There's No Holiday From Security Threats

CORE Security credits its unique perspective on data security to something many companies wouldn't even admit. The company, a provider of predictive security intelligence solutions, concedes it "has a number of hackers on staff," presumably of the white-hat variety.

Last week, it issued some tips from those hackers on ways to keep social networks like Facebook "hack free" during the busy holiday week. The advice:

  • Before you enter your Facebook password, confirm the URL in the address bar is Facebook's own. Hackers will try to trick you by displaying fake login pages, but faking the URL shown in the address bar is much harder to do.
  • Always make sure you're using an SSL/HTTPS connection any time you enter your password. Remember that even after you log in to Facebook, an attacker on the same network could still try to steal your session cookies from an unencrypted connection and use them to pretend to be you.
  • Don't click on any links in emails that claim to be from Facebook. Instead, open Facebook manually and use the notification feature to see the friend request or message. Faking a friend request or notification email is very easy to do, and an attacker will replace the links in the email with links to fake login pages that steal your credentials.
  • Use a unique password for Facebook. If you reuse the one you use for your email or banking, you'll sustain far more damage if your Facebook account is hacked, because the attacker can try the same password everywhere else.
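The first two tips above amount to a check you can write down. As an added example (not from the original post and not CORE Security's code), here is a Python function that applies them to a URL string: it insists on HTTPS, refuses URLs that hide a different host behind user:pass@, and compares the host against the expected registrable domain after IDNA encoding so that Unicode look-alike names cannot match. The expected domain and the sample URLs are assumptions for the example.

```python
"""Check a login URL against the domain you expect before typing a password."""
from urllib.parse import urlsplit

# Registrable domain we expect to be logging in to (assumption for this example).
EXPECTED_DOMAIN = "facebook.com"


def check_login_url(url: str, expected_domain: str = EXPECTED_DOMAIN) -> tuple[bool, str]:
    """Return (ok, reason).

    ok is True only when the URL uses HTTPS, carries no user:pass@ part, and its
    host is expected_domain itself or a subdomain of it.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"not HTTPS (scheme is {parts.scheme or 'missing'!r})"

    # "https://www.facebook.com@evil.example/" puts the real domain in the
    # userinfo part; the browser actually connects to evil.example.
    if parts.username is not None or parts.password is not None:
        return False, "URL carries user:pass@ before the host (look-alike trick)"

    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "no host in URL"

    # IDNA-encode so a Unicode look-alike label (e.g. Cyrillic 'a') becomes an
    # xn-- label and can never compare equal to the ASCII expected domain.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "host does not encode as a valid domain name"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"host {host!r} contains an internationalised label"

    if host == expected_domain or host.endswith("." + expected_domain):
        return True, f"host {host!r} is {expected_domain} or a subdomain of it"
    return False, f"host {host!r} is not under {expected_domain}"


# Constructed sample URLs, not real phishing links.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com/login.php",
    "https://www.facebook.com.account-verify.example/login",
    "https://www.facebook.com@evil.example/login",
    "https://faceb00k.com/login",
]


def check_samples(urls=SAMPLE_URLS) -> dict[str, bool]:
    """Run the check over a list of URLs and return url -> ok."""
    return {u: check_login_url(u)[0] for u in urls}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, reason = check_login_url(u)
        print("OK  " if ok else "BAD ", u, "-", reason)
```

Reading the address bar is the manual version of this check. Note what it does not cover: the scheme test says nothing about whether the certificate is valid (the browser verifies that for you), and a subdomain match trusts every host under the expected domain, which is the right call for a site like Facebook but too loose for a domain that hands out subdomains to third parties.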

While those tips may seem obvious to data professionals, they underscore something CORE Security found in a survey it released earlier this month: far too few people, whether holiday travelers or CEOs, have a clear picture of data threats or of the defenses available against them.

The survey found there's a big difference in the ways CEOs and chief information security officers (CISOs) view threats to IT infrastructure security -- an issue that by some estimates costs organizations more than $30 billion annually. It found a clear lack of communication between the offices of the CEO and the CISO. In fact, more than 36 percent of CEOs said the CISO never reports to them on the state of IT infrastructure security. What's worse, the CEOs don't seem to care.

"The CEO is obviously further removed from the specifics of the threats and defenses that have been established to thwart them than the CISO. However, the one data point I am having a difficult time comprehending is the apparent lack of interest in security from the top executive," noted Mark Hatton, president and CEO of CORE Security.

Only 27 percent of the CEOs surveyed reported receiving security updates "on a somewhat regular basis."

CEOs and CISOs also have different views on the sources of threats. CISOs worry about the workforce and "a lack of employee education and diligence," while CEOs fear external phishing attacks. But consider this: More than 60 percent of CISOs are very concerned that their IT systems could experience a breach -- but only 15 percent of CEOs are worried about the same thing.

The survey, conducted in April for CORE Security by Research Now, is based on responses from 100 CEOs and 100 CISOs/C-level security leads. You can read more about it here. And tomorrow, we'll talk to CORE Security's Milan Shah, senior vice president of products and engineering, who drives the company's product management and development functions.

Noreen Seebacher,

Noreen Seebacher, the Community Editor of Investor Uprising, has been a business journalist for more than 20 years. A New York City based writer and editor, she has worked for numerous print and online publications. Her work has appeared in The New York Times, the New York Post, New York’s Daily News, The Detroit News, and the Pittsburgh Press. She co-edited five newsletters for Real Estate Media’s and served as the site's technology editor.

She also championed the commercial real estate beat at The Journal News, a Gannett publication in suburban New York City, and co-founded a Website focused on personal finance. Through her own company, Stasa Media, Noreen has produced reports, whitepapers, and internal publications for a number of Fortune 500 clients. When she's not writing, editing, or Web surfing, she relaxes in an 1875 Victorian with her husband and their five kids, four formerly homeless cats, and a dog.


Re: Fake links
  • 7/8/2012 9:33:12 PM


Daniel writes:

We have to take utmost caution about the genuineness of the GUI before inputting the credentials. Nowadays lots of spam mails are flooding the inbox asking for login to social media networks for different offers and other things. It seems that in most cases, the links are redirecting to fake login pages, similar to phishing. So I think it's always better to have a look at the IP address before inputting any details.


This seems an appropriate point to post a little warning (which many of you may have already seen) about the DNS Changer malware issue, which has involved infecting PCs worldwide to redirect server link requests to "counterfeit" sites. 

The Apocalypse arrives tomorrow, so be forewarned that you should check to ensure that either you're not infected, or you've used the proper disinfectant.  It's kinda complicated, involving the FBI usurping and appropriating the malicious servers and maintaining re-routing for the convenience of victims, but the FBI is gonna shut down the hijacked servers  (are you still following me on this?), but anyway, don't worry about the details...

The important thing is, there's an excellent article in the LA Times which provides several alternatives for checking out your system:

Here's how to check your computer for the DNS Changer Malware

Just for convenience, both the ABC and NBC news tonight gave the following website as a good way to check and, if necessary, remedy your own situation:

It's easy to remember, in case you want to tell somebody (my mnemonic is "DC Water Gas", but whatever...)

It worked for me...
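The warning above is about rogue DNS resolvers: an infected machine is pointed at attacker-run nameservers, so every "counterfeit site" redirect starts with a resolver address that should not be there. As an added example (not from the comment, the FBI or the DNS Changer Working Group), here is a Python check that parses resolv.conf-style text and flags any nameserver that falls inside the rogue resolver ranges published for DNSChanger. The ranges are reproduced from memory and should be verified against the FBI/DCWG advisory before you rely on them; the resolv.conf sample is constructed.

```python
"""Flag configured DNS resolvers that sit inside the DNSChanger rogue ranges."""
import ipaddress

# Rogue resolver ranges published by the FBI / DNS Changer Working Group for
# DNSChanger, reproduced from memory for this example. Verify against the
# advisory before relying on them.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Turn each first/last pair into CIDR networks once, so membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def rogue_nameservers(servers) -> list[str]:
    """Return the subset of servers that fall inside a known rogue range."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # not an IP literal; nothing to compare
        if addr.version == 4 and any(addr in net for net in ROGUE_NETWORKS):
            hits.append(s)
    return hits


# Constructed sample: one clean resolver and one inside 85.255.112.0/20.
# This is not a capture from a real infected machine.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.0.2.53
nameserver 85.255.116.10   # sits in the 85.255.112.0 - 85.255.127.255 range
"""


def check_resolv_conf(text: str = SAMPLE_RESOLV_CONF) -> list[str]:
    """Parse the text and return any resolvers that are in a rogue range."""
    return rogue_nameservers(parse_nameservers(text))


if __name__ == "__main__":
    hits = check_resolv_conf()
    print("rogue resolvers:", ", ".join(hits) if hits else "none")
```

On a Linux or macOS machine you would feed it the contents of /etc/resolv.conf; on Windows the equivalent is the DNS server lines from `ipconfig /all`. A clean result only means the resolver addresses are not in these ranges; it does not prove the machine is uninfected, and DHCP-served resolvers on a compromised home router would also show up here.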


Data Protection
  • 7/8/2012 8:02:47 PM

It may cost an organization millions to protect all their data. A practical way to look at the situation is to focus on protecting the most critical data first. Management should be educated and know where their most critical data is, as well as be able to maneuver the right security measures that are to be implemented, testing systems


Re: Fake links
  • 7/4/2012 12:29:49 PM

Another avenue through which Facebook logins could pose a security threat is the third-party logins where you can enter a site using your Facebook login. This means if you log into a dubious site using your Facebook password it could get tapped from there. Potentially a risky feature ... on most sites I do not know, I rather go the long route and create an account.

On the notification emails, it is sometimes tempting since they could be a shortcut to seeing what's on FB without logging in, but I guess it is worth the trouble to log in for your own safety.

The gap
  • 7/4/2012 9:56:16 AM

I feel that the organogram in many organizations is such that the CISO either isn't powerful enough or lacks coordination with the CEO due to the stated structure. Maybe the reason for that is that the CISO's role is a specific one and the CEO feels that the role doesn't have widespread implications in the organization, hence there is no need for a direct reporting line. I have seen that CIOs are in a relatively better position to communicate with the CEO compared to CISOs.

However, when security breaches causing large-scale disasters occur, CISOs are deemed to be involved with the organizational leadership so that consequences can be avoided. 

Re: What a disconnect!
  • 7/3/2012 10:08:40 PM

@Noreen, I think hiring hackers is a two-edged sword. I think of those individuals in Russia who will illegally hack into something, then freely advertise their services. I know corporations will hire former criminals to hack them, but I often wonder, how do they know that hacker isn't doing something behind the scenes? On the other hand, you need those talents to test a system.

On another note, the thing that people need to be aware of is that if there is only a 1% chance of something happening, that is actually a big number. And that 1% chance isn't someone else, but it's you.

Re: What a disconnect!
  • 7/3/2012 7:29:17 AM

Unfortunately, security isn't one of those things that CEOs want to talk about.  Their concern is placed on availability, usability and project status.  Security is usually a small part of those bigger containers.  That doesn't mean that the issues aren't being addressed it just means that the focus typically isn't that narrow.

Now as far as using white hats to counter black hats, I think it's important to follow what the white hats are doing and to understand how the projects they are working on might impact your company, I don't think it's necessary or wise to actively employ a white hat.  The legal issues of reverse engineering someone's software package for example isn't an area too many companies want to get involved in.

Fake links
  • 7/3/2012 4:47:27 AM

Noreen, you are right. We have to take utmost caution about the genuineness of the GUI before inputting the credentials. Nowadays lots of spam mails are flooding the inbox asking for login to social media networks for different offers and other things. It seems that in most cases, the links are redirecting to fake login pages, similar to phishing. So I think it's always better to have a look at the IP address before inputting any details.

Re: What a disconnect!
  • 7/2/2012 10:54:39 PM

This is a growing trend in IT defense, isn't it? I've been reading about such defenses on other blogs. I think using Honeypots and other mechanisms might be better suited to gaining predictive insight. Counterstrikes are probably not such a good idea considering the potential for collateral damage on the system you're trying to defend.

Re: What a disconnect!
  • 7/2/2012 1:52:23 PM

Interesting disconnect between the two different "C" people. Perhaps the disparity can be explained by the CISO focusing on the company's IT and knowing the nuts and bolts behind the network and risk threats. The CEO, on the other hand, has multiple worries to dwell on, i.e., revenue and the bottom line.

Of course, if the company's system is hacked and piles of customers' passwords are stolen that can put a damper on the bottom line results. In assessing the practice to employ white-hat hackers to combat the bad guys, it falls into the category of, "it takes one to know one."

Re: What a disconnect!
  • 7/2/2012 9:33:33 AM

Let's ask the community to weigh in. How do you define the words "hacker" and "hacking"? Are they by definition "bad"?
