Posts Tagged With ‘Google’

Global CISO Forum Announced in Wake of LinkedIn Breach

EC-Council is launching the Global CISO Forum to address the increasing demands faced by top-level information security executives. The IS landscape has never been so fraught with attacks as evidenced by the recent LinkedIn password fiasco or by Google sending warnings of state-sponsored attacks to gmail account holders. The Forum, which will take place in conjunction with EC-Council’s premier IS conference, Hacker Halted, will focus on bringing together CISOs from around the world to discuss how the constantly changing security challenges affect the day-to-day lives of CISOs from the largest and most prestigious organizations. A few of the topics to be discussed will include integrating wargames into security strategies, recruiting, training, and managing superior security teams; data loss prevention; as well as internally branding and integrating a security program while aligning it with business objectives.

The diversity of topics that will be covered hint at the breadth of issues with which an average CISO must contend in order to succeed at keeping their organizations’ data safe. “The cybersecurity war is becoming more complicated by the day.” says Jay Bavisi, President of EC-Council. Mr. Bavisi went on to say, “EC-Council’s Global CISO Forum is an event that aims to bring together the world’s best and brightest CISOs to unite against the hackers and share information.”

One reason for continued breaches, according to the recent Wisegate report, could be the changing role CISOs are playing within their organizations. The report documents how CISOs are now more than ever being charged with an ever-expanding suite of responsibilities ranging from managing the conflicts that arise from the differing goals of IS and business development, to developing privacy policies and disaster recovery plans. The Global CISO Forum aims to address these challenges, partly through formal panel-based discussions, but also by bringing together the top minds in the CISO world and encouraging an atmosphere of best practice sharing.

One aspect of the fight for information security that’s long been observed in the industry is the tendency for “the bad guys” to do a better job of information sharing than the guardians of the world’s information. According to Dave Cullinane, CISO at eBay, “Continuous process improvement is happening on the dark side. Our adversary is sharing information quite effectively. We are not. We must begin immediately to do so – and do it far more effectively than ever before. We need to shift the balance of power back to the Good Guys.”

For more information and inclusion in the Forum, interested CISOs can apply to attend here:

Read the full story at

To read more please click HERE

CISOs To Huddle In Wake Of LinkedIn Breach, Gmail Warnings

The EC-Council invites security chiefs to get together before Halloween and decide how to bedevil their adversaries.

The EC-Council, the body behind the Certified Ethical Hacker certification, will convene a Global CISO Forum in Miami on Oct. 29 and 30, open only to a limited number of senior information security executives, to discuss a security landscape that is increasing in complexity and alarming Internet users. Apparently, when attackers start ripping off and decrypting large caches of LinkedIn’s hash-encrypted passwords and state-sponsored attacks are a big enough threat to Gmail users that Google has to issue warnings, it’s time for the world’s CISOs to huddle.

The summit, scheduled in conjunction with the EC-Council’s IS conference, Hacker Halted, will gather CISOs from the world’s “largest and most prestigious” enterprises to talk about how these types of extreme events affect their companies and what to do about it.

But what can a forum like this do to prevent data breaches? For one thing, it provides a venue for the exchange of ideas and information. For a long time, attackers have been well-organized and shared information freely. “But due to proprietary, governmental and other borders, we guardians of information do not share information as well as they do,” says Amber Williams, manager of strategic initiatives at the EC-Council. “This forum is designed to promote exchange of ideas and discussion, with six to seven experts per panel topic who will elicit a lot of responses from the audience as they go along.”

That’s all well and good, but, according to Danny Lieberman, CTO of Software Associates, most CISOs and infosec professionals already know what needs to be done for appropriate security countermeasures. For example, encryption is a cornerstone of securing data at rest, and our latest InformationWeek Strategic Security Survey recommendation list includes better vetting of service providers.

The problem is getting the CEO to agree.

While the EC-Council’s Hacker Halted events see increasing attendance year on year, says Williams, the council is capping attendance for the Global CISO Forum at 200. The goal is to make high-level executives feel free to talk about not just best practices but the struggles they have had without fear of hurting their brands, she says.

You know the EC-Council is getting serious when it talks about “integrating war games into security strategies.” Other topics of discussion planned for the summit include recruiting, training, and managing superior security teams; data loss prevention; and internally branding and integrating a security program while aligning it with business objectives. In fact, the EC-Council says one reason for continued breaches is the conflicts that arise from the differing goals of security and business development teams. The forum intends to address this issue and others not only through panels but also by encouraging an atmosphere of best-practice sharing.

It’s great that the EC-Council and CISOs are on fire about this. But it’s also clear that without approval from the CEO, anything with a price tag that doesn’t have demonstrated business value will go nowhere. That is why CISOs should pay special attention to the part about aligning with business objectives.

What CISOs should really be asking at this forum, says Lieberman, is how their peers develop a real business case to present to the CEO. How do I put together a threat model and evaluate the risk? How do I get the CFO on board before I go to the CEO?

Lieberman illustrates a sample exchange, where the CISO is prepared to say to the CEO, “There is X percent chance someone will steal our company’s intellectual property. I have put together a team to evaluate the risk, and that is its finding. It will cost $20 million if this IP theft occurs. I need a couple more employees and $1 million to buy hardware and software to protect that $20 million worth of IP.”

Better yet, have the CFO on the team that helped put together this analysis, something the EC-Council plans to address. “Because we are inviting mostly C-levels, they will report to a board or another C-level executive,” says Williams. “Part of what we want to share is how to brand a security program internally and sell it to the board, C-level executives, and the whole company. And in the case of governments, sell it to the many layers of government workers.”

Another concern for many security chiefs, says Alan Shimel, managing partner at The CISO Group, is the changing nature of the threat. Many CISOs at work today came into that role during a time when financial fraud and cybercrime were the motives for attacks, says Shimel. “Now we have hacktivists and people who are financially motivated, but instead of looking for personally identifiable information, they’re looking for intellectual property,” he says. “Due to these different motives, hackers use different attack vectors.”

Announced speakers for the event include Eddie Schwartz, CISO for RSA; Joe Albaugh, CISO at the Federal Aviation Administration; Ron Baklarz, CISO at Amtrak; and Richard T. Rushing, CISO for Motorola Mobility.

To read more please click HERE

Mobile Security at TakeDownCon: Hackers Handing Out a Healthy Dose of Paranoia”

Smartphones are mini-computers packed with financial and personal info, but even though folks can use their mobile devices for everything from paying bills to GPS, it’s a bit confusing when wondering why folks don’t consider mobile security. To ignore the need for mobile security is a bit like choosing to run a computer without any regard to security precautions. Not wise at all. Even without any malicious intent by app developers, many are not concerned about security; their apps may ask for overreaching access permissions.

Mobile and wireless security news is pouring out of TakeDownCon in Las Vegas. During the keynote presentation, Moxie Marlinspike said “mobile malware detection should be done by the app stores” and “Google has done the absolute bare minimum to secure the Android platform.” Marlinspike tweeted, “Half way through my talk at TakeDownCon this morning, I realized it included some minor Android 0day we hadn’t reported.”  Read more…