CISO or vCISO? The Benefits of a Contractor C-level Security Role

Read how a virtual chief information security officer (vCISO) can help you uplift a struggling information security program.

Source: CISO or vCISO? The Benefits of a Contractor C-level Security Role

Webinar: vCISO vs CISO – Which is the right path for you?


CISO as a Service or Virtual CISO


The Benefits of a vCISO


Subscribe to DISC InfoSec blog by Email

Leave a Comment

The evolution of the modern CISO

The modern CISO

The role of CISO first emerged as organizations embraced digital revolutions and began relying on new data streams to help inform business decisions. As technology continued to advance and became more complex, so too did threat actors who saw new opportunities to disrupt businesses, by stealing or holding that data hostage for ransom.

As the years have gone by and cyberattacks have become more sophisticated, the role of the CISO has had to advance. The CISO has evolved from being the steward of data to also being a guardian for availability with the emergence of more destructive and disruptive attacks. The CISO also must be highly adaptable and serve as the connective tissue between security, privacy and ultimately, consumer trust.

The changing threat landscape

Previous blogs on CISO & vCISO

Virtual CISO - Virtