Vulnerability Management: False Confidence, the Remediation Gap and Other Challenges

Organizations believe their vulnerability management programs are more mature than they really are, and the time it takes to remediate vulnerabilities remains an issue for many businesses, according to several reports.

A SANS whitepaper, What Are Their Vulnerabilities?: A SANS Survey on Continuous Monitoring, concluded that security practitioners are overconfident in their current state of continuous monitoring:

… survey results starkly illustrate that we are approaching a dangerous state in which we believe we have appropriately addressed problems, though we have, in fact, not adequately remediated them—therefore unknowingly leaving a window of opportunity open for attackers.

“Each of the questions taken on their own – there’s nothing really major that’s unsound. But looking at those questions together is very interesting,” said David Hoelzer, SANS Fellow Instructor, author of the paper, and founder and CISO of CyberDefense, the parent company of Enclave Forensics.

“More than half of these [organizations] are saying that they are mature or maturing. They say that, but then when we look at the coverage of assets … no one is even willing to say that they are covering 100% of their publicly exposed systems.”

Hoelzer, who was a guest on our vulnerability management podcast last October, said that gap in perception is a cause of concern.

“I would not define what we’re seeing in that report as anything like mature,” he said. “It seems as though our criteria or the bar we’re trying to reach is not high enough.”

Closing the Remediation Gap

One of the biggest challenges around vulnerability management is the time it takes organizations to remediate those vulnerabilities, or the remediation gap.

According to a 2015 Kenna Security report, The Remediation Gap: Why Companies Are Losing the Battle Against Non-targeted Attacks, even “conservative” estimates found that the window of opportunity for many exploits remains significant:

  • On average, it takes businesses 100-120 days to remediate vulnerabilities.
  • At 40-60 days, the probability of a vulnerability being exploited reaches over 90 percent – indicating that most successfully exploited vulnerabilities are likely to be exploited in the first 60 days.
  • The gap between being likely exploited and closing a vulnerability is around 60 days.

“The gap that we’re looking at is getting much bigger, and I think that is happening because attackers are getting really, really good at automated attacks,” said Kenna Security’s senior data scientist Michael Roytman, who was also featured on the podcast.

Old Vulnerabilities, New Problems

According to Roytman, enterprises often have a huge backlog of vulnerabilities. That “security debt” is one of the primary reasons for the remediation gap. In addition, it can be difficult to know which of those vulnerabilities are actually being exploited.

For example, attackers continue to exploit old vulnerabilities, as pointed out in the report:

  1. CVE-2010-3055 was exploited 121,000 times in 2014. It allows attackers to run arbitrary code in phpmyadmin via a POST request, and phpmyadmin runs millions of sites worldwide. It’s a CVSS 7.5, which means it’s bound to fly under the radar more often than not. But it shouldn’t.
  2. CVE-2002-0649 is an ancient worm that exploits SQL Server 2000 and Microsoft Desktop Engine 2000. Reading the Wikipedia article on the worm makes it seem like it’s a long forgotten problem, but we witnessed 156,000 successful exploitations in 2014. It’s not new, it’s not hip, it’s not current, so one talks about it – but it’s a significant threat.
  3. CVE-2000-1209 is also not to be forgotten, with 272,000 successful exploitations. It exploits Microsoft SQL Server 2000, SQL Server 7.0, and Data Engine (MSDE) 1.0, including third party packages that use these products such as Tumbleweed Secure Mail (MMS), Compaq Insight Manager, and Visio 2000.

The report concluded: “These vulnerabilities are not new – in fact, they’re extremely old – and yet they perfectly represent the kind of unremediated vulnerabilities that automated attacks attempt to find. They’re the windows that the criminals rattle around and try to pry open.”

“Huge Opportunity” for Threat Intelligence

Integrating threat intelligence into vulnerability management is recent development, Roytman said, as the data available now wasn’t available five or ten years ago. But threat intel can help provide the biggest bang for the buck in terms of deciding which of the potentially thousands of actions an organization should take first.

