CISO do’s and don’ts: Lessons learned

Keeping a business safe from cyber threats while allowing it to thrive is every CISO’s goal.

The task is not easy: a CISO has to keep many balls in the air while being buffeted by an increasingly complex and always shifting threat landscape. Consequently, the importance of a good CISO should not be underestimated.

CISO lessons learned

Mistakes to avoid, practices to implement

Francesco Cipollone, CISO and director at UK-based cybersecurity consultancy NSC42, says that he has seen his fair share of CISOs who believe they know it all, who focus on only one specific aspect of cybersecurity, who keep the security team segregated from the engineering team and the rest of the organization, and who don’t empathize with the business side.

No CISO is infallible, he says – the important thing is to fail fast and to recover even faster.

Also, the CISO and the security team need to understand that the organization is there to deliver products and services as fast as possible, and they must find a way to make their work easier while, at the same time, keeping the business safe.

The goal to shoot for is a happy medium between a secure product and acceptable time frames. Also: bring the Sec into DevOps by introducing pragmatic security as soon as possible in the lifecycle of an application.

Nobody likes to be told “No”

“As a security professional, I learned quickly to stop saying ‘No’ and started replying with options. That is one of my key pieces of advice to CISOs,” Cipollone advises.

At the same time, a CISO should find a way to not get frustrated if the board of directors keeps saying “No”.

“As security professionals we are tasked to ensure the company is protected to the best of our ability. If those abilities are undermined or limited, we need to communicate this sufficiently well to the board so that they are aware of the risks they are taking by saying ‘no’ to some things. Ultimately, they are accountable to the shareholders for the performance and security of an organization,” he explains.

Finding a way to get your security message across to the board and the business’s leaders is a must: the message must be clear, it must appeal to their emotions, and must clearly quantify each security risk.

“The best way I’ve managed to make the case for specific security improvements has been to relate them to financial loss. The simple formula is: how many applications could an attack potentially take down? Estimate a likely time span. How much does an application generate? And then present to the board how much you can save, in terms of hours lost and money, by displaying how much a security control would protect the total value of the application,” he explains.

“In order to calculate the total monetary loss for a day, aggregate the loss factor of each application. This leads the board to consider business risk (money) against security risk (also money), and effectively allows them to compare apples to apples.”

But sometimes logic and numbers are not the best strategy to the board’s heart.

“Sometimes security professionals need to be clever and play with the board’s emotions by using the media. If a CISO is struggling to get funding for a specific improvement, they should consider using the industry/global news stream and identify key news that could help them make the case. The communication team and marketing team are, generally speaking, their best friend and allies in this,” he says.

CISOs should also use business storytelling and analogies when making the case for a specific control or security improvement program. An expert communication team can help proofread the pitch and simplify the case they are trying to make.

They should always be prepared with information about the cost and the latest statistics. “Data is king. Hard facts are difficult to argue with, while opinions are always personal, and hence, debatable,” he points out.

He’s also not averse to advising CISOs to quit if they can’t find a common language with the board and key stakeholders. A constantly failing collaboration is not good for the company or for the appointed CISO.

Leadership lessons

As noted before, business empathy and strong communication skills are a must. But CISOs also have to have empathy when dealing with the engineering side.

Regardless of the country in which the company operates and the product it develops, every company is an engineering and data company these days, so the CISO role needs to be close to the engineers, Cipollone opines.

“In the USA I’ve seen CISOs positioned closer to the engineering mindset and to products and delivery. Despite the fact that third-party management and governance are an important role of the CISO, a USA-centered CISO is generally more affected by engineering problems,” he told Help Net Security.

“Some organizations in countries across Europe might be driven more by regulation and by etiquette, so the CISO needs to be closer to vendor management and governance rather than the product side.”

Other key leadership lessons he has learned during his career include:

  • Mentoring – key to forming the next generation of information security professionals
  • Open-source collaboration – helps drive the next generation of products and helps shape the industry
  • Collaboration – the closer the collaboration is with similar industry partners, the more reliable the information is.

Taking care of your team

It’s no secret that security teams are overworked. They are expected to keep a constant, watchful eye over everything that’s happening in an organization and to know everything there is to know about security. That’s a lot of pressure to put on an individual and on a team.

To alleviate it, Cipollone advises maintaining a dynamic, ever-expanding and contracting team.

“We need to consistently add new members to the team from another part of the organization or by using graduate schemes or mentorships. We have to promote cultural and gender diversity and open-mindedness. This enables the team to keep a critical mindset and maintain a fresh view on security problems,” he says.

At the same time, team members must be enabled to focus and relax: team building activities, research and industry-wide gatherings should be used and encouraged.

“We need to keep security teams interested by encouraging research (during work hours) and participation in industry events like Cloud Security Alliance, OWASP, ISSA meetups,” he advises.

“We should also encourage giving back. Speaking at conferences and meetups will allow this, and participating in these events helps the team keep up-to-date on the situation in the industry without expensive training. It also allows the team to be ‘injected’ with new ideas.”

from Help Net Security – News

Threat visibility is imperative, but it’s even more essential to act

Cyberthreats are escalating faster than many organizations can identify, block and mitigate them. Visibility into the expanding threat landscape is imperative, but according to a new threat report released by CenturyLink, it is even more essential to act.

“As companies focus on digital innovation, they are entering a world of unprecedented threat and risk,” said Mike Benjamin, head of CenturyLink’s threat research and operations division, Black Lotus Labs.

“Threats continue to evolve, as do bad actors. Well-financed nation-states and focused criminal groups have replaced the lone-wolf troublemaker and less sophisticated attackers motivated by chatroom fame. Thankfully, through our actionable insights, we can defend our network and those of our customers against these evolving threats.”

These rogue networks of infected computers continue to be successful because of the ease with which they compromise their targets and their ability to be operated remotely and covertly.

Botnets like Necurs, Emotet and TheMoon have demonstrated evolutions in both complexity and resiliency. Malware families like Gafgyt and Mirai are also ongoing concerns given their target of IoT devices.

DNS is often overlooked as a potential attack vector. However, we have seen a rise in DNS-based attacks, such as DNS tunneling. A DNS tunneling attack can be used to encode data in the sub domains of a DNS query or response, allowing unabated network access to extract data, subvert security controls or send arbitrary traffic.
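Detection logic for the tunneling pattern just described, as an added example that is not part of the CenturyLink report: the scorer runs over constructed DNS query log lines and flags parent domains whose subdomain labels are long or high-entropy, or that accumulate an unusually large number of distinct subdomains. The log format, the thresholds and the two-label parent-domain guess are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log lines (assumed format): "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
1568000001 10.0.0.5 A www.example.com
1568000002 10.0.0.5 A mail.example.com
1568000003 10.0.0.7 TXT 3q9v7zx2k1mp0ab8c4d5e6f7g8h9i0j1.k2l3m4n5o6p7.tunnel.example.org
1568000004 10.0.0.7 TXT 9a8b7c6d5e4f3g2h1i0j9k8l7m6n5o4p.q3r2s1t0u9v8.tunnel.example.org
1568000005 10.0.0.7 TXT z1y2x3w4v5u6t7s8r9q0p1o2n3m4l5k6.j7i8h9g0f1e2.tunnel.example.org
1568000006 10.0.0.5 AAAA cdn.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character of s; encoded data in a label scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname, labels=2):
    """Crude registrable-domain guess: the last `labels` labels.
    Assumption: no public-suffix list, so co.uk-style domains are mis-split."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def score_queries(log_text, max_label=30, max_entropy=3.5, max_unique=50):
    """Return {parent_domain: sorted reasons} for domains that look tunneled.

    Thresholds are assumptions and should be tuned against the local baseline;
    CDNs and some security products also produce long encoded labels."""
    unique_subdomains = defaultdict(set)
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole batch
        qname = parts[3].lower()
        parent = parent_domain(qname)
        sub = qname[: -len(parent)].rstrip(".")
        if not sub:
            continue  # bare parent domain, no subdomain to encode data in
        unique_subdomains[parent].add(sub)
        for label in sub.split("."):
            if len(label) > max_label:
                reasons[parent].add("long-label")
            if shannon_entropy(label) > max_entropy:
                reasons[parent].add("high-entropy")
    # Many distinct subdomains under one parent is the signature of data
    # being chunked into successive queries (each chunk needs a fresh name).
    for parent, subs in unique_subdomains.items():
        if len(subs) > max_unique:
            reasons[parent].add("many-unique-subdomains")
    return {d: sorted(r) for d, r in reasons.items()}


if __name__ == "__main__":
    for domain, why in score_queries(SAMPLE_LOG).items():
        print(domain, why)
```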

DDoS attacks continue to cause service delays and take businesses offline. While we observed ongoing progressions in attack sizes, we also detected an increase in burst attacks, lasting a minute or less.

Notably, of the 100 largest attacks in the first half of the year, 89 percent were multi-vector.

Geography: Geographies with growing IT networks and infrastructure continue to be the primary source for cybercriminal activity. The top five countries most under attack in the first half of 2019 were: The United States, China, India, Russia and Vietnam.

While the United States, China and Russia have appeared on the list year-over-year, India and Vietnam are new to the top five. Most C2 attacks in the first half of 2019 targeted the United States, China, Russia, Netherlands and Mexico. Netherlands and Mexico are new additions to the top five.

Four in five businesses need ways to better secure data without slowing innovation

While data loss protection is critical to Zero Trust (ZT), fewer than one in five organizations report their data loss prevention solutions provide transformational benefits and more than 80 percent say they need a better way to secure data without slowing down innovation, according to Code42.

ZT architectures are based on the principle of “trust no one, verify everything,” abolishing the idea of a trusted network within a data security perimeter and requiring companies to create microperimeters of control around sensitive data.

A key benefit of the ZT model is that it mitigates the growing insider threat of employees quitting and taking sensitive data with them.

“Zero Trust does away with the ridiculous notion that data loss prevention is effective in an increasingly mobile and cloud world. It’s impossible for companies to rely solely on prevention when they need employees to be more productive and collaborative,” says Joe Payne, Code42 president and CEO.

“Further, ZT disproves that looking to employees to classify all data as part of a data loss prevention strategy works – it never has.”

Forrester Consulting adds, “If you don’t have a tool or technology that enables protection from data loss, how will your business survive? Data is digital currency; it is imperative to protect it. Everything else in security is tangential to this critical point.”

The study results, based on a survey of more than 200 IT security decision-makers in the U.S., show that companies are using traditional data loss prevention for their ZT strategies, but those legacy DLP solutions simply aren’t enough:

  • 87 percent of companies in the survey are investing in or have invested in data loss prevention as part of their ZT strategies.
  • 66 percent of survey respondents say their data loss prevention solutions frequently block employees from accessing data even if they are within policy.
  • 73 percent report that employees complain of lost productivity and collaboration.
  • 81 percent feel they need a better way to protect sensitive data without slowing down innovation.

“Any organization that is truly engaged in security, and especially in ZT, must move beyond the old and outdated data loss prevention tools that have proven so inefficient and restrictive,” Forrester Consulting reports.

“Doing anything else is a continued practice in failure and will slow the business and increase the likelihood of a security failure as employees work to maneuver around those legacy data loss prevention tools.”

The survey finds that companies need next-generation data loss protection solutions that protect sensitive data without slowing down the pace of innovation. In the next 12 months, organizations are prioritizing as critical the following information/IT security goals and initiatives to the following extent:

  • 52 percent: improve threat detection capabilities.
  • 48 percent: better protect sensitive company and customer data.

Payne concluded, “ZT affirms that all data – sales strategies, marketing campaigns, product prototypes – is important. Organizations need to track its every move because like employees, data never stays in one place.”

Exploitation of IoT devices and Windows SMB attacks continue to escalate

Cybercriminals upped the intensity of IoT and SMB-related attacks in the first half of 2019, according to a new F-Secure report.

The report underscores the threats IoT devices face if not properly secured when online, as well as the continued popularity of EternalBlue and related exploits two years after WannaCry.

F-Secure’s honeypots – decoy servers that are set up to lure in attackers for the purpose of collecting information – measured a twelvefold increase in such events compared to the same period a year ago.

The increase was driven by traffic targeting the Telnet and UPnP protocols, which are used by IoT devices, as well as the SMB protocol, which is used by the Eternal family of exploits to propagate ransomware and banking Trojans.

Telnet traffic accounted for the largest share of traffic for the period, with over 760 million attack events logged, or around 26 percent of traffic. UPnP was the next most frequent, with 611 million attacks. SSH, which is also used to target IoT devices, had 456 million attacks.

Likely sources of this traffic are IoT devices infected with malware such as Mirai, which was also the most common malware family seen by the honeypots. Mirai infects routers, security cameras, and other IoT devices that use factory default credentials.

Traffic to SMB port 445 accounted for 556 million attacks. The high level of SMB traffic is an indication that the Eternal family of exploits, the first of which was used in the devastating WannaCry ransomware outbreak of 2017, is still alive and well, trying to ravage millions of still-unpatched machines.

“Three years after Mirai first appeared, and two years after WannaCry, it shows that we still haven’t solved the problems leveraged in those outbreaks,” said F-Secure Principal Researcher Jarno Niemela.

“The insecurity of the IoT, for one, is only getting more profound, with more and more devices cropping up all the time and then being co-opted into botnets. And the activity on SMB indicates there are still too many machines out there that remain unpatched.”

Other findings from the report include:

  • Countries whose IP spaces played host to the highest numbers of attack sources were China, the US, Russia, and Germany.
  • Countries where the most attacks were directed were the US, Austria, Ukraine, UK, the Netherlands, and Italy.
  • The most common delivery method for ransomware during the period was via remote desktop protocol (RDP) at 31% of cases.
  • The greatest share of Telnet traffic came from the US, Germany, UK and the Netherlands.
  • The greatest share of SMB traffic came from China.

Open source breach and attack simulation tool Infection Monkey gets new features

Guardicore, a leader in internal data center and cloud security, unveiled new capabilities for its Infection Monkey that make it the industry’s first Zero Trust assessment tool.

Added features extend the functionality of the already successful Infection Monkey, a free, open source breach and attack simulation tool used by thousands to demonstrate and analyze their environments against lateral movement and attacks.

The latest version of Infection Monkey enables both enterprise security leaders and network engineers to determine how their environments perform against a Zero Trust security posture on their path to overall Zero Trust adoption.

Infection Monkey now provides security and network infrastructure teams the ability to easily and accurately examine an enterprise’s adherence to key components of the Zero Trust framework as established by Forrester with detailed explanations of security gaps and prescriptive instructions on how to rectify them.

“A concept first developed by Forrester Research nearly a decade ago, the Zero Trust approach to information security is gaining momentum and driving strategic technical alignment and implementations toward a process focused on building security from the inside out,” said Pavel Gurvich, Co-founder and CEO, Guardicore.

“Yet many organizations are still unsure of how to move from theory to deployment and apply the principles of Zero Trust in their environment. Infection Monkey is the first tool of its kind that allows organizations to safely and easily test their environment’s Zero Trust posture and generate specific recommendations to accelerate and enhance Zero Trust adoption and ensure continued adherence.”

Infection Monkey with Zero Trust assessment

Infection Monkey enables cybersecurity and infrastructure architects to operationalize Zero Trust by accurately examining an enterprise’s adherence to the pillars of Zero Trust, including detailed explanations of where the enterprise falls short, and instructions on how to address these shortcomings.

Easy to deploy and run, Infection Monkey tests implementation of the Zero Trust framework by attempting to communicate with machines residing in different segments of the enterprise network, demonstrating policy violations, and generating test results with actionable recommendations for remediation.

With prescriptive reporting that can be easily implemented without any additional staff or education, Infection Monkey offers security leaders the ability to illustrate enterprise Zero Trust posture against the Forrester framework with an easy to understand red, yellow, green color scheme.
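The kind of segmentation check the two paragraphs above describe, as an added example in its own right rather than Infection Monkey’s code: a constructed policy lists the segment-to-segment flows that should be permitted, constructed probe results record which cross-segment connection attempts actually succeeded, and each segment pair is graded red (a flow outside policy succeeded), yellow (a permitted flow was blocked, so either the policy or the path is broken) or green. Segment names, ports and the grading scheme are assumptions.

```python
from collections import namedtuple

# One simulated connection attempt from a machine in `src` to `dst`:`port`.
Probe = namedtuple("Probe", "src dst port reached")

# Constructed policy: the only cross-segment flows segmentation should allow.
ALLOWED = {
    ("web", "app", 8443),
    ("app", "db", 5432),
}

# Constructed probe results, as an agent placed in each segment would report them.
PROBES = [
    Probe("web", "app", 8443, True),    # permitted and working
    Probe("web", "db", 5432, True),     # web tier must never reach the database
    Probe("app", "db", 5432, False),    # permitted but blocked: broken path
    Probe("app", "web", 22, False),     # correctly blocked
    Probe("web", "app", 445, True),     # SMB between segments is not in policy
]

SEVERITY = {"green": 0, "yellow": 1, "red": 2}


def grade_probe(probe, allowed):
    """Grade one probe against the policy; returns (colour, remediation note)."""
    permitted = (probe.src, probe.dst, probe.port) in allowed
    if probe.reached and not permitted:
        return "red", (f"block {probe.src}->{probe.dst}:{probe.port}: "
                       "reachable but not in policy")
    if not probe.reached and permitted:
        return "yellow", (f"permitted flow {probe.src}->{probe.dst}:{probe.port} "
                          "is blocked: fix the policy or the path")
    # reached-and-permitted or blocked-and-not-permitted both match intent
    return "green", ""


def assess(probes, allowed):
    """Return ({(src, dst): colour}, findings), keeping the worst grade per pair."""
    grades = {}
    findings = []
    for p in probes:
        colour, note = grade_probe(p, allowed)
        key = (p.src, p.dst)
        if key not in grades or SEVERITY[colour] > SEVERITY[grades[key]]:
            grades[key] = colour
        if note:
            findings.append((colour, note))
    return grades, findings


if __name__ == "__main__":
    grades, findings = assess(PROBES, ALLOWED)
    for (src, dst), colour in sorted(grades.items()):
        print(f"{src:>4} -> {dst:<4} {colour}")
    for colour, note in findings:
        print(f"[{colour}] {note}")
```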

Like previous versions of Infection Monkey, the latest version runs on bare metal, VMware, other hypervisors, AWS, Azure, Google, and private clouds.

Availability and contributions

Guardicore Infection Monkey source code is currently available from the GitHub repository. Added capabilities for Zero Trust assessment and deployments for the AWS Marketplace, Microsoft Azure Marketplace and Google Cloud Platform Marketplace will be available for download at the end of the quarter.

Infection Monkey is available for Linux, Windows, AWS, Azure, Google Cloud Platform, VMware and Docker environments.

Only one quarter of retail banks have adopted an integrated approach to financial crime systems

Most banks plan to integrate their fraud and financial crime compliance systems and activities in response to new criminal threats and punishing fines, with the U.K. leading the pack, according to a survey by Ovum, on behalf of FICO.

Responses show that U.S. systems are less integrated than Canada’s – only 25 percent of U.S. banks have a common reporting line for both fraud and compliance, versus 60 percent for Canada.

The survey also found that 72% of U.S. banks surveyed have strategic plans for further integration. Worldwide, 71% of banks across the regions surveyed have integration strategies, to either fully integrate functions or share resources where synergies exist, with the U.K. leading the way, followed closely by the U.S.

These goals are driven by considerations both financial and strategic: since the 2008 financial crisis, regulatory fines for the global banking industry for breaches related to compliance or sanctions failures now total more than $28 billion (all figures USD), with some single fines as high as $8.9 billion. However, this regulatory ‘stick’ is only one driver for banks to tackle financial crime — banks also wish to protect their customers and themselves.

“Banks are asking a fundamental question: Is the current approach to tackling financial crime sustainable or should they seek a more integrated approach between fraud and anti-money laundering (AML) compliance?” said TJ Horan, vice president of fraud solutions at FICO.

“U.S. banks are all too familiar with the challenges presented by a disconnected approach, but struggle to manage high workload volumes and ensure detection rates are high.”

Though the world’s banks appear united in their pursuit of integration, FICO’s survey found significant differences between approaches among the ten countries studied.

U.S. banks reported lower levels of integration than their U.K. counterparts in six out of seven areas. Even at their highest levels of integration, data and investigation systems, just over half of U.K. banks said their fraud and financial crime compliance systems were very integrated.

Worldwide, it’s clear the banking industry has only started the process of bringing these functions closer together.

Most respondents received high marks when it came to strategic planning, with most having strategic plans to either fully integrate their functions or share resources where synergies exist.

“Convergence is a hot trend in the fraud and financial crime compliance space,” Horan said. “Overall, our survey shows that banks are moving in this direction, though the U.S. is further behind than most countries surveyed.”

Ovum surveyed over 100 retail banks on their priorities, challenges, and plans for financial crime, looking to assess the maturity of the sector in tackling financial crime, and ambitions towards integration. In addition to the U.S., Canada, and the U.K., respondents came from South Africa, Scandinavia, Germany, and Austria.

Cyber Battle of the Emirates: Training the next generation of cyber security pros

Held annually in Asia, Europe and the Middle East, Hack In The Box conferences bring together the world’s top cyber security experts to share and discuss their latest knowledge, ideas and techniques with security professionals and students.

The next HITB event is HITB+ CyberWeek, which takes place October 12th – 17th at Emirates Palace, Abu Dhabi. As usual, it will offer security trainings, talks, and live challenges.

Cyber Battle of the Emirates

Among the live competitions to be held at the conference is the Cyber Battle of the Emirates (previously known as Cyber Quest), which will witness teams of high school and university students battle it out for the first place in the finals, a spot in the HITB+ CyberWeek PRO CTF contest, and the opportunity to win hefty monetary prizes and a trip to HITB Amsterdam in 2020.

All high school and university students studying across the United Arab Emirates are welcome to apply to enter the Cyber Battle of the Emirates.

After a technical pre-assessment, those chosen to participate were called in to go through a four-day hands-on cyber security training program and have all of September to hone their skills on a custom-built continuous learning platform with a range of cyber exercises developed by Estonian cyber capabilities’ development company BHC Laboratory in collaboration with HITB.

HITB⁺ Cyber Battle of the Emirates finals will take place on October 13th & 14th at HITB+ CyberWeek, to be followed by the HITB+ CyberWeek PRO CTF contest on October 15th, 16th & 17th.
