CORE Security credits its unique perspective on data security to something many companies wouldn't even admit. The company, a provider of predictive security intelligence solutions, concedes it "has a number of hackers on staff," presumably of the white-hat variety.
Last week, it issued some tips from those hackers on ways to keep social networks like Facebook "hack free" during the busy holiday week. The advice:
- Before you enter your Facebook password, confirm the address bar shows exactly https://www.facebook.com (the whole host, not merely something containing "facebook.com"). Hackers will try to trick you by displaying fake login pages, but faking the URL in the browser's address bar is much harder to do.
- Always make sure you're using an SSL/HTTPS connection any time you enter your password. Remember that even after you log in to Facebook, if your browsing falls back to plain HTTP an attacker on the same network could still steal your session cookie and pretend to be you.
- Don't click on any links in emails that claim to be from Facebook. Instead, open Facebook manually and use the notification feature to see the friend request or message. Faking a friend request or notification email is very easy to do, and an attacker will replace the links in the email with links to fake login pages that steal your credentials.
- Use a unique password for Facebook. If you reuse the one you use for your email or banking, you'll sustain far more damage if your Facebook account is hacked.
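The first and third tips come down to one question: does a link in an email (or the address bar) really point at https://www.facebook.com, or only look like it? The following is an added example, not code from the original article or from CORE Security, showing why an exact origin check beats a "does it contain facebook.com" glance. It parses each URL and compares scheme, host and port, which catches the usual tricks: a lookalike subdomain (www.facebook.com.something.example), a fake host placed before an "@" sign, plain http, or an odd port. The expected host, the regex used to pull links out of the email body, and the sample email itself are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the only origin at which the Facebook
# password should ever be typed is the one named in the tip above.
EXPECTED_SCHEME = "https"
EXPECTED_HOST = "www.facebook.com"

# Simple link extractor for a plain-text or HTML email body (assumed
# pattern; stops at whitespace, quotes and angle brackets).
LINK_RE = re.compile(r'https?://[^\s"<>]+', re.IGNORECASE)


def naive_substring_check(url: str) -> bool:
    """The glance a hurried user makes: 'it says facebook.com, so it is fine'.
    Shown here only to demonstrate how it is fooled."""
    return "www.facebook.com" in url.lower()


def is_genuine_login_url(url: str) -> bool:
    """Return True only if url points at the expected login origin.

    Compares the *parsed* scheme, hostname and port rather than a
    substring, so lookalike subdomains, userinfo before '@', plain
    http and non-standard ports are all rejected.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # may raise ValueError on a garbage port
    except ValueError:
        return False
    if parts.scheme.lower() != EXPECTED_SCHEME:
        return False
    # .hostname is already lower-cased and excludes any user:pass@ prefix
    if parts.hostname != EXPECTED_HOST:
        return False
    # Credentials embedded in the URL are a red flag on their own
    if parts.username is not None or parts.password is not None:
        return False
    # Only the default HTTPS port is acceptable
    if port not in (None, 443):
        return False
    return True


def classify_links(email_body: str) -> dict:
    """Map every link found in the email to whether it is the genuine origin."""
    links = [u.rstrip(".,;:)") for u in LINK_RE.findall(email_body)]
    return {u: is_genuine_login_url(u) for u in links}


# Constructed sample phishing email (not a real message).
SAMPLE_EMAIL = """\
You have 1 new friend request. Open https://www.facebook.com.account-verify.example/login to see it.
Or sign in here: http://www.facebook.com/login.php
Help: https://www.facebook.com/help/
"""

if __name__ == "__main__":
    for link, ok in classify_links(SAMPLE_EMAIL).items():
        verdict = "GENUINE" if ok else "FAKE   "
        print(f"{verdict}  naive_check={naive_substring_check(link)!s:5}  {link}")
```

Only the help link passes; the first link contains the string "www.facebook.com" and fools the substring check, but its real host is account-verify.example, and the second is the right host over plain http. If you want to accept other legitimate hosts (facebook.com without "www", or m.facebook.com), widen EXPECTED_HOST to an explicit allowlist rather than loosening the comparison.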
While those tips may seem obvious to data professionals, they underscore something CORE Security found in a survey it released earlier this month: far too few people, whether they're holiday travelers or CEOs, have a clue about data threats or the defenses against them.
The survey found a big difference in the ways CEOs and chief information security officers (CISOs) view threats to IT infrastructure security -- an issue that by some estimates costs organizations more than $30 billion annually. It found a clear lack of communication between the offices of the CEO and the CISO: more than 36 percent of CEOs said the CISO never reports to them on the state of IT infrastructure security. What's worse, the CEOs don't seem to care.
"The CEO is obviously further removed from the specifics of the threats and defenses that have been established to thwart them than the CISO. However, the one data point I am having a difficult time comprehending is the apparent lack of interest in security from the top executive," noted Mark Hatton, president and CEO of CORE Security.
Only 27 percent of the CEOs surveyed reported receiving security updates "on a somewhat regular basis."
CEOs and CISOs also have different views on the sources of threats. CISOs worry about the workforce and "a lack of employee education and diligence," while CEOs fear external phishing attacks. But consider this: More than 60 percent of CISOs are very concerned that their IT systems could experience a breach -- but only 15 percent of CEOs are worried about the same thing.
The survey, conducted in April for CORE Security by Research Now, is based on responses from 100 CEOs and 100 CISOs/C-level security leads. You can read more about it here. And tomorrow, we'll talk to CORE Security's Milan Shah, senior vice president of products and engineering, who drives the company's product management and development functions.