Insights For Success

Strategy, Innovation, Leadership and Security

CISOs are stressed and I can prove it

GeneralEdward Kiledjian
face-1013520.jpg

Not a week goes by without some data breach, leak, hack, attack or other significant cybersecurity failures that spills all over blogs and even national media.

Five years ago, only avant-garde companies invested in cybersecurity; today, it has become a must. Companies realize the importance of a solid cybersecurity plan built on the People, Process and Technology pillars. One topic rarely discussed by corporate executives or security leaders is the incredible (and growing) stress the current environment inflicts on CISOs.

hooded-man-2580085.jpg

The stress is real

Stress is a normal way of life for most executives, but CISOs feel an acute level. Nominet's report, in collaboration with Vanson Bourne, The CISO Stress Report - Life Inside the Perimeter: One yes on", was the first quantification of this systemic issue.

In 2019, Nominet and Vanson Bourne conducted 800 online interviews in the USA and U.K (400 C-Suite and 400 CISOs). The included CISOs worked for both public and private corporates with at least 3,000 employees. They were quizzed about work-related stress and its effect on their professional & personal lives.

88 percent of CISOs consider themselves under moderate or high levels of stress

digital-marketing-1725340.jpg

Some Interesting conclusions

  • 7 out of 10 CISOs agree their work-life balance is too heavily weighted towards work (71%)

  • Almost all CISOs are working beyond their contracted hours, on average by 10 hours per week (95%)

  • This equates to extra time worth $30,319 per annum

  • 87% of CISOs say that working additional hours was expected by their organization, while 78% of board members admitted this to be the case

  • 83% of CISOs spend at least half of their evenings and weekends thinking about work

  • Only 2% say they are able to switch off once they’ve left the office

  • Over a third have failed to take all entitled annual leave

  • 45% have missed family milestones or activities

More about the stress

The average tenure of a CISO is 26 months, and many believe stress is the primary motivator of change.

CISOs reported missing important family events such as birthdays, vacations, weddings and even funerals. Even with all the stress and extra working hours, most CISOs aren't taking their full annual leave (or sick days, time off for medical & dental appointments, etc.)

Stuart Reed, vice president at Nominet, suggested that the stress and wear & team on CISOs result from a combination of internal and external factors. The external factors are the headlines your read about, while the internal stresses are the pressure from executives expecting CISOs to "properly" handle these incidents and to provide updates & answers continually.

darts-102919.jpg

What are the most stress inducing elements?

  • 44% being responsible for securing the organization and preventing breaches

  • 40% the need to stay ahead of threat intelligence

  • 39% the long hours worked

  • 65% of those surveyed had suffered a breach in the past 12 months

  • 37% of CISOs consider themselves ultimately % responsible for a breach while 31% of board members agree

  • A fifth of CISOs believe they would be fired as a result, regardless of whether or not they themselves were responsible

leaf-1082118.jpg

What are the effects of the stress?

  • Nearly half of CISOs said the levels of stress they are under has impacted their mental health (48%)

  • 35% also reported that their stress had impacted their physical health

  • 4 out of 10 CISOs said that their stress levels had affected relationships with their partners or children

  • 31% said the stress affected their ability to fully perform at their job

pencil-2878764.jpg

How are CISOs coping with the stress?

  • A quarter of CISOs are turning to medication or alcohol to manage their stress - an increase from 17% a year ago

  • A fifth have taken a leave of absence due to stress (21%)

  • 21% believed there to be no support structures in place within their organization to help deal with stress, while 94% of board members suggest there are

  • 9 out of 10 CISOs would take a pay cut to improve their work-life balance; on average 7.76%, equating to $9,642

grass-455753.jpg

The silver lining

The report suggests that boards of directors are aware of the stress affecting their CISOs (74% of respondents believe that moderate or severe stress impacts their CISO).

As the board of directors and CIOs acknowledge this significant issue, they show more willingness to hire support staff to alleviate some of the stress elements. Ensuring the CISO is surrounded by skilled senior professionals can help alleviate many of the most aggravating elements. These supporting professionals must be experienced security technicians and have strong business acumen, strong interpersonal skills and the ability to work in teams or alone.

Another important stress reliever is ensuring the CISO can honestly share the state of their cyber universe with the executive leadership team to ensure decision-makers universally understand risks and provide executive support to the CISO (guidance and funding). The CISO must know he/she is not alone.

