Dam's residence and also from his workplace.

The complaint states: "Dam was found to be connected to the cyber-attacks through subscriber information, IP addresses, geolocation history, and open sources, including through his employer and his wife, K.O., who worked for one of the victim's opponents."

According to The Intercept, Dam provided $500 of free cybersecurity consulting services and graphic design to Hill's campaign in 2018; however, no evidence was found by the FBI that linked Hill personally to the cyber-attacks.

The websites of Jess Phoenix and Bryan Caforio—two of Hill's Democratic party opponents—were struck with cyber-attacks in 2018, one of which was timed to coincide with a pivotal debate on April 28. Over the same period, no attacks against Hill's website were reported.

In a statement released on Friday, Paul Delacourt, assistant director of the FBI’s Los Angeles Field Office, said: "Today’s arrest shows the FBI’s commitment to hold accountable anyone who interferes with an American’s right to vote or who deprives a candidate the right to compete fairly in an election."

Source: Information Security Magazine

UW Medicine Facing Breach Lawsuit

The University of Washington School of Medicine is facing a class-action lawsuit over a data breach that impacted 974,000 patients. 

Plaintiffs claim UW Medicine failed to "properly secure and safeguard" patients' personal health information (PHI), resulting in the exposure of data that included patient names, medical record numbers, and other healthcare data.

Earlier this month, UW Medicine reported that a misconfigured server had resulted in patient data being exposed online for a three-week period. The breach was identified when a patient came across a file containing their own PHI during a routine Google search and reported it to UW Medicine.

After an internal investigation into the incident, UW Medicine found that an employee error had left a database containing patient data exposed from December 4 to December 6, 2018. 

"Because Google had saved some of the files before December 26, 2018, UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results," officials said at the time. "All saved files were completely removed from Google’s servers by January 10, 2019."

UW Medicine said that the compromised data did not include financial information or Social Security numbers. Data that was exposed included details regarding what tests patients had undergone. 

Judging from the wording of the complaint filed in King County Superior Court, the plaintiffs aren't certain exactly what information was exposed in the breach. Among other things, the plaintiffs are seeking an order that will require UW Medicine to "fully and accurately disclose the precise nature of data that has been compromised." 

Plaintiffs also want UW Medicine "to adopt reasonably sufficient security practices and safeguards" to prevent any further breaches from occurring in the future. 

In 2015, UW Medicine agreed to take corrective action and pay the Department of Health and Human Services $750,000 following a 2013 breach, which exposed 90,000 patient records. The healthcare provider said the incident was the result of a malware infection. 

An audit of UW Medicine conducted at the time by the Office of Civil Rights found that the healthcare provider did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.

Source: Information Security Magazine

Tech Industry is the Least Secure Industry, Say Hackers

New research from HackerOne has revealed that hackers believe the technology industry is the least secure industry.

The pen test and bug bounty platform collected data from over 3150 individuals who have successfully reported one or more valid security vulnerabilities on HackerOne, compiling its findings into The 2020 Hacker Report. Of those polled, 18% said that the technology industry has the furthest to go to improve its cybersecurity, followed by government (16%) and finance (14%).

Interestingly, and despite the UK ICO recently publishing its intentions to hand out huge GDPR fines to high profile organizations within the travel and hospitality sector following data breaches, the research found that only 1% of hackers think the travel and hospitality industry has the most to do to improve its data security posture.

HackerOne also revealed that ethical hackers are increasingly treating hacking for good as a career option. According to the report, more than 50 hackers earned over $100,000 (£77,000) in 2019 from bug bounties, whilst the hacker community has doubled in size in the last year to more than 600,000 – representing 850 hackers registering every day in 2019.

“Hackers represent a global force for good, coming together to help address the growing security needs of our increasingly interconnected society,” said HackerOne CEO Marten Mickos. “The community welcomes all who enjoy the intellectual challenge to creatively overcome limitations. Their reasons for hacking may vary, but the results are consistently impressing the growing ranks of organizations embracing hackers through crowdsourced security — leaving us all a lot safer than before.”

Source: Information Security Magazine

Google Pulls 600 Apps from Play Store

Google has removed almost 600 Android apps from its Play Store for violating its policy on disruptive advertising.

The tech giant has not only removed the titles from the Android marketplace but also banned them from Google AdMob and Ad Manager, meaning their developers will not be able to monetize them on its platforms.

The disruptive ad practices highlighted by Google included “out of context” advertising, which pops up when the user isn’t even logged into a specific app.

“This is an invasive maneuver that results in poor user experiences that often disrupt key device functions and this approach can lead to unintentional ad clicks that waste advertiser spend,” argued Per Bjorke, senior product manager for Ad Traffic Quality.

“For example, imagine being unexpectedly served a full-screen ad when you attempt to make a phone call, unlock your phone, or while using your favorite map app’s turn-by-turn navigation.”

Bjorke explained that Google had developed machine learning functionality to help detect such “out of context” ads, which led to this enforcement action.

“Mobile ad fraud is an industry-wide challenge that can appear in many different forms with a variety of methods, and it has the potential to harm users, advertisers and publishers,” he added.

Google is also getting better at finding and removing apps on its Play Store that contain malware. Last year, it claimed to have increased rejected app submissions by over 55% and app suspensions by more than 66% in 2018.

That doesn’t stop the black hats trying, however: malicious apps still make their way onto the platform and sometimes are downloaded millions of times before being blocked.

In June last year, adware was found in 238 apps on the Play Store, installed by an estimated 440 million Android users.

However, downloading apps from the official marketplace is still the recommended option: last year, Android malware dubbed “Agent Smith” was downloaded over 25 million times from a popular third-party store.

Source: Information Security Magazine