“What’s surprising to me is the lack of information about what is being exploited,” Roytman said. “Integrating those data sources, disseminating that knowledge, is something that can really shorten the remidation gap, and it was surprising to me to see how many enterprises don’t have that information integrated.”

He added: “We’re kind of at this crossroads where the data is flowing in, but maybe we’re not integrating it into our vulnerability managment practices, and that’s a huge opportunity.”

You can listen to our previous podcast on vulnerability management below for more information:

About the Podcast:
This special episode is all about the challenges and issues around vulnerability management. David Hoelzer – SANS Fellow Instructor, dean of faculty for the SANS Technology Institute, and founder and CISO of CyberDefense, the parent company of Enclave Forensics – discusses the recent SANS survey and whitepaper “What Are Their Vulnerabilities?: A SANS Survey on Continuous Monitoring.” Among the findings is that “we are approaching a dangerous state” where companies believe they are doing better than they are – leaving a window of opportunity for attackers.

Kenna Security’s senior data scientist Michael Roytman also joins the podcast to discuss their recent report, “The Remediation Gap: Why Companies Are Losing the Battle Against Non-targeted Attacks.” The report estimated that most companies take an average of 100-120 days to remediate vulnerabilities. We chat about the state of vulnerability management, the challenges facing organizations, and what businesses can do to improve on that front.

Podcast: Big Names Get Breached, Malware Evolves and Court Questions Data Sharing

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 71: Big Names Get Breached, Malware Evolves and Court Questions Data Sharing:

This week’s trending cybercrime events include breaches at the NBA’s Milwaukee Bucks and the furry site “Fur Affinity,” a two-year cyber-espionage campaign against Swiss military contractor Ruag, payment card skimmers found at Walmart, and DDoS-for-hire services found on the online marketplace Fiverr. Researchers discussed several new types of malware including a stealthy new malware dubbed “Furtim,” a new variant of Cerber ransomware, and changes to DMA Locker – which is being upgraded for a potential “massive” distribution. On the legal front, the transfer of data between the U.S. and the EU continues to be questioned in court, Wells Fargo was ordered to pay a $1.1 million fine related to employee data theft, another W-2-related breach lawsuit was filed, and various individuals were arrested and cybercriminal groups disrupted. Also, people continue to get in trouble by hacking road signs.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Anonymous Ops Trending, Where are the Other Hacktivists?

Not long ago, several hacktivist groups like the Syrian Electronic Army and Lizard Squad were making headlines on a weekly basis with new hacktivism campaigns and random attacks. While Anonymous has always been the primary source of hacktivism throughout the world, it is interesting to see how these other prominent hacktivist groups’ activity has essentially fallen off the map. Where have all the hacktivists gone?

Taking a look at SurfWatch Labs’ data, Anonymous has been (and will remain) the top trending hacktivist group in 2016, with other factions of Anonymous such as New World Hacking and Ghost Squad Hackers providing additional support to the many Anonymous campaigns currently in existence.

2016-05-23_hacktivistactors
Anonymous is by far the top trending hacktivist group in 2016. Several other Anonymous-affiliated groups also made the list. 

The members of the Anonymous collective have been busy in 2016. New campaigns are underway, but several operations that were created in previous years have seen the most activity to date.

2016-05-23_hacktivistops
Throughout each month so far in 2016 an Anonymous campaign has made headlines. 

Government Sector Targeted, Financials Sector Trending

The government sector has been targeted the most by hacktivism in 2016 by a large margin. The data breach of the Philippines Commission on Elections is by far the top trending hacktivism target.

2016-05-23_hacktivism
The Government sector has been targeted the most by hacktivism in 2016. The Philippines Commission on Elections is the top trending industry target. 

