CORE Security credits its unique perspective on data security to something many companies wouldn't even admit. The company, a provider of predictive security intelligence solutions, concedes it "has a number of hackers on staff," presumably of the white-hat variety.
Last week, it issued some tips from those hackers on ways to keep social networks like Facebook "hack free" during the busy holiday week. The advice:
Before you enter your Facebook password, confirm the URL is https://www.facebook.com. Hackers will try to trick you by displaying fake login pages, but faking the URL is much harder to do.
Always make sure you're using an SSL/HTTPS connection anytime you enter your password. Remember that even after you log in to Facebook, an attacker could still try to steal your cookies and pretend to be you.
Don’t click on any links in emails that claim to be from Facebook. Instead, open Facebook manually and use the notification feature to see the friend request or message. Faking a friend request or notification is very easy to do, and an attacker will replace the links in the email with links taking you to fake log-in pages to steal your credentials.
Use a unique password for Facebook. If you use the same one you use for your email or banking, you'll sustain far more damage if your account is hacked.
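The first and third tips above amount to a check a person can do by eye; the example below shows why that check has to be done on the parsed URL rather than by looking for "facebook.com" somewhere in the link. This is an added example, not code from CORE Security or the article; the only fact it takes from the page is that the genuine login host is www.facebook.com, and the sample email and the look-alike hosts in it are constructed.

```python
import re
from urllib.parse import urlsplit

GENUINE_HOST = "www.facebook.com"          # stated in the article's first tip
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_genuine_login_url(url: str) -> bool:
    """True only for an https URL whose host is exactly www.facebook.com.

    A real URL parser is used instead of a substring check, so the usual
    look-alike tricks fail: 'www.facebook.com.example', user-info before an
    '@', plain http, or a non-standard port.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port                  # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":    # tip 2: TLS only
        return False
    if parts.hostname != GENUINE_HOST:     # hostname drops user-info, lowercases
        return False
    return port in (None, 443)


def audit_email_links(body: str) -> list:
    """Extract every http(s) link in an email body and label it genuine or not."""
    return [(u, is_genuine_login_url(u)) for u in URL_RE.findall(body)]


# Constructed sample "notification" email; every host other than
# www.facebook.com is a made-up example.
SAMPLE_EMAIL = """\
You have a new friend request!
Genuine:             https://www.facebook.com/login
Lookalike subdomain: https://www.facebook.com.login-check.example/
User-info trick:     https://www.facebook.com@login-check.example/
No TLS:              http://www.facebook.com/login
"""

if __name__ == "__main__":
    for url, ok in audit_email_links(SAMPLE_EMAIL):
        print("GENUINE " if ok else "SUSPECT ", url)
```

Only the first link in the sample passes; the other three are exactly the kind of "looks like Facebook" link the article says attackers place in fake notification emails.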
While those tips may seem obvious to data professionals, they underscore something CORE Security found in a survey it released earlier this month: Basically, far too few people, whether they're holiday travelers or CEOs, have a clue about data threats or potential defenses.
The survey found there's a big difference in the ways CEOs and chief information security officers (CISO) view threats to IT infrastructure security -- an issue that by some estimates costs organizations more than $30 billion annually. It found a clear lack of communication between the offices of the CEO and CISO. In fact, more than 36 percent of CEOs said the CISO never reports to them on the state of IT infrastructure security. What's worse, the CEOs don’t seem to care.
"The CEO is obviously further removed from the specifics of the threats and defenses that have been established to thwart them than the CISO. However, the one data point I am having a difficult time comprehending is the apparent lack of interest in security from the top executive," noted Mark Hatton, president and CEO of CORE Security.
Only 27 percent of the CEOs surveyed reported receiving security updates "on a somewhat regular basis."
CEOs and CISOs also have different views on the sources of threats. CISOs worry about the workforce and "a lack of employee education and diligence," while CEOs fear external phishing attacks. But consider this: More than 60 percent of CISOs are very concerned that their IT systems could experience a breach -- but only 15 percent of CEOs are worried about the same thing.
The survey, conducted in April for CORE Security by Research Now, is based on responses from 100 CEOs and 100 CISOs/C-level security leads. You can read more about it here. And tomorrow, we'll talk to CORE Security's Milan Shah, senior vice president of products and engineering, who drives the company's product management and development functions.
Daniel writes: We have to take utmost caution about the genuineness of the GUI before inputting the credentials. Nowadays lots of spam mails are flooding inboxes asking for logins to social media networks for different offers and other things. It seems that in most cases, the links redirect to fake login pages, similar to phishing. So I think it's always better to have a look at the IP address before inputting any details.
This seems an appropriate point to post a little warning (which many of you may have already seen) about the DNS Changer malware issue, which has involved infecting PCs worldwide to redirect server link requests to "counterfeit" sites.
The Apocalypse arrives tomorrow, so be forewarned that you should check to ensure that either you're not infected, or you've used the proper disinfectant. It's kinda complicated, involving the FBI usurping and appropriating the malicious servers and maintaining re-routing for the convenience of victims, but the FBI is gonna shut down the hijacked servers (are you still following me on this?), but anyway, don't worry about the details...
The important thing is, there's an excellent article in the LA Times which provides several alternatives for checking out your system:
Here's how to check your computer for the DNS Changer Malware
It may cost an organization millions to protect all their data. A practical way to look at the situation is to focus on protecting the most critical data first. Management should be educated and know where their most critical data is, as well as be able to maneuver the right security measures that are to be implemented, testing systems
Another avenue through which Facebook logins could pose a security threat is the third-party logins where you can enter a site using your Facebook login. This means if you log into a dubious site using your Facebook password it could get tapped from there. Potentially a risky feature... on most sites I do not know, I'd rather go the long route and create an account.
On the notification emails, it is sometimes tempting since they could be a shortcut to seeing what's on FB without logging in, but I guess it's worth the trouble to log in for your own safety.
I feel that the organogram in many organizations is such that the CISO either isn't powerful enough or lacks coordination with the CEO due to the stated structure. Maybe the reason for that is that the CISO's role is a specific one and the CEO feels that the role doesn't have widespread implications in the organization, hence there is no need for a direct reporting line. I have seen that CIOs are in a relatively better position to communicate with the CEO compared to the CISO.
However, when security breaches causing large-scale disasters occur, CISOs are deemed to be involved with the organizational leadership so that consequences can be avoided.
@ Noreen, I think hiring hackers is a two-edged sword. I think of those individuals in Russia who will illegally hack into something, then freely advertise their services. I know corporations will hire former criminals to hack them, but I often wonder, how do they know that hacker isn't doing something behind the scenes? On the other hand, you need those talents to test a system.
On another note, the thing that people need to be aware of is that if there is only a 1% chance of something happening, that is actually a big number. And that 1% chance isn't someone else, it's you.
Unfortunately, security isn't one of those things that CEOs want to talk about. Their concern is placed on availability, usability and project status. Security is usually a small part of those bigger containers. That doesn't mean that the issues aren't being addressed it just means that the focus typically isn't that narrow.
Now as far as using white hats to counter black hats, I think it's important to follow what the white hats are doing and to understand how the projects they are working on might impact your company, but I don't think it's necessary or wise to actively employ a white hat. The legal issues of reverse engineering someone's software package, for example, aren't an area too many companies want to get involved in.
This is a growing trend in IT defense, isn't it? I've been reading about such defenses on other blogs. I think using Honeypots and other mechanisms might be better suited to gaining predictive insight. Counterstrikes are probably not such a good idea considering the potential for collateral damage on the system you're trying to defend.
Interesting disconnect between the two different "C" people. Perhaps the disparity can be explained by the CISO focusing on the company's IT and knowing the nuts and bolts behind the network and risk threats. The CEO, on the other hand, has multiple worries to dwell on, i.e., revenue and the bottom line.
Of course, if the company's system is hacked and piles of customers' passwords are stolen that can put a damper on the bottom line results. In assessing the practice to employ white-hat hackers to combat the bad guys, it falls into the category of, "it takes one to know one."