So what bugs really bite at CISOs?

  1. Malware bugs
  2. Those Hacker buggers
  3. Their staff
  4. Or lack of staff
  5. State on state bugs

Actually, what really gets their goat is No. 2, the staff who continually mess everything up for them, and then No. 3, the lack of trained, skilled staff who know how to stop the stupid people screwing up their systems.

How do I know this? Because once a year Eskenzi PR organises the IT security analyst & CISO forum where we get a room full of very outspoken CISOs who really don’t hold back when it comes to sharing their thoughts, bug-bears and irritations with their peers.  A few select vendors are invited to hear from the community who buy their wares and we also fly in a dozen of the world’s top analysts who learn from these heated and honest exchanges.

Looking in from where I sit, I’d have thought they would be most worried about all the external threats tirelessly trying to get into their networks from every angle. However, these breaches and bugs are not what get these guys riled up; that’s par for the course – something they expect and can almost prepare for. What they all share is a real frustration that they can find the technology to prevent the breaches and bugs, but their users turn it all on its head with their stupidity – and it’s a problem that doesn’t seem to want to go away.

One comment I especially liked was “you can’t take the IdioT out of the user” – it’s what they do with the data that’s the biggest problem!  Another observation came from an impressive female CISO who said that 100% of computer crime involves people.  Obvious, but she’s right and it makes you think!

Okay – here’s the lesson: we must learn to respect the data we use on a daily basis. That means wherever it is and whenever we’re using it, we need to consider whether it is valuable and, if it falls into the wrong hands, what harm could it do to ourselves, the customer and of course the company?

However, one eminent venture capitalist who attended our event cited a recent Economist article that stated that stock prices are often unaffected by breaches, which starts to make me really confused – what’s it all about if you can suffer a major breach and then it doesn’t really affect the company –  why bother?  Maybe that’s why CISOs are so relaxed about external threats!

But it does cost money to sort out the mess that users make when they infect a system by opening an infected email or uploading infected data from a contaminated USB.

Apart from being hugely frustrated by their internal staff, a frustration definitely shared by all concerned, it seems that the second really big pain point is the lack of skilled people in IT security. There just isn’t the quality or quantity and, when you do find someone, they just don’t know how to communicate to get their message across. There was a common thread in the discussion: when they did find the right people with the right skills, those people then couldn’t fit in with the culture of the company. The big question is how do you turn geeks into people people in order to get the funds for IT security from the board? One very smart CISO (although, saying that, all the CISOs who attend our event are the smart ones who make a real effort in collaborating and pushing the boundaries) gets a digital agency to help with his messaging and visuals so that when he has that very small window of opportunity to talk to the board, they quickly get it!

They all believe that, in order to get things done in IT security, you’ve got to become a good communicator – which means investing in training to communicate well so you can be compelling and convincing.  You need to talk to the board in the language they understand and that goes for the users themselves.

Another smart suggestion to get skilled people to push the IT security message was from a CISO who had employed the CEO’s PA to come and work for him, as she knew exactly the culture of the company and how to get around everyone to get them to listen. She knew politically who to push and who to ask to get things done.  So employing internally and drawing talent from other parts of the company was definitely a method that had worked for this particular CISO.

Everyone thought that a framework of the right questions that the board should ask the CISOs was a good way to go, and badly needed.

I suppose the conclusion to the day was that no matter what happens out there, the CISO’s biggest concern is to keep their own houses in order; and that means training their staff to respect the data they deal with and getting them the right employees who know how to communicate to help them to do this.

Yvonne Eskenzi Yvonne@eskenzipr.com

We’re at a time where Cybersecurity is internationally one of the most important factors for individuals as well as companies alike. Yet data breaches are happening with a higher frequency and making headline news at an alarming pace; this makes our job incredibly exciting and allows us to provide media coverage for our clients at an exponential rate.

Recently, eBay – one of the largest online retailers worldwide – was the victim of a large scale data breach that came to light at the end of last week, revealing the credentials of around 233m users had been accessed. Although no financial information had been obtained by the hackers, information such as encrypted passwords, customer names, dates of birth, and contact details had been affected.
Our coverage highlights from the news included:

- The Telegraph (AppRiver, Voltage)
- The Guardian (AppRiver)
- Sky News (ESET, Tripwire)
- BBC News (ESET)
- ITV News (ESET, twice!)
- The Independent (Voltage)
- The Mirror (IT Security Guru)
- International Business Times (Tripwire)
- Yahoo Finance (Bromium)
- SC Magazine (ESET, AppRiver)
- IT Security Guru (ESET, Tripwire)
- V3 (Tripwire, Sestus, Voltage)
- Tech Week Europe (Voltage, Tripwire)
- CIR (AppRiver, Sestus)
- Techworld (Sestus)
- Nulzsec (ESET)
- Information Security Buzz (ESET)
- Security FAQs (ESET)

We’re thrilled that our clients are so cooperative and available for media opportunities such as these that move so rapidly. This has been a brilliant week and one that we’re happy to boast just a little about!

As I write this blog I can’t quite believe that for every week in the past 8 weeks Eskenzi has won a new client. However, as my mother just told me “I hope you haven’t mentioned this to anyone as you’ll sound ever so boastful!” Now isn’t that so typically English, and why can’t I shout from the rooftops about this achievement? It’s taken almost 20 years to get here and we are in PR after all, so who else is going to blow our trumpet if we don’t do it for ourselves!

It’s a weird old world running a PR business and I suppose for Neil and myself this sudden growth comes down to a change in attitude and circumstance. After 17 years of happily running a small boutique agency from our home, with 8 people trekking through our house every day it was our kids who finally suggested that it was time to move out and “leave home”.  Buying our huge warehouse in Barnet and renovating it before moving in exactly this same week last year I suppose was the turning point for our growth.  It’s given us 2,500sq ft of light, flexible creative space which we’ve been able to fill with the most wonderful people – now our staff can come and go like they never could when we worked from home plus we can employ interns, apprentices and really top notch people who can cut the mustard as we have the space to accommodate them.

Leaving the Infosecurity account was also one of the best things we’ve ever done after 17 long years of managing the PR – gosh, that’s been emancipating. It meant that for the first time this year Infosec was a joy – without the burden of trying to get 300 press into the press office and trying to appease 350 exhibitors, not to mention Reed themselves. Instead we opted to do our own PR around the show, including organising 145 press and analyst interviews for our clients, arranging a best practices workshop for the heads of marketing of all our clients, hosting a speed dating press lunch for 25 press and organising an Eskenzi party for 100 people including analysts, press, CISOs, bloggers and CEOs on the first night! Oh, and I almost forgot the IT Security Guru, headed by the wonderful Dan Raywood, which also meant making numerous videos, writing blogs and copy, and sponsoring B-Sides, all during Infosecurity too!

Reflecting on the last year, it’s been the best ever and I really can’t thank the most wonderful team we’ve ever had enough for making it so. That success is also most definitely down to the type of clients that we have on board, all of which are dynamic, fun, innovative and interesting. PR is very much a two way process, so we choose our clients carefully as much as it takes them to choose us – so to the 8 most recent clients to join Eskenzi, we welcome you on board and very much look forward to working with you and building your brands not only in the UK but, for many, in Germany, France and even in the US – welcome Alert Logic, Bromium, ESET, Pirean, Proofpoint, RedSeal, Sestus, Silent Circle. So enough trumpet blowing – the reality is it’s time to get down to some real work!

sorry, I don’t speak ….

Infosecurity is just a few days away and, as is traditional, at Eskenzi we’ve been ‘persuading’ journalists to meet with our IT experts. With that in mind, we thought it a good idea to draw up the rules of engagement to make sure you leave the right impression.

Here are our ‘top ten’ tips when getting ready to brief a journalist:

Rule 1: Decide what YOU want from the press briefing

There will be those that think briefing the press is purely about getting your words printed. While column inches are important, not every briefing will – nor should it – lead to immediate coverage. Infosecurity, and shows like it, are the perfect environment to meet with journalists and establish your position as a thought leader – so if that’s what you want from the briefing, make sure that’s what the journalist takes away from the discussion.

Rule 2: Read the briefing pack

If you’re meeting a journalist, and your agency has done its job well, you should have a lovely thick briefing document full of critical clues about the personalities you will meet. Take the time to digest this information and plan what you will tell the people you’re meeting. Knowing a bit about the journalist, and the readership they’re writing for, can save a lot of embarrassment when you’re sitting in front of them.

Rule 3: Don’t speak in tongues

While you might know what an AV is, how DDoS attacks work, what makes a succinct ACL, or even what IDS can tell you – the person across the table may not. Establish right at the start the level of understanding the journalist possesses and then use the appropriate language.

While on this point – avoid ‘buzzwords’. Everyone claims to have revolutionised something and levelled the playing field. Unless you’re planning a game of ‘cliché bingo’, let’s not talk about game changers.

Rule 4: Tailor your pitch

Remember to consider the audience the journalist is writing for and tell him things that will interest his readers. There’s no point telling The Telegraph why CISOs need to take a layered approach to enterprise security. Similarly, The Register isn’t going to thank you for filling him in on the features of an app that will track best before dates of food in a fridge and simplify the working person’s life.

Rule 5: Prepare your points

This leads me to the next point – decide what the key take-aways from each briefing are and make sure you get these across. Typically exhibitions are busy for all concerned, with each briefing only likely to last 30 minutes. Be realistic about what you can adequately cover in this timeframe. For example, rather than try and tell the journalist about 60 different threat variants in detail, explore ‘themes’ and determine which are of interest, with a view to arranging follow up interviews after the show.

Before we move on – and especially if you have any first briefings with a particular journalist, be prepared to open with a bit about your company and what it does. If you’ve never quite mastered your ‘elevator pitch’, now is the time. A 20 minute introduction isn’t going to leave a lot of time for anything else.

Rule 6: Ask what the journalist wants/needs from the briefing

This isn’t a one sided relationship as you both need to get something from the discussion. The journalist obviously has heard something about you that’s piqued their interest, so ask what it is and then make sure you cover it. It’s also good to end, or even start, the conversation by asking the journalist what stories they’re working on to see if any fit your area of expertise.

Rule 7: Don’t say anything you’re not prepared to read

While you can say something is ‘off the record’, you’re really leaving it to trust by divulging juicy gossip. And though I’d never say it to their face, there’s more than one journalist I wouldn’t trust alone with my grandma. If you don’t want to tell a journalist something, then don’t. If they try to draw you further on a subject that you’re uncomfortable with, politely decline. There’s no law that says you have to answer their questions.

Similarly, and even though it’s obvious I’m still going to say it, don’t say anything that could be considered defamatory about another person or organisation – unless you can 100% prove the statement. After all, no-one wants an expensive lawsuit.

Rule 8: If you don’t know about it, then don’t talk about it

If you’re asked a question and you either don’t understand it, or it’s a subject that you have little to no experience of, then say so. As in everyday life, there’s more respect for someone’s honesty about their limitations than for obvious blustering and the horrendous smell of BS.

Rule 9: Don’t Rant

There are a few journalists who court controversy and use an aggressive approach – don’t lose your cool. If it’s going really badly, end the conversation and walk away making sure you take your dignity with you.

While on this subject, every PR person I know has at least one experience of a hijacked briefing that’s been used as an opportunity to tell a journalist ‘what they think of them’. I strongly advise anyone and everyone against this approach. Not only can it ruin the agency’s relationship with the journalist, which they won’t thank you for, but it’s unlikely to be a successful tactic for building a strong working partnership in the future! If you don’t like them – don’t brief them.

Rule 10: Relax and have fun

Life’s too short – so enjoy the conversations but don’t get too stressed if it doesn’t quite go to plan. Tomorrow’s another day, next year’s another show, and guaranteed at some point in the future there’ll be the chance for another briefing.

Happy Infosec everyone.

- Dulcie McLerie -

This week saw the internet, Twitterverse and my inbox explode as the full scale of the Heartbleed flaw came to light.

It was on Tuesday morning when I first became aware of the issue and since then I have heard a mixed bag of thoughts on it, and had the chance to read varying stories that offer a combination of FUD, decent analysis and advice on changing passwords prematurely.

In case you took the week off, managed to avoid all the news and have been completely unaware of the story (it can be done), then Heartbleed, also known as the OpenSSL flaw or, to be completely technical, CVE-2014-0160, affects a website’s OpenSSL library, and the major threat is that many websites have deployed this in their login process. This means that if the software is vulnerable, so is your login, and therefore if an attacker has exploited the flaw, they could have captured your login details.

According to a blog by Zscaler’s Michael Sutton: “Heartbleed impacts the most common implementation of SSL/TLS (OpenSSL), which is used on the majority of web servers. In fact, according to Netcraft, in April 2014, Apache and nginx, two of the most popular web servers that both include vulnerable Open SSL implementations, account for 66 per cent of active web servers.”

Advice began to flow in, advising users to change their passwords. However, the stance we took on IT Security Guru was that this was premature while the flaw was still present, as the new password users have securely crafted and remembered could be intercepted too.

As for who is affected, the company names roll off like a who’s who in technology: Cisco, Juniper, BlackBerry, Apple, Google and Facebook. There is a full list at mashable.

Does it seem like a big deal? Depends on who you listen to. Security expert Bruce Schneier called it a “catastrophic bug” and “on the scale of 1 to 10, this is an 11”, TK Keanini, CTO of Lancope, said: “This is one of the most major vulnerabilities to happen this year and it will be with us for quite some time as everyone who is vulnerable will need to remediate”, while Edward Felten, a computer security expert at Princeton University, told the New York Times that “Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security.”

One of the areas that interested me was the impact upon open source software. Philip Lieberman, CEO of Lieberman Software, called it “really serious and a big blow to the credibility of open source”, while Mark Brown, director of information security at EY, said: “This vulnerability is a major blow for security on the internet and for open source development. The idea behind open source is that issues like these are resolved by the developer community at an early stage. A bug like this should never have got this far and it fundamentally undermines trust in the system.”

The story has achieved huge amounts of press attention, not just from the technical press, but from the nationals around the world. Perhaps one of the most interesting was in the Sydney Morning Herald, who managed to speak to Robin Seggelmann, who was outed as the man whose coding mistake left servers vulnerable.

He said the bug was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago, “so the error made its way from the development branch into the released version.”

So we know roughly how many are impacted, and there are reports that the flaw is being exploited, with national CERTs issuing advice on it, while rumours have also circulated that phishing messages regarding it have been detected. Not really surprising when legitimate emails are appearing that encourage users to change their passwords.

Dr. Mike Lloyd, CTO of RedSeal, said that vulnerabilities “are nothing new” and while security teams everywhere are scrambling, “some scrambles are more significant than others”. He said: “All these questions are hard to answer when you’re already in crisis. What you need is automation – not just vulnerability scanning (which can find those unpatched machines), but also a pre-built map, and a way to automate and speed up the query for ‘Where are these machines suffering from Heartbleed, and what are they exposed to?’ Wise organisations plan for this – we know it’s going to happen again.”

Toyin Adelakun from Sestus advises users, if possible, not to log in to any online accounts until they are sure the service provider is no longer vulnerable. It doesn’t help to change passwords either, because if the service provider is still vulnerable, your credentials could still be leaked. (If you feel you have to log in before receiving the all-clear, the only logical risk-containment strategy would be to change passwords frequently — perhaps after each use!) GoDaddy and BitCoin are supposedly still in the process of patching. Facebook, DropBox, Gmail and Yahoo claim to have fixed the vulnerability. Apple, Amazon, Ebay, Hotmail and LinkedIn claim not to have had the vulnerability in the first place.

For the future, a blog by Trustwave said that as this has been present for two years, it’s likely that sophisticated attackers have identified the bug and widely exploited it. “Organisations will be hard pressed, if not unable, to glean whether their SSL certificate is compromised until an attacker is caught performing a man-in-the-middle attack,” said John Miller, security research manager at Trustwave. “Every server that is or was vulnerable to the Heartbleed attack is potentially compromised. As a result, certificate owners must act to protect their users and their reputations.”

So what can you do to protect yourself? I’d suggest looking at the great website built by Codenomicon, who discovered the flaw, reading the excellent analysis by Australian researcher Troy Hunt and changing your password, once you have figured out that the website has been fixed.

If you are managing servers, take the time to apply fixes and get yourself secure again. Of course if you really want to make a difference, why not make a donation to the OpenSSL foundation, and make sure things like this do not get repeated.
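The server-side advice above, and Mike Lloyd’s point about answering “where are these machines and what are they exposed to?” from a pre-built map, can be turned into a small triage script. The example below is added here and is not code from the post, from RedSeal or from OpenSSL; the inventory is constructed, the vulnerable range (upstream OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) is stated as a known fact about CVE-2014-0160, and the version-string check is only a first pass, because distributions backported the fix without changing the upstream letter.

```python
"""Heartbleed (CVE-2014-0160) triage over a host inventory: which hosts still report a
1.0.1 through 1.0.1f OpenSSL, and which of those terminate TLS on the internet?"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fact: upstream OpenSSL 1.0.1 .. 1.0.1f are affected; 1.0.1g fixed it, and the 1.0.0
# and 0.9.8 branches never contained the affected heartbeat code.
FIXED_PATCH_LETTER = "g"

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse an 'openssl version' banner such as 'OpenSSL 1.0.1e 11 Feb 2013' into
    (major, minor, fix, letter); the letter is '' for a plain x.y.z release."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def upstream_version_vulnerable(banner: str) -> bool:
    """Heuristic from the upstream version string only. Distro builds (e.g. a patched
    Debian 1.0.1e package) keep the old letter, so True means 'confirm this host',
    not 'confirmed vulnerable'; False for unparseable banners so they are not hidden
    behind a wrong answer (handle them separately)."""
    v = parse_openssl_version(banner)
    if v is None:
        return False
    major, minor, fix, letter = v
    if (major, minor, fix) == (1, 0, 1):
        return letter < FIXED_PATCH_LETTER   # '' (plain 1.0.1) through 'f'
    return False


@dataclass(frozen=True)
class Host:
    name: str
    openssl_banner: str
    tls_ports: Tuple[int, ...]   # ports where this OpenSSL terminates TLS
    internet_facing: bool        # from the network map, not from the host itself


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY: List[Host] = [
    Host("www-1", "OpenSSL 1.0.1e 11 Feb 2013", (443,), True),
    Host("www-2", "OpenSSL 1.0.1g 7 Apr 2014", (443,), True),
    Host("vpn-1", "OpenSSL 1.0.1c 10 May 2012", (443, 8443), True),
    Host("db-1", "OpenSSL 1.0.1e 11 Feb 2013", (), False),
    Host("legacy-1", "OpenSSL 0.9.8y 5 Feb 2013", (443,), True),
    Host("build-1", "OpenSSL 1.0.1f 6 Jan 2014", (8443,), False),
]


def triage(hosts: List[Host]) -> List[Tuple[str, int, Tuple[int, ...]]]:
    """Return (host, priority, tls_ports) for every host flagged by the version check,
    highest priority first: 1 = internet-facing TLS listener (patch, re-key, re-issue
    the certificate), 2 = internal TLS listener, 3 = library present but no TLS
    service (patch in the normal cycle)."""
    findings = []
    for h in hosts:
        if not upstream_version_vulnerable(h.openssl_banner):
            continue
        if h.tls_ports and h.internet_facing:
            priority = 1
        elif h.tls_ports:
            priority = 2
        else:
            priority = 3
        findings.append((h.name, priority, h.tls_ports))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for name, prio, ports in triage(INVENTORY):
        print(f"P{prio} {name:10s} TLS on {list(ports) or 'no listener'}")
```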

Dan Raywood is editor of The IT Security Guru

With information security making headline news more than ever before, we have seen an increase in the quantity and quality of coverage for our clients. With over 1200 clippings this quarter (and counting), publications we have featured in include:

  • Reuters
  • The Guardian
  • The FT
  • BBC
  • The Daily Mail
  • The Observer
  • The Telegraph
  • The Register
  • SC Magazine

It’s safe to say it’s an exciting time to be in the industry – and we’re looking forward to what the next quarter brings!

The seventh IT Security Analyst & CISO Forum will take place in London in June. The event is available to just 10 vendors and gives you a unique opportunity to brief most of the world’s top IT Security analysts on how you differ from your competitors, your product roadmap and to explain why you’re a leader in your space.

Thirteen analysts attend the event, but you get to choose which of these you’d like to brief.  The analyst meetings happen all on day one.

The second day is based around the CISO roundtable, which has grown in popularity amongst the CISO community, with many attending year after year and now bringing their CISO colleagues as they find it so fruitful.  During this day, you get to join in their roundtable discussion and you choose who you’d like to sit with at the roundtable lunch.

The event is limited to just 10 IT security vendors; however there are 2 places still available so if you would like to attend please give Yvonne a call on 0207 183 2832.

We are delighted to report that the IT Security Guru has gotten off to a flying start. With Dan Raywood at the helm, we have had a new Guru every day sharing their opinion and insight, plenty of videos and all the latest breaking news. Twitter followers are up by 335% and content is flooding in – but the growth doesn’t stop here! We have a couple of new features coming up on the site.

A to Z of the Infosecurity community

The IT Security Guru was built to be the site for our community – and what community doesn’t have an address book? We are putting together the A to Z of who’s who in the IT security community – the major players, who their competitors are and what products they have to offer. If you would like your company featured, please email editor@itsecurityguru.org for a submission form with all the details.

Product reviews

And finally, the site wouldn’t be complete without reviews, so we have teamed up with the UK’s top IT security reviewer Dave Mitchell to provide honest, impartial reviews on IT Security Guru. The package will include a 600-1000 word review with images/logo and a PDF version that you can use for marketing purposes. We will offer these initially at a low introductory rate, so please get in touch for more details.

This month sees one of Eskenzi’s longest standing clients, Varonis Systems, achieve the most successful IPO of the year in the big data arena. So a huge congratulations to our dear friends at Varonis.

The unstructured data specialist’s shares soared after making its public trading debut, with investors snapping them up in their droves. The shares rocketed as much as 91% to $42.02 in midday trading, after its 4.8 million shares were originally priced at $22 a share.

A number of tech companies have boasted highly successful initial public offerings in recent months. Twitter Inc. shares surged 73% from their IPO price in the first day of trading, while cybersecurity firm FireEye Inc. climbed 80%.

According to data from Dealogic, Varonis’ high would place it fourth in the technology sector among one-day increases for U.S.-listed IPOs since the beginning of 2013.

The Mail on Sunday this past weekend saw an anonymous whistleblower hand a journalist a memory stick with the personal data of 2,000 Barclays customers, saying information on a further 25,000 was also available.  

It has the security industry conflicted on where the responsibility ultimately lies, with many arguing that Barclays should be liable and pay large fines. However, others such as Dominique (DK) Karg, chief hacking officer for AlienVault, commend Barclays for not burying its head in the sand and actually thanking the Mail on Sunday for bringing the leak to its attention. He said:

“… it all comes down to organisations sharing this kind of intelligence openly so that others can learn from it. At this point, the damage to Barclays image is huge, but in this case, it is clearly the work of one or two people that had legitimate access to the data. What the authorities need to do is go for these guys and make an example of these malicious insiders.”

And I tend to agree.  All Barclays can do now is go back and launch a full investigation and take the appropriate steps after the fact.  I think the point is that people will always be the weakest link in an organisation’s security.  Without a doubt,  it is a slippery slope when we start losing the ability to make individuals accountable for their own actions – it’s all too easy to put blame squarely on an organisation. 

- Beth