Two Anonymous-affiliated groups were behind the data breach of the Commission on Elections: Anonymous Philippines and Lulzsec Pilipinas. The breach affected 55 million Filipino voters and is considered one of the biggest government data breaches on record.

The Financials sector has also seen a lot of activity over the last month. This is largely due to #OpIcarus, a campaign created by members of Anonymous that is specifically targeting banks.

As the chart illustrates above, several banks are trending, with new banks targeted by #OpIcarus making headlines seemingly on a weekly basis. Between May 13 and 19, a total of 18 banks suffered DDoS attacks at the hands of Anonymous.

Where are the Other Hacktivist Groups?

Anonymous continues to make headlines while other prominent hacktivist groups remain stagnant. Groups like Lizard Squad, the Armada Collective, and the Syrian Electronic Army (SEA) appear to have almost completely ceased all operations. The CyberFacts collected by SurfWatch Labs backs this up, with 2015 being the last time any significant conversation took place among the three groups.

2016-05-23_hacktivistgroups
The chart above shows negative CyberFacts for SEA, Lizard Squad, and the Armada Collective over the past 18 months. 

Syrian Electronic Army
Once one of the most recognized hacktivist groups, the SEA has seemingly disappeared since the summer of 2015. Most current news surrounding the SEA involves legal and law enforcement content as members of the group are being hunted down for past hacking activities. The SEA has been involved with many cyber-attacks, including the the hijacking of the Associated Press Twitter account and the takeover of Forbes. The group was founded in 2011, with most of their activity occurring during 2013 and 2014.

Lizard Squad
Perhaps one of the most notorious groups linked with DDoS attacks, Lizard Squad made a name for themselves after launching multiple DDoS attacks against the Sony Playstation Network and Xbox Live. The group has engaged in a war with Sony Online Entertainment president John Smedley, leading to bizarre events such as calling in a fake bomb threat to an airline which Smedley was a passenger of and effectively grounding the flight. Lizard Squad has recently made headlines without any effort, as a group of unknown hackers were posing as the hacktivist group in an effort to extort money from U.K. businesses through the threat of a DDoS attack. As for actual current activity from Lizard Squad, Blizzard reported a DDoS attack from the group back in April 2016.  

Armada Collective
The Armada collective is the newest hacktivist group out of the three, and it is well-known for its DDoS extortion attacks against online retailers, a method of attack that was first made popular by another hacker group, DD4BC. The group was very active towards the end of 2015, attempting to extort several companies. Much like ransom demands, experts have overwhelmingly warned companies not to give into these attacks. The group went silent in late 2015, although other groups continue to use the group’s name for fake DDoS threats, which unfortunately lead to the group earning over $100,000 for their efforts.

While many people find the threats of hacktivism to be just a nuisance, the damage created from a single attack can have lasting consequences. DDoS attacks — the primary hacktivist weapon of choice — can impact a company through financial losses and damaged brand reputation due to the amount of time the company’s servers are down. In other attacks, sensitive data can be obtained and leaked on the Internet for other criminals to exploit. Hacktivism hasn’t been as prominent in 2016 compared to years past, but the threat posed from these groups remains the same, and companies need to remain diligent in protecting from these threats.

Top Dark Web Markets: AlphaBay and Stolen Credentials

Dark web markets are constantly changing. The last major shakeup to occur was the disappearance of the Nucleus Market, which has been offline for nearly a month and a half. Since then, the site’s users have flocked to other markets in search of an alternative.

Many of those users have transitioned to AlphaBay, the current king of dark web markets. AlphaBay was the most popular marketplace before Nucleus Market disappeared. Since then it has only grown more popular.

AlphaBay_May2016_2
A vendor selling hacked bank account logins on AlphaBay.