Cybersecurity is growing in importance and, for many organizations, has become the price of entry. Executives have started to understand this important fundamental truth and are now more willing to share the cybersecurity burden.

Conclusion

I built my first security business (a Canada wide security practice) that was later sold to Bell Canada in the early 2000’s and have been actively involved in cybersecurity since. Over the last 20+ years, I have seen the importance of security grow and this has required the creation of the CISO role.

Unfortunately I see too many CISOs that have been promoted to their level of incompetence (read about Peter’s principle here). The job is difficult enough for the professional with the right skills but is deadly for the wrong professional promoted as a reward (not because of merit).

Companies should perform an honest review of their CISOs competence and abilities. Thrusting the wrong person into this role is a disservice to the candidate.

Additionally it is important to realize that most security certifications tackle the technical skills. These are important but form less than 40% of the CISO’s true day to day responsibilities. The key skills (negotiation, strategic vision, budgeting, people management, etc) are completely ignored in most of the certifications companies deem “required” when posting a CISO job. HR leaders must quickly understand the new realities of the CISO role and craft job descriptions akin to that of a business executive leader than a manager for firewalls. This realization is important because a properly skilled CISO will handle the stress much better and therefore will deliver a much higher return on investment for the company.

HR leaders must learn to hire the right candidate for the CISO position

How to access tor sites without the tor browser

GeneralEdward Kiledjian

The last couple of articles I wrote referred readers to TOR (darknet/darkweb) sites. These sites are easy to identify because the terminating marker is .onion (instead of .com/.net/org).

The right way of accessing TOR sites is with the secure TOR browser designed and distributed by the TOR project. This purpose-built browser uses a hardened firefox to deliver maximum anonymity while browsing the "normal" web or tor sites.

There may be times when you are on a device that doesn't have the TOR browser and when speed is more important than privacy or security. In these situations, web-based services allow you to browse these tor (.onion) sites from a standard browser. That is the purpose of this blog article.

The following sites are web services that will allow you to access tor sites without using the tor browser (using a normal browser like Chrome, Firefox or Safari).

These services are called TOR gateways or TOR proxies. the TOR2WEB project was designed to allow users to access all onion services without using the TOR browser. The project site is here.

Remember that using these gateways means the gateway operator can see where you are going, and you lose all privacy and anonymity features of TOR.

To use use TOR2WEB gateways

Using most sites is very simple, you take your TOR address

Screen Shot 2021-03-06 at 5.47.52 PM.png

Here is the secushare onion service at http://secushare.cheettyiapsyciew.onion/

you append the gateways domain name to the end of the onion address. As an example, if you want to use the gateway called onion.ws you simply add .ws at the end of the URL like this

Screen Shot 2021-03-06 at 5.49.45 PM.png

http://secushare.cheettyiapsyciew.onion.ws

Some rare ones require you to remove the .onion at the end and replace it with their gateway url (e.g. like darkness.to) the above address would need to be

Screen Shot 2021-03-06 at 5.50.37 PM.png

http://secushare.cheettyiapsyciew.darknet.to

List of TOR2Web gateways

Be aware as free services, many of these sites are flaky and will periodically be down. Try another one or try later.

If you visit the main domain with your browser, most will provide instructions (in case you forget how to use them)

Screen Shot 2021-03-06 at 5.51.24 PM.png

New sites pop up everyday so if these sites don’t work for you, just search for tor2web gateway in your favourite search engine (startpage.com, duck.com, etc)

Warning

I mention above to only use these services when security and privacy aren’t a concern. You may be wondering why. Here is a list

Session leakage

This is the same risk you experience when using any VPN service. Because the service is the one routing you to your final destination, they see everywhere you go and everything you see. A malicious operator can log and record your entire session with all traffic send back and form (between you and the TOR service). Never enter login credentials (or anything personal) when using these gateways.

Service enumeration

When using the TOR browser with long random TOR URLs, your browsing is relatively private. When using these gateways, you are on the “normal” web and any dns server used by your browser will see the URL you are visiting (e.g. http://secushare.cheettyiapsyciew.darknet.to)

Assume any DNS in your configured DNS chain or the providers chain will know what URL you are trying to resolve through your TOR gateway service.

