What I learned about risk on my summer vacation

Aug 29, 2017 | 11 mins
Risk Management, Security

10 homework assignments CSOs can give their teams to keep their bosses safe (and stay out of the principal's office!)

Time to get back to school!

Now that everybody is swapping stories about what they did on their summer vacations, it is a fitting time to review some of the top issues CSOs are most likely to face in the coming months. Much of this may seem old hat to veteran security leaders, but a refresher course never hurts. In Part One of a two-part series on “Getting Back to Basics,” let’s look at five issues that make this season’s Honor Roll for trouble-making in the corporate halls.

1. CEO Fraud

Email phishing is on the rise, and nowhere more persistently than in attacks aimed at the corner office.

The FBI’s Internet Crime Center recently reported that “fraud” at the C-suite level resulted in more than $200 million in losses in 2016 alone!

CEO fraud is most often linked with email scams in which attackers trick staff into believing that a senior executive is contacting them for some bit of controlled information (a file, password, account name or client list). The results always lead to illegal access to funds and a file transfer of some kind, compromising the Big Boss and costing thousands, if not millions, in lost capital or assets.

With more than $2 billion in total losses reported over the last three years, according to the FBI, the challenge with this growing problem is that these attacks are very specific, limited in volume, and often slip in under the watchful eyes of regular filtering systems. To combat the problem, the watchword is “vigilance,” according to Ron Levy, Senior Litigation Lawyer and Partner at De Grandpré Chait: “To guard against fraud, it is crucial to understand the level of sophistication involved and immediately take steps to ensure that processes designed to protect you are put in place,” writes Levy. CEOs must have their filters configured to read the “To” address fields and quarantine any email with an unknown or dubious address string (even if it contains the name of someone known to them). On the other side of the desk, employees should understand their role in preventing phishing campaigns, keep all updates, filters, anti-malware and other security controls current, and, if they do get a note from the Boss, verify that it came from the corner office upstairs and not from some corner of Botswana.
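The filter rule described above, as an added illustration that is not code from the article: a gateway-style check over the sender headers of each inbound message that quarantines mail whose display name matches a known executive but whose address is not that executive's real one, whose Reply-To would divert replies off the company domain, or whose sender domain is one character away from a trusted domain. The executive directory, trusted domain and sample headers are all constructed for the example.

```python
# Added example (not from the article): quarantine inbound mail that carries a
# known executive's name on an address that is not the executive's, diverts
# replies off-domain, or comes from a lookalike domain.
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: executive display names and their one legitimate address.
EXECUTIVES = {
    "pat smith": "pat.smith@example.com",
    "lee jones": "lee.jones@example.com",
}
TRUSTED_DOMAINS = {"example.com"}  # constructed; the real list comes from the org


def normalize_name(name):
    """Lower-case, drop punctuation and collapse spaces so 'Pat  Smith.' == 'pat smith'."""
    return " ".join(name.lower().replace(".", " ").replace(",", " ").split())


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def classify(raw_message):
    """Return ("quarantine", reason) or ("deliver", "") for one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = domain_of(addr)

    # Rule 1: a trusted name on an untrusted address (display-name impersonation).
    key = normalize_name(name)
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        return "quarantine", f"display name {name!r} is an executive but sender is {addr}"

    # Rule 2: the sender looks internal but replies would go somewhere else.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and sender_domain in TRUSTED_DOMAINS and domain_of(reply_to) not in TRUSTED_DOMAINS:
        return "quarantine", f"Reply-To {reply_to} diverts replies off-domain"

    # Rule 3: the sender domain is one character away from a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if sender_domain != trusted and edit_distance(sender_domain, trusted) <= 1:
            return "quarantine", f"sender domain {sender_domain} looks like {trusted}"

    return "deliver", ""


# Constructed sample messages (headers plus a short body), not real traffic.
SAMPLES = {
    "genuine": 'From: "Pat Smith" <pat.smith@example.com>\nSubject: Q3 numbers\n\nSee attached.\n',
    "spoofed_name": 'From: "Pat Smith" <patsmith.ceo@freemail.example>\nSubject: urgent wire\n\nCall me.\n',
    "reply_diversion": 'From: "Pat Smith" <pat.smith@example.com>\nReply-To: desk@freemail.example\nSubject: invoice\n\n',
    "lookalike": 'From: "Accounts" <billing@examp1e.com>\nSubject: overdue\n\n',
    "vendor": 'From: "Vendor Sales" <sales@vendor.example>\nSubject: catalogue\n\n',
}


def run_samples():
    """Verdict per sample label; used by the stand-alone run below."""
    return {label: classify(raw)[0] for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, reason = classify(raw)
        print(f"{label:16} {verdict:10} {reason}")
```

The three rules are deliberately simple string checks on parsed headers, which is what a gateway can evaluate before any content scanning; in production the executive directory and trusted-domain list would be fed from the identity system rather than hard-coded.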

2. Mobile device security

According to Forbes’ “Untethered Executive,” 90 percent of business leaders use a smartphone every day, and tablets are replacing traditional office workstation PCs and laptops faster than the market can supply them. Executives not only use mobile devices for work during business hours; the devices have become their “office/home/business away from everything else” mode of communication.

Because executives hold the fabled “keys to the kingdom,” they are especially likely to be targeted for fraud and “… in the middle” types of attacks on their respective infrastructures. Here are a few things executives can do immediately to improve risk management at their level:

  • Routine device assessment: What is being used, and how? For example, are you running the current version of the software on your Android device? Is your iPhone encrypted? Do you use an RSA token when establishing a link into the corporate network?
  • Regular executive updates: Mike Tierney, in a recent Dark Reading article, emphasizes that “no one possesses more sensitive information than upper management.” But what does the senior management team know about “Risk” and how it affects them in their day-to-day operations? For example, is there a resource in the organization that can provide regular updates and current news about security issues that directly or indirectly affect the business, its market, its operations and its clients? This could be anything from daily briefings on natural disasters to updates on the latest security breach, depending on the level of “risk” that needs to be articulated to the executive staff. In its “Global Cyber Executive Briefing,” Deloitte makes the important point, “Every organization has valuable data to lose.”
  • Securing wireless access points: Who has access to the Jewels, for how long, and why? Something as simple as making sure the SSID feature is used correctly in the “wireless network” settings can be an extra precaution to secure wireless access. Here are nine easy steps to share with the boss (and his family) on how to secure wireless access points.
  • Dedicated resources are inevitable: Who “manages” the management? Is there a designated “key management support” role on your staff? Many organizations are implementing a two-person back-up and access redundancy, which provides the additional value of sharing the trust (as well as the accountability for what is being “trusted”). While executives are good at being “executives,” it doesn’t hurt to bring in an SME or two to keep things safe while the bosses are away, writes Ricoh Danielson: “Work to create a culture that allows others to work together in the interest of security.”
  • Upgrade legacy systems (“We know you like your Palm, but…”): Advancements in technology need to make sense for everybody in the organization, including the C-Suite. Moving off outdated applications and systems to newer tech is often fraught with complexity, but it is essential to keep the costs of management/maintenance (and security) in check. Here’s a five-step process offered by Samsung to help keep the peace during a legacy migration. If the policy is meant to keep the business safe at all levels, then the Boss will have to surrender that old Galaxy Note for the new version (as long as it’s part of a defined migration strategy). Vendors such as Lookout do a pretty good job of providing an added layer of security for mobile devices.

3. Remote and travel Wi-Fi risks

When defending the business environment and protecting sensitive information, business operations must run seamlessly and consistently, based on a set of frameworks, policies and mandates articulated by the organization, and remote access must be treated as a privilege from every point in the organization. Symantec suggests a good offense starts with a good defense.

For contingency, business continuity and DLP purposes, key decision makers from across the organization must work in concert and agree on a forced (and fixed) set of parameters for operating in remote computing conditions, and should address the following key elements to maintain vigilance over corporate assets:

  • Mobility: Mobile computing has become the new standard for organizations as well as individuals. With Gartner reporting that more than $100 billion will be spent on IT security by next year, the flexibility in what can be used as a “remote device,” and whether the range of acceptable devices can be “hardened” by the organization (to meet GRC / ISMS / Security Mandate requirements), can become a major investment for an organization of any size.
  • Connectivity: Executives often require a higher degree of accessibility, as well as flexibility in communicating with corporate assets. Execs must remain productive and reachable by colleagues and clients with more flexibility than their subordinates. Because of the speed at which “business” is now conducted from day to day, IT infrastructures must maintain even greater vigilance (while maintaining a sense of decorum), as business executives are required to do more “from the road” than from the office. Keeping sensitive information from being exposed to unprotected environments is an important element in balancing “accessibility” with protecting critical assets.
  • Accessibility: It’s often about “risk appetite” and “risk tolerance.” Who has access is important, but “what is being accessed, and why?” can be mission-critical to the long-term success (or failure) of a business and its executive team. Maintaining a predetermined set of operating guidelines for which part of the organization is accessed, by whom, for how long, and from which devices and locations can mean the difference between a compromise and a catastrophic failure.

4. Social media precautions for executives

Social media risks associated with Facebook, Twitter and LinkedIn can create greater headaches for CSOs and their teams, despite offering fast and convenient ways to stay in touch with friends and family while working from controlled devices. With over two billion active users monthly, Facebook is the largest social media platform on the web. Companies can set up groups for employees, allowing messages to reach all members simultaneously. Individuals can broadcast information from the mundane to the profound, and many keep a steady stream of Facebook postings and tweets, creating a following that can number in the millions (usually for actors and media personalities).

Sharing information is a social norm, but oversharing creates its own dangers, in particular for executives. By identifying their senior role in a company or organization, executives may be singled out for exploitation by attackers looking to gain a foothold in a corporate information network. For example, many corporate IT systems use “lost password” reset questions to save money on tedious help desk calls that can be resolved automatically. But if the answer to “What is the name of your favorite pet?” is readily available in your Facebook profile, then regardless of the complexity of your password, you’ve lost control of your account.

In addition, when you or family members post vacation plans, photos or narratives, anyone who can see the postings can usually assess whether your home is ripe for burglary or whether your staff expects you to be out of touch, and the posts give a plausible explanation for why “you” are contacting corporate from an unusual email address or phone number.

5. The rise of ransomware & bitcoin

Ransomware is an attack in which criminals encrypt a victim’s files and then send a demand for payment to obtain the decryption key. The FBI estimates that over one billion dollars in extortion payments were made last year, which has only encouraged the proliferation of these digital weapons, usually operated from locations out of reach of U.S. law enforcement. Not every instance of ransomware is the same; there have been dozens of new variants in the last three years. Some encrypt only files on a victim’s hard drive; others are designed to spread throughout the corporate network, encrypting everything in their path.

Many ransomware payments are denominated in a cryptocurrency called “Bitcoin,” which is a form of currency taking the C-suite by storm, according to National Security Corporation President and SANS Instructor, G. Mark Hardy: “Bitcoin is a distributed ledger maintained by software that uses encryption to protect prior entries from alteration, while creating an interface to add new transactions,” he writes. “Because of its relative untraceability, Bitcoin has become an anonymous payment mechanism of choice for criminals, even though it has many legitimate uses. Ransom is often due in 24 or 48 hours before it goes up or the key is destroyed forever. Thus, having a member of your team know how to purchase Bitcoin (or holding some as a contingency) is a prudent precaution.”

Ransomware often arrives as an email attachment or as a clickable link in a message that takes the victim to an infected website. Sometimes legitimate websites are infected with tools called exploit kits, which are silently downloaded while the user looks at the “normal” page. These kits look for unpatched vulnerabilities or out-of-date software that allow the attackers to install malware, which can then search for sensitive files and begin the encryption process.

Infected attachments usually require the user to take an additional action such as “open this file,” “enable macros,” or “enable content.” Legitimate correspondence rarely requires this, but many people click through without thinking because they have not been sensitized to what these files can do. Emails that appear to come from known correspondents raise less suspicion; thus some attack tools harvest a victim’s email contacts to spread their malicious content.
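Because the "enable macros" prompt is the tell, one defensive control is to hold any attachment that can actually run macros before it reaches the inbox. The following is an added example (not code from the article): it builds a constructed sample message carrying a plain .docx, a .docx that hides a VBA project, a PDF and a .docm, and triages each attachment by extension and, for OOXML files, by looking inside the zip container for the vbaProject.bin part. The verdict labels, sample addresses and the minimal zip layout are assumptions made for the illustration.

```python
# Added example (not from the article): flag email attachments that can carry
# macros, so the "enable content" decision never reaches the user.
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that are macro-enabled by definition, legacy binary formats that
# may contain macros, and OOXML formats that should contain none.
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}
OOXML = {".docx", ".xlsx", ".pptx"}


def has_vba_part(data):
    """An OOXML file is a zip; a vbaProject.bin part means it contains VBA."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return (verdict, reason); verdict labels are an assumption of this example."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_ENABLED:
        return "hold", "macro-enabled Office format"
    if ext in OOXML and has_vba_part(data):
        return "hold", "VBA project inside a file that should have none"
    if ext in LEGACY_OFFICE:
        return "review", "legacy binary Office format may carry macros"
    return "pass", ""


def triage_message(raw_bytes):
    """Triage every attachment of one raw message; returns (name, verdict, reason) tuples."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name,) + triage_attachment(name, part.get_payload(decode=True)))
    return results


def build_ooxml(with_vba):
    """Constructed minimal zip that mimics an OOXML document, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


def build_sample_message():
    """Constructed sample message with four attachments; addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "invoices@vendor.example"
    m["To"] = "ceo@example.com"
    m["Subject"] = "Invoice attached"
    m.set_content("Please open the attached invoice and enable content.")
    m.add_attachment(build_ooxml(False), maintype="application",
                     subtype="octet-stream", filename="invoice.docx")
    m.add_attachment(build_ooxml(True), maintype="application",
                     subtype="octet-stream", filename="invoice_final.docx")
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="receipt.pdf")
    m.add_attachment(build_ooxml(True), maintype="application",
                     subtype="octet-stream", filename="quote.docm")
    return m.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in triage_message(build_sample_message()):
        print(f"{name:20} {verdict:8} {reason}")
```

The zip inspection matters more than the extension check: renaming a .docm to .docx does not remove the vbaProject.bin part, so the second .docx in the sample is held even though its name looks harmless. Legacy .doc/.xls files use a different container, so the example only marks them for review rather than parsing them.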

Hardy suggests that paying ransom is not a matter of principle, “it’s a matter of operational effectiveness.” If an enterprise does not have regular, complete backups, it faces the prospect of extended downtime that may cost many thousands per hour, compared with a payment of several hundred and the (unproven) promise of getting files back. Although attackers often deliver, not all do. Discuss with your legal team now the ramifications of paying or negotiating a ransom, and whether any reporting or shareholder disclosures are required. Ransomware is unlikely to vanish in the near future; treat it as an ongoing threat that requires predetermined courses of action to allow a fast response.

Next time we’ll round out the “Top 10” with a closer look at the latest trends in whaling and email threats, doing “homework,” and how to destroy files (yes, seriously!).

It’s been a busy summer.


U.S. Navy Veteran Drew Williams has a core philosophy about life and work: "Keep busy, stay engaged, and always be productive." Whether as a writer, video producer, lecturer or educator, Drew has been involved in information risk management since the mid-80s. He has developed and published Information Security standards and guidelines.

During the late 1990s, Drew contributed to re-tooling security policies for some of the largest financial institutions in the world, and worked on early adoption of GRC standards and frameworks (SOX, ITIL, ISO27799, CObIT). An original contributor to the HIPAA Security Policy (1995-1996), Drew wrote one of the early security policy guides, "HIPAA Code Blue."

As former product manager for what was the world's top Host Intrusion Detection System (AXENT/Intruder Alert), Drew also contributed to IT security initiatives (IETF / NIST), and worked with MITRE to build the Common Vulnerabilities Enumeration (CVE) framework. Drew served on the President's Council on Critical Infrastructure Security (precursor to DHS), and worked on the NIST's "Common Criteria" directives.

Drew co-authored some of the industry’s first Incident Response & Information Security Risk Assessment Services while head of the SWAT Team at AXENT/Symantec (1997-2002), and from 2006 to 2011, Drew hosted Asia's "Hacker Halted" security symposium.

As founder of Condition Zebra (2011) Drew developed information security readiness programs & mission-critical risk assessments for ministries of defense throughout Asia. He also co-developed post-graduate programs on cybersecurity at Utah Valley University and Southern Utah University, the latter where he also serves as a member of the faculty in the Graduate Program.

Drew also initiated the first "Gold" funding opportunities for the annual Black Hat Briefings in Las Vegas in 2000. A former speaker at CSI/FBI and N+i events during the 1990s-2000s, Drew is also a member of the “Founder’s Circle” at the annual RSA Security Conference, has been a contributing source in broadcast media, including MSNBC, CNN, and NPR, and has been featured in USA Today, The Washington Post and publications throughout the US and Europe.

The opinions expressed in this blog are those of Drew Williams and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.