A similar surge happened in March 2015 after the administrators of the dark web marketplace Evolution shut down and stole users’ bitcoins in an “exit scam.” In the three days following Evolution’s disappearance, AlphaBay received 18,000 new registrations, said alpha02, a well-known carder and founder of the AlphaBay market. A few months later another major dark web market, Agora, announced it was shutting down due to security issues. Once again, AlphaBay membership surged. By October 2015 AlphaBay announced it had hit 200,000 users and become one of the most popular markets on the dark web.

That growth has continued. In early January there were approximately 12,500 fraud-related listings. Today there are close to 20,000.

How Does AlphaBay Work?

As we noted last month, there are a lot of misconceptions about the dark web, and it is not hard for the average person to find these websites and purchase illicit goods and services. However, the markets are also full of law enforcement, researchers conducting threat intelligence (like SurfWatch Labs), and scammers. As a result, those buying and selling items tend to be concerned about two things: anonymity and security.

  1. Anonymity when purchasing: The combination of tools such as Tor, which helps users anonymously access the markets, and the growth of virtual currencies, which helps users anonymously purchase illegal items, has helped dark web markets such as AlphaBay flourish.
  2. Security among thieves: AlphaBay offers multi-signature escrow to help protect buyers from getting scammed. Money is deposited into a wallet with three people having keys: the buyer, the seller and the market. Two of those keys are needed to approve payment. If the buyer is happy, he or she releases the key and the seller is paid. If there is a dispute, the moderator can approve payment and give the second key to the seller — or deny payment and give the key to the buyer.

In addition, in just the past few months AlphaBay has rolled out mandatory two-factor authentication for vendors as well as a detailed privacy policy — the first dark web market ever to do such a thing, it claims.

Many markets try to emulate the customer-friendly features seen on popular e-commerce sites such as Amazon or eBay. In the case of AlphaBay, there is both a “Vendor Level,” which is based on number of sales and amount sold, and a “Trust Level,” which is based on the level of activity within the community as well as feedback from users. In addition, buyers can view feedback in the forms of reviews and star ratings.

AlphaBayFeedback_edited
Seller ratings on AlphaBay.

The key takeaway for those unfamiliar with these cybercriminal markets is that it is not that different an experience from buying things via the normal web.

What’s for Sale on AlphaBay?

Being the most popular dark web market, AlphaBay offers nearly every type of item or service for sale. Drugs are the most common type of item — as is true of most markets. SurfWatch Labs doesn’t collect data on every listing, instead focusing mainly on cybercrime-related items. Of those, credentials trade is the top trending practice tag over the past 30 days.

2016-05-24_alphabay_practices
Although all types of items are for sale on AlphaBay, credentials trade is the top trending practice tag over the past month, according to SurfWatch Labs.

Credentials trade includes logins for various services and financial institutions. Those credentials can then be used for fraud, as a stepping stone for further attacks, or simply to use legitimate services such as Netflix or Uber for free. 

Specific items related to credential theft for sale the past few weeks include …

Credentials to access various credit card accounts or the information to answer associated security questions:

creditcardlogins.jpg

Credentials that can be bought in bulk such as this list of 10,000 German email addresses and passwords:

germanemail.jpg

Credentials for customer accounts at various restaurants and coffee shops, including some that have payment information connected to “auto-reload” the account whenever the balance gets low enough:

restaurants.jpg

Credentials for reward accounts from airlines and other retailers that can be redeemed for various goods and services:

rewardspoints.jpg

Credentials for hacked websites such as WordPress blogs:

wordpress.jpg

Full profiles — which include names, email, passwords, phone numbers, Social Security numbers, dates of birth and more — basically, everything needed to set up an account, apply for credit or perform other fraudulent actions:

fullz.jpg

And credentials for many, many more accounts.

Where do all of these stolen credentials come from? They come from data breaches, malware that captures keystrokes, phishing and, as we noted earlier this week, the problem of people continuing to reuse passwords across multiple sites, which allows automated tools to use those giant lists of previously stolen credentials to gain access to other sites.

