Time to get back to school!

Now that everybody is getting to swap stories about what they did on their summer vacations, it might be fitting to review some of the top issues CSOs are most likely going to face in the coming months. While much of this may seem old hat to veteran security leaders, it never hurts to get a refresher course. In Part One of a two-part series on "Getting Back to Basics," let's look at five issues that make this season's Honor Roll for trouble-making among the corporate halls.

1. CEO fraud

Email phishing is on the rise, and nowhere more persistently than in attacks on the corner office. The FBI's Internet Crime Center reported recently that "fraud" at the C-suite level has resulted in more than $200 million in losses in 2016 alone.

CEO fraud is most often linked with email scams in which attackers trick staff into thinking they are senior executives, contacting them for some bit of controlled information (such as a file, password, account name or client list). The results always lead to illegal access to funds and a file transfer of some kind, compromising the Big Boss and costing thousands, if not millions, in lost capital or assets.

With more than $2 billion in total lost assets reported over the last three years, according to the FBI, the challenge with this growing problem is that these attacks are very specific and limited, and often slip in under the watchful eyes of regular filter systems. To combat it, the watchword is "vigilance," according to Ron Levy, Senior Litigation Lawyer and Partner at De Grandpré Chait: "To guard against fraud, it is crucial to understand the level of sophistication involved and immediately take steps to ensure that processes designed to protect you are put in place," writes Levy.
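As an added illustration (not code from the article, from Levy, or from any named vendor), the Python triage function below applies the filtering rule the next paragraph sets out: a message that carries a known executive's name but comes from an address that is not that executive's corporate mailbox is quarantined, as is a message whose display name is itself an address that differs from the real sender. The executives, domain and sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed directory for this example: hypothetical executives and domain.
CORPORATE_DOMAIN = "example.com"
KNOWN_EXECUTIVES = {
    "pat morgan": "pat.morgan@example.com",
    "chris lee": "chris.lee@example.com",
}


def _tokens(text):
    """Lower-case alphabetic tokens, so 'Pat Morgan' and 'pat.morgan' compare."""
    return {t for t in re.split(r"[^a-z]+", text.lower()) if t}


def classify_sender(from_header):
    """Return 'deliver', 'quarantine' or 'review' for one From: header value.

    Quarantine when a known executive's name appears (display name or mailbox
    part) but the address is not that executive's real one, or when the
    display name is itself an address that differs from the real sender.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    if "@" in name and name.strip().lower() != addr:
        return "quarantine"  # an address is shown, but mail really comes from elsewhere
    for exec_name, exec_addr in KNOWN_EXECUTIVES.items():
        wanted = _tokens(exec_name)
        if wanted <= _tokens(name) or wanted <= _tokens(local):
            return "deliver" if addr == exec_addr else "quarantine"
    return "deliver" if domain == CORPORATE_DOMAIN else "review"


# Constructed sample headers, as a mail gateway might see them.
SAMPLE_HEADERS = [
    "Pat Morgan <pat.morgan@example.com>",             # genuine executive
    "Pat Morgan <ceo.patmorgan@freemail.example>",     # known name, foreign mailbox
    "Chris Lee <chris.lee@examp1e.com>",               # lookalike domain
    '"pat.morgan@example.com" <urgent@evil.example>',  # address used as display name
    "Accounts Payable <billing@vendor.example>",       # unknown external sender
    "IT Helpdesk <helpdesk@example.com>",              # ordinary internal mail
]


def triage(headers=SAMPLE_HEADERS):
    """Map each header to its verdict; a gateway would act on the mapping."""
    return {h: classify_sender(h) for h in headers}
```

Quarantined mail still needs a human to confirm the sender out of band, which is the "verify it's from the corner office" step the paragraph below describes.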
CEOs must have their filters configured to read "To" address fields, quarantining any emails with unknown or dubious address strings (even if they contain the names of people known to them). On the other side of the desk, employees should understand their role in preventing phishing campaigns, ensure that all updates, filters, anti-malware and other security controls are current, and, if they do get a note from the Boss, verify that it came from the corner office upstairs and not from some corner of Botswana.

2. Mobile device security

According to Forbes' "Untethered Executive," 90 percent of business leaders use a smartphone every day, and the rate at which tablets are replacing traditional office workstation PCs and laptops is outpacing market supply. Executives not only use mobile devices for work during business hours; the device has become their "office/home/business away from everything else" mode of communication.

Because executives hold the fabled "keys to the kingdom," they are especially susceptible to being targeted for fraud and "...in the middle" types of attacks on their respective infrastructures. Here are a couple of things executives can do immediately to improve risk management at their level:

Routine device assessment: What is being used and how? For example, are you using the current version of software on your Android device? Is your iPhone encrypted? Do you use an RSA token when establishing a link into the corporate network?

Regular executive updates: Mike Tierney, in a recent Dark Reading article, emphasizes that "no one possesses more sensitive information than upper management." But what does the senior management team know about "Risk" and how it affects them in their day-to-day operations? For example, is there a resource in the organization that can provide regular updates and current news about security issues that directly or indirectly affect the business, its market, its operations and its clients? This could be anything from daily briefings on natural disasters to updates on the latest security breach, depending on the level of "risk" that needs to be articulated to the executive staff. In its "Global Cyber Executive Briefing," Deloitte makes the important point that "Every organization has valuable data to lose."

Securing wireless access points: Who has access to the Jewels, for how long and why? Incorporating something as simple as ensuring the SSID feature is being used in the "wireless network" settings can be an extra precaution to secure wireless access. Here are nine easy steps to share with the boss (and his family) on how to secure wireless access points.

Dedicated resources are inevitable: Who "manages" the management? Is there a designated "key management support" role on your staff? Many organizations are implementing two-person backup and access redundancy, which provides the additional value of sharing the trust (as well as the accountability for what is being "trusted"). While executives are good at being "executives," it doesn't hurt to bring in an SME or two to keep things safe while the bosses are away, writes Ricoh Danielson. "Work to create a culture that allows others to work together in the interest of security."

Upgrade legacy systems ("We know you like your Palm, but..."): Advancements in technology need to make sense for everybody in the organization, including the C-suite. Moving off outdated applications and systems to newer technology is often fraught with complexity, but it is essential to keep the costs of management, maintenance (and security) in check. Here's a five-step process offered by Samsung to help keep the peace during a legacy migration. If the policy is meant to keep the business safe at all levels, then the Boss will have to surrender that old Galaxy Note for the new version (as long as it's part of a defined migration strategy). Vendors such as Lookout do a pretty good job of providing an added layer of security for mobile devices.

3. Remote and travel Wi-Fi risks

When defending the business environment and protecting sensitive information, business operations must run seamlessly and consistently, based on a set of frameworks, policies and mandates articulated by the organization, and remote access must be treated as a privilege from all points throughout the organization. Symantec suggests a good offense starts with a good defense.

For contingency, business continuity and DLP purposes, key decision makers from across the organization must work in concert and agree on a forced (and fixed) set of parameters for operating in remote computing conditions, addressing the following key elements to maintain vigilance over corporate assets:

Mobility: The world of mobile computing has become the new standard for organizations as well as individuals. With Gartner's report of more than $100 billion to be spent on IT security by next year, the level of flexibility in what can be used as "remote devices," and whether the range of acceptable devices can be "hardened" by the organization (to meet GRC/ISMS/security mandate requirements), can become a major investment for an organization of any size.

Connectivity: Executives often require a higher degree of accessibility, as well as flexibility in communicating with corporate assets. Execs must remain productive and accessible to colleagues and clients with more flexibility than their subordinates. Because of the speed at which "business" is now conducted from day to day, IT infrastructures must maintain even greater vigilance (while maintaining a sense of decorum), as business executives are required to do more "from the road" than from the office. Keeping sensitive information from being exposed to unprotected environments is an important element in balancing "accessibility" with protecting critical assets.

Accessibility: It's often about "risk appetite" and "risk tolerance." Who has access is important, but "what is being accessed and why?" can be mission-critical to the long-term success (or failure) of a business and its executive team. Maintaining a predetermined set of operating guidelines for which part of the organization is accessed, by whom, for how long and from which devices and locations can mean the difference between a compromise and a catastrophic failure.

4. Social media precautions for executives

Social media risks associated with Facebook, Twitter and LinkedIn can create greater headaches for CSOs and their teams, despite the fast and convenient ways these services offer to stay in touch with friends and family while working from controlled devices. With over two billion monthly active users, Facebook is the largest social network on the web. Companies can set up groups for employees, allowing messages to reach all members simultaneously. Individuals can broadcast information from the mundane to the profound, and many keep a steady stream of Facebook postings and tweets, creating a following that can number in the millions (usually for actors and media personalities).

Sharing information is a social norm, but oversharing creates its own dangers, in particular for executives. By identifying their senior role in a company or organization, executives may be singled out for exploitation by attackers looking to gain a foothold in a corporate information network. For example, many corporate IT systems have "lost password" reset questions to save money on tedious help desk calls that can be resolved automatically. But if the answer to "What is the name of your favorite pet?" is readily available in your Facebook profile, then regardless of the complexity of your password, you've lost control of your account.

In addition, you or family members posting vacation plans, photos or narratives usually allows anyone who can see your postings to assess whether your home is ripe for burglary or whether your staff expects you to be out of touch, or gives a plausible explanation for why "you" are contacting corporate from an unusual email address or phone number.

5. The rise of ransomware and bitcoin

Ransomware is an attack in which criminals encrypt a victim's files and then send a demand for payment to obtain the decryption key. The FBI estimates that over one billion dollars in extortion payments were made last year, which has only encouraged the proliferation of these digital weapons, usually operated from locations out of reach of U.S. law enforcement. Not every instance of ransomware is the same; there have been dozens of new variants in the last three years. Some encrypt only files on a victim's hard drive; others are designed to spread throughout the corporate network, encrypting everything in their path.

Many ransomware payments are denominated in a cryptocurrency called "Bitcoin," which is a form of currency taking the C-suite by storm, according to G. Mark Hardy, National Security Corporation President and SANS Instructor: "Bitcoin is a distributed ledger maintained by software that uses encryption to protect prior entries from alteration, while creating an interface to add new transactions," he writes. "Because of its relative untraceability, Bitcoin has become an anonymous payment mechanism of choice for criminals, even though it has many legitimate uses. Ransom is often due in 24 or 48 hours before it goes up or the key is destroyed forever. Thus, having a member of your team know how to purchase Bitcoin (or holding some as a contingency) is a prudent precaution."

Ransomware often arrives as an email attachment or as a clickable link in a message that takes the victim to an infected website. Sometimes legitimate websites are infected with tools called exploit kits that are silently downloaded while the user looks at the "normal" page. These kits look for unpatched vulnerabilities or out-of-date software that allow the attackers to install malware that can search for sensitive files and begin the encryption process.

Infected attachments usually require the user to take an additional action such as "open this file," "enable macros," or "enable content." Rarely is this a requirement for legitimate correspondence, but many people click through without thinking because they have not been sensitized to the risk of what these files can do. Emails that appear to come from known correspondents raise less suspicion; thus some attack tools harvest a victim's email contacts to spread their malicious content.

Hardy suggests that paying ransom is not a matter of principle; "it's a matter of operational effectiveness." If an enterprise does not have regular, complete backups, it faces the prospect of extended downtime that may cost many thousands per hour, compared with a payment of several hundred and the (unproven) promise of getting files back. Although attackers often deliver, not all do. Discuss with your legal team now the ramifications of paying or negotiating ransom, and whether any reporting or shareholder disclosures are required. Ransomware is unlikely to vanish in the near future; consider it an ongoing threat that requires predetermined courses of action to allow a fast response.

Next time we'll round out the "Top 10" with a closer look at the latest trends in whaling, email threats, doing "homework," and how to destroy files (yes, seriously!).

It's been a busy summer.