User correlation

When using these gateways, the gateway operator can log all of your publicly available user identifiers (IP address, browser, OS, fingerprint, etc) and then log that you visited X tor site.

Conclusion

Although these gateways aren’t considered secure, there is a use case for them and it is another tool in your online tools arsenal. If you use them knowing their limitations, you will be fine and they could save you a lot of frustration.

Popular Ransomware Darknet showcase websites

GeneralEdward Kiledjian
ransomware-5231739.jpg

The recent explosion of breaches by the CL0P Ransomware gang has renewed an interest in the darkweb showcase sites used by these threat actors to prove that they successfully broken into a company and to encourage victims to pay, Many have asked me to share some of these site and I was always hesitant. I recently learned that some “consultants” are charging customers to provide these publicly available links, which is wrong.

Most of these are on the TOR darkweb so you will have to use a TOR browser or VPN that bridges to TOR.


Mobikwik Indian data leak

mobikwikoonux37wauz6oqymshuvebj5u763rutlogc2fb2o3ugcazid.onion

Screen Shot 2021-03-30 at 9.05.08 AM.png


Cl0p ransomware gang

http://ekbgzchl6x2ias37.onion/

Screen Shot 2021-03-04 at 3.22.54 PM.png

DopplePaymer

http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion/

Screen Shot 2021-03-04 at 3.24.22 PM.png

AKO group

http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion/

Screen Shot 2021-03-04 at 3.26.22 PM.png

Ragnar Locker

p6o7m73ujalhgkiv.onion

Screen Shot 2021-03-04 at 3.28.18 PM.png

Nefilim Group

hxt254aygrsziejn.onion

Screen Shot 2021-03-04 at 3.29.38 PM.png

Avaddon Ransomware

http://avaddongun7rngel.onion/

Screen Shot 2021-03-04 at 3.42.55 PM.png

Darkside Group

darksidedxcftmqa.onion or darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion

Screen Shot 2021-03-04 at 3.44.31 PM.png

Suncrypt

nbzzb6sa6xuura2z.onion

Screen Shot 2021-03-04 at 3.46.55 PM.png

REvil Ransomware

http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/

Screen Shot 2021-03-04 at 3.51.43 PM.png

Mount Locker

http://mountnewsokhwilx.onion/

Screen Shot 2021-03-04 at 3.57.10 PM.png

Pay2Key Leaks

pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion

Screen Shot 2021-03-04 at 4.04.45 PM.png

Lockbit Ransomware

http://lockbitkodidilol.onion/

Screen Shot 2021-03-04 at 4.12.47 PM.png

Ragnarok Leaks

wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion

Screen Shot 2021-03-04 at 4.15.37 PM.png

The Cl0P Ransomware Darknet showcase

GeneralEdward Kiledjian
ransomware-2321665_1920.png

There are hundreds of write-ups about the CL0P Ransomware and the grand behind it. They came back into the spotlight recently claiming to have exploited the Accellion FTA (old file transfer service) and thus customers running unpatched version of the Accellion product.

Over the last couple of weeks, more “leaks” have come out claiming many more companies have been breached through this vulnerability and then infected with the Cl0p ransomware.

Many have asked if I knew where (on the Darknet, aka TOR network) the CL0P gang is publishing the list of infected companies. the answer is yes : http://ekbgzchl6x2ias37.onion/

Screen Shot 2021-03-03 at 1.05.36 PM.png

Now a word of caution. We aren’t certain who created this site. We don’t know if data on the site is actual CL0P infected organizations or simply someone that found the leaks and is claiming they are infected.

My research leads me to believe that the CL0P group is behind this TOR site and that the data on it is indicative of infected organizations.

If you click on Canadian Bombardier, you get this page with some data provided as proof.

Screen Shot 2021-03-03 at 1.08.20 PM.png

Here is a sample of the “proof” they provide for Bombardier

Screen Shot 2021-03-03 at 1.09.41 PM.png

The moral of the story is that there are bad people our there that want to profit from the misery of others. These threat actors are getting more creative and have improved marketing skills trying to “encourage” victims to pay up.

Hire a good CISO and invest in your security program.

How to limit software exploits on your iPhone

GeneralEdward Kiledjian
camera-1842202.jpg

Security and usability are contradictory forces. Ultimate usability means less security and ultimate security mean less usability. It is a fine balancing act tat every user must perform themselves.