Of course, AlphaBay offers a plethora of other items for sale unrelated to stolen credentials, and we’ll touch on some of those in the coming week’s as we examine the other dark web markets. Those top markets tend to change due to exit scams, security concerns or law enforcement actions, but for now AlphaBay remains the king of the underground.

Credential Theft and the Problem of Non-Breach ‘Breaches’

Earlier this month, news outlets across the country reported on the latest mammoth list of stolen credentials — 272 million in total.

“It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago,” Reuters reported.

Turns out, the total number of actual accounts affected is much, much less — a representative for Google put the total number of bogus Google accounts at 98% — however, the story does bring a crucial cybersecurity point back to the forefront: stolen credentials and the collateral damage they cause. Companies are continually finding themselves in the news for data breaches that aren’t really breaches at all.

For example, this year we’ve seen:

  • Spotify had a list of user credentials posted to Pastebin, leading to a spate of articles about the company “denying” a data breach. “Spotify has not been hacked and our user records are secure,” the company repeatedly told reporters and bloggers.
  • China’s online shopping site Tabao had hackers use a database of previously stolen usernames and passwords to try to access over 20 million active accounts. “Alibaba’s system was never breached,” a spokesperson noted.
  • Reddit recently had more than 100 subreddits defaced when a hacker went on a spree of taking over moderator accounts. The Register speculated that it was “possible the hacker is testing breached passwords against the accounts to pop weak or reused credentials.”

In nearly every case, along with the negative — and some may argue unfair — breach-related headlines, a spokesperson steps up to say the same thing: we weren’t breached and the theft is likely due to customers reusing credentials that were stolen elsewhere.

Verizon’s recent Data Breach Investigations Report highlighted the issue as well: 63% of confirmed data breaches involved weak, default or stolen passwords. The report authors noted, “The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works.”

As we repeatedly see, the reuse of stolen credentials puts many companies in the unfavorable position of having to deny a data breach happened — even as customer accounts are getting taken over.

Easy-to-Use Tools

Automated tools have made it easy for cybercriminals to take these massive lists of stolen credentials — such as the list of over 100 million LinkedIn credentials — and test those credentials against popular websites until they find cases of password reuse.

How often does that work? It varies depending on who you ask, but Shape Security recently wrote about its experience examining one of the popular tools used in these “credential stuffing” attacks.

“We have found that most combo lists have a 1% to 2% success rate, meaning that if an attacker purchases a list from a breach on site A (or a combination of site breaches) and then uses Sentry MBA (or another credential stuffing tool) with that list to attack site B, 1% to 2% of the usernames and passwords from site A will work on site B,” wrote Shape Security chief security scientist Xinran Wang.

One percent may not seem like much, but as Wang points out, if an attacker has a list of one million credentials, they may be able to hijack 10,000 accounts on any popular website using these readily available tools.

In some cases, this amounts to a massive number of fraudulent logins. According to Shape Security researchers, over a one week period last December, attackers made five million log-in attempts at the website of a Fortune 100 company using the Sentry MBA tool.

That’s why some of these recent legitimate breaches have been so widely criticized. The companies in question often are not taking into account the potential collateral damage.

Big Breaches and Collateral Damage

Last month security researcher Troy Hunt reported that over seven million user accounts for the Minecraft community “Lifeboat” were compromised. According to Motherboard, Lifeboat didn’t bother telling its users about the potential issue — and how it may affect other accounts with similar credentials.

“When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act,” said a Lifeboat representative, not clarifying to Motherboard when pressed why the company never informed its users. “We have not received any reports of anyone being damaged by this.”

But would they know if someone used those stolen credentials to log into someone’s email or social media or bank account?

Likewise, Brian Krebs recently criticized LinkedIn’s handling of its massive breach of user credentials. In 2012, LinkedIn discovered a data breach that it thought affected 6.5 million users. The company contacted those users to force a password reset. However, last week they discovered the breach actually impacted more than 117 accounts.

