The CISO Decides

AKATI Sekurity
Feb 18, 2020
Photo by Andrew Neel on Unsplash

Starting his day at the office sipping a cup of hot Americano, he opened his tablet and browsed through the security news. Noting that Citrix had recently shipped patches for several critical vulnerabilities, he forwarded the article to the cybersecurity team, with emphasis on updating their Citrix installations to the latest patched builds. The download links for the fixed builds were listed in the article, so the team shouldn't have any problem applying them promptly.

He smiled as he deleted, yet again, a networking request notification from a seemingly familiar face. While it was tempting to accept it at a glance, a quick image search showed that the profile picture was easily found online. For all he knew, it was a fake account. It was a face he had seen at one of the conventions he visited, but the posts, at least on that profile, did not reflect the person he had conversed with; moreover, he observed that the posts' contents had changed significantly since he last visited the profile briefly three days ago. Perhaps if he saw the person again, he would verify whether the profile was really his, or whether the recently rising "Chameleon Attack" social-engineering technique had chosen his acquaintance as one of its lucky victims. He did not want to like a post about cybersecurity hygiene, only to find out later that he had liked terrorist propaganda.

Now he had time to go through one of his cybersecurity staff's proposals regarding the subscription to and implementation of a password manager, along with several recommendations. It had been overdue from the previous leadership, but he did not intend to let it stay that way any longer. With the emergence of credential-stealing ransomware targeting Internet Explorer, Mozilla Firefox, Mozilla Thunderbird, Google Chrome and Microsoft Outlook (all vital software components used in both the management and technical departments), it was important to instill the use of a password manager among his employees and to reduce, or ideally eliminate altogether, the use of the default credential-saving feature in those applications. First things first: he needed the Italy branch to refresh its social engineering awareness. Avoiding the phishing email is the first preventive step; using the password manager is a mitigation there, and a company-wide prevention once consistently practised.

And based on a screenshot he had received, he really needed to advise his IT department's chief to update his computer at least to the latest Edge, as the window in the screenshot showed he was still using IE. Considering IE still had no patch for its zero-day flaw, and might not until 11th Feb, it would be better to use the Chromium-based Edge or the open-source Firefox, which had been patched earlier this month. The chief had assured him not to worry about the workstations with Windows Server installed, as the browsers there had been locked down under Enhanced Security Configuration, which prevents browser-based attacks, but he remembered that most workstations in consulting and management were still running Windows 7, which was reaching the end of its support cycle. He needed to follow up on the system-wide upgrade to Windows 10.

Finally, as it was almost time for him to join the board meeting, he sent a brief article to his security team, with a short note to expedite the configuration changes for the connected devices they had recently obtained in large batches. While they were moving forward with the times, providing "smart homes" and A.I. appliances, if those devices' configurations were not hardened and were left at defaults during deployment and setup, they would be susceptible to attack. At the same time, he would need his cybersecurity team to ensure that their devices were not among the 515,000 with leaked Telnet credentials.

And all of this is just an hour of a CISO’s time.