The iPhone is a well designed and fairly safe device out of the box but there are some settings you can change to reduce your odds of getting attacked. Each setting that you change will make your device a bit more secure but will limit a useful functionality.

This article will walk you through some of the settings that will reduce your susceptibility to software exploitation.

Install patches

Your iPhone should be configured (out of the box) to periodically download software and OS patches but you should check manually every day (to ensure you get the patches as quickly as possible)..

Don’t open that attachment or that link

Although the iPhone has a very mature and sophisticated security model (including sandboxing), we have seen advanced threat actors use zero-day attacks sold by vulnerability merchants to attack freedom fighters, journalists and other people of interest.

Like on a traditional computer:

  • never open an attachment from an unknown person

  • never open an unexpected attachment from a known contact

  • never click through on a link (SMS, Whatsapp, Telegram, Twitter, Facebook, Instagram, etc) from an unknown person

  • never click through on a link from a known contact but an unexpected message

Reboot your device

We have seen many sophisticated and advanced attacks performed against iOS devices that leverage unknown (therefore unpatched) vulnerabilities but many of them are not persistent. This means that the attacker has to re-compromise your phone if they want control, after a reboot. Think of the reboot as a cleanse or detox.

This has become a standard ritual for me and I regularly restart my phone throughout the day.

Pay attention to the dots

Apple has implemented an ingenious feature to quickly show you if an app is using your camera or your microphone. When in use, an orange or green dot will appear on your top menu bar next to the battery indicator.

Untitled.png

An orange indicator means the microphone is being used by an app on your iPhone. Remember that if you are legitimately using this for features like Siri, it is normal that this will show up but it should disappear when you are done or it means something is still listening in (legitimate or not).

A green indicator means either the camera or the camera and the microphone are being used

If you swipe Control Center open, on the top, it will show you the last app that triggered the microphone or the camera

IMG_2967.jpeg

Disable Airdrop

IMG_2987.jpeg

Airdrop is an Apple technology that allows you to quickly and easily share content (files, videos, music, links, etc) between IOS and macOS devices. AirDrop itself could have vulnerabilities that could allow an attacker to send a malicious attack file to your device without your knowledge or they can perform social engineering attack to trick you to click on a malicious file.

  1. Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center

  2. 3d touch or long-press the network settings card (in the upper left-hand corner, then click on AirDrop)

  3. Choose Receiving Off to disable AirDrop

Disable Bluetooth

IMG_2988.jpeg

Bluetooth has had many easily exploitable vulnerabilities in the past. Although Apple quickly patches vulnerabilities, there may be unknown vulnerabilities being sold by vulnerability merchants to threat actors or nation-state attackers. Additionally many organizations (from law enforcement to shopping mall managers) are known to track users with their Bluetooth ID.

If you are not actively using Bluetooth (aka connected to headphones for example) then you should consider disabling it. Disabling it will cut off the connection between your phone and Apple Watch (until you turn it on again).

  1. Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center

  2. Click on the Bluetooth icon to turn it off


Disable JavaScript in Safari

IMG_2989.jpeg

JavaScript powers the modern web but has been used in a significant number of web attacks. Disabling JavaScript will significantly improve the security of your device but will likely break many modern websites (rendering them unusable).

If you are a higher-risk individual (politician, journalist, dissent, etc, then you may want to turn JavaScript off. Otherwise, you may want to ignore this change (aka leave it on). Changing this setting only applies to JavaScript inside of the Apple Safari web browser.

  1. Open the Settings App

  2. Find Safari

  3. Scroll to the bottom until you see Advanced

  4. Turn of JavaScript by tapping the toggle switch.

Disable WIFI Hotspot

IMG_2990.jpeg

The WIFI Hotspot is a setting that is normally set to off. I am specifying it here in case you turned it on.

WIFI hotspot allows other WIFI devices to connect to your smartphone and share its LTE connection (3G, 4G or 5G). Obviously, those devices need to have the WIFI Hotspot password that is configured on your smartphone, but it is possible iOS contains a vulnerability not yet known by Apple that could be exploited, this allowing a threat actor to connect to your device and push malware.

  1. Open the Settings App

  2. Open Personal Hotspot

  3. Turn off Allow Others to Join