“Inexplicably, LinkedIn’s response to the most recent breach is to repeat the mistake it made with original breach, by once again forcing a password reset for only a subset of its users,” Krebs wrote.

“We did at the time what we thought was in the best interest of our member base as a whole, trying to balance security for those with passwords that were compromised while not disrupting the LinkedIn experience for those who didn’t appear impacted,” LinkedIn spokesman Hani Durzy said in an email to Krebs about the 2012 incident.

But what about the more than 100 million potentially compromised credentials that may have been used for years without users even being aware they may have been stolen?

Looking Forward

There will always be a subset of users that reuse credentials, and those users will always be at increased risk of their accounts being hijacked. Unfortunately for companies, their names are often associated with a data breach or a hack even if it is an event driven largely by a combination of other organizations’ breaches and bad password habits.

Implementing additional layers of security such as two-factor authentication can help protect those customers. Or organizations can follow the lead of proactive companies like Amazon, which recently reset some users passwords after finding a list of leaked credentials online.

“While the list was not Amazon-related, we know that many customers reuse their passwords on multiple websites,” Amazon wrote to impacted users. “Since we believe your email addresses and passwords were on the list, we have assigned a temporary password to your Amazon.com account out of an abundance of caution.”

Until organizations get more proactive or force users to implement more layers of security, with so many stolen credentials available to cybercriminals, expect organizations to continue to make negative headlines due to these “non-breach breaches.”

The Tribal CISO

Throughout my career I have been through more “Leadership” or “Managerial” training than I can remember, from the lead by example style when I was in the military to the corporate leadership (aka managerial) style that has more of a scientific approach. I have seen many styles come and go, and there are certainly no shortage of articles and trends that are published on a daily basis. Many times those of us who have been through the drill enough know what works and what doesn’t — in the words of Kenny Rogers when to hold them and when to fold them.

We tend to focus on the results we have achieved in the past with a given scenario, learning from our mistakes and ensuring we highlight successful efforts.  In my observations we tend to do the same thing when it comes to implementing various frameworks whether it’s ISO, NIST, CoBIT, FAIR, ITIL, CERT-RMM, Diamond Model or Octave. You name it there is certainly a framework for it. Some people pluck the goodness from multiple frameworks and create their own; others will kneel to the altar of the chosen framework and swear allegiance to it for all time.

Leadership and management styles or skills can be viewed in much the same manner as there is always an interesting conversation when you ask someone the difference between leadership versus management, leading versus directing, mentorship versus oversight. The most glaring difference, however, is that one styles “Leadership” as more of a social mechanism and “management” as more of tools for your toolbox.

James Altucher published an article on the 10 things he thinks you should know in order to become a great leader, and there is a section that particularly caught my eye. Specifically he states:

Below 30 people, an organization is a tribe. 70,000 years ago, if a tribe got bigger than 30 people there’s evidence it would split into two tribes. A tribe is like a family. With a family you learn personally who to trust and who not to trust. You learn to care for their individual problems. You know everything about the people in your tribe. At 30 people, a leader spends time with each person in the tribe and knows how to listen to their issues. From 30-150 people you might not know everyone. But you know OF everyone. You know you can trust Jill because Jack tells you can trust Jill and you trust Jack. After 150 people you can’t keep track of everyone. It’s impossible. But this is where humans split off from every other species.

We united with each other by telling stories. We told stories of nationalism, religion, sports, money, products, better, great, BEST! If two people believe in the same story they might be thousands of miles apart and total strangers but they still have a sense they can trust each other. A LEADER TELLS A VISIONARY STORY. We are delivering the best service because…. We are helping people in unique ways because…. We have the best designs because…. We treat people better because…. A good story, like any story ever told, starts with a problem, goes through the painful process of solving the problem, and has a solution that is better than anything ever seen before. First you listened to people, then you took care of people, but now you unite people under a vision they believe in and trust and bond with.

How does this relate to the CISO role or anything else for that matter?

In my humble opinion, this topic and where you fall in it will decide if you will build and/or operate a successful cybersecurity program. Over the years I have built and run multiple teams performing all kinds of functions and not just in the technology space, but also in the military, emergency response, heck, even running a kitchen staff when I was in high school, and — success or failure — it always felt “right.”

Here’s why. As Mr. Altucher defined so well, I have a tribal leadership style and as I think back in time as I write this I have set up my cybersecurity programs both past and present in the tribal manner, but never really defined it that way until now. In business terminology, in each instance upon walking through the door for a new organization I have always assessed the landscape of the cybersecurity products, services, programs and projects. Usually reorganizing employees and operations to be collaborative, efficient, and effective. However, in another view I was also organizing the cybersecurity program into multiple tribes.

These tribes sat together, supported one another, collaborated together, gave and received advice and supported each other’s decision. They received mentorship as well as the vision for the tribe on what mission success should look like.  I backup my tribes and they back me up, always seeking out facts and making sure everyone’s covered.

For those of you with military or police and fire types of background, you can certainly relate to what I am talking about. When you think about this concept and observe your own current corporate culture, are you tribal? Are the functional teams supporting one another, giving and receiving advice and collaborating freely? Are you backing your tribes up and are you backing them up?

If not here are some advisory tidbits I would recommend:

  1. View your leadership style through a social aspect. Treat your management style as tools for your tool box. Do not treat your tribes as tools.
  2. Do you differentiate between program and projects? Programs have outcomes and projects have outputs. I lead my tribes as a program and want a successful outcome. Therefore, my tribes don’t have milestones or deadlines; they have only mission success or not.
  3. Keep your tribes small and focused. I commonly use the term “high speed and low drag.” This supports organizational resilience. When you’re breached and need to pivot, this is the optimum way; empire building does not mean success.
  4. Do not build your tribes solely around a standard or framework. If you focus solely on industry standards or cybersecurity frameworks you will fail. Build your tribes based on outcomes and whatever means mission success in your organization. Do not try and build a tribe into columns, rows, and cells.
  5. Be willing to change. If you are in your workspace as you read this and as you survey the landscape around you it feels like a scene from the movie Office Space, you should reflect on that for a few minutes and maybe think about some ways to change it.
  6. Observe the below simple diagram:
    1. It is not a top down org chart; it is a tribal “system.”
    2. Each tribe would have its own products and services they would be responsible for as well as the mission goals and outcomes.
    3. From an operations standpoint you are leading an ecosystem with an environment that changes every day, hundreds of times a day. Define what “normal” looks like and observe and react when something “abnormal” occurs.

Tribal_CISO

Podcast: Hackers Get Hacked, SWIFT Attacks and a Ruling from the Supreme Court

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 70: Hackers Get Hacked, SWIFT Attacks and a Ruling from the Supreme Court:

The hacker forum Nulled.io was breached and the sensitive information of its members was made publicly available. SWIFT warned of more attacks against banks at the same time the Anonymous OpIcarus campaign hit more financial sector targets. LinkedIn discovered its 2012 breach was much bigger than previously thought. And a couple of researches upset OkCupid by publishing data on 70,000 of the dating site’s users. This week’s advisories included more developments in the cat-and-mouse game around the CryptXXX ransomware, an alert on an old SAP vulnerability, an Android banking Trojan and click-fraud botnet, and more PayPal phishing scams. This week also saw a highly anticipated Supreme court ruling on a privacy-related class action lawsuit, the continuation of financial institutions lawsuit against Home Depot, and a new lawsuit around a breach of W-2 information at aircraft maintenance company Haeco. A judge also ruled the FBI did not have disclose a vulnerability in the Firefox browser, and the U.S. saw its first conviction in the hack of newswires that generated $100 million in profit. Also, the LinkedIn breach revealed another round of terrible password habits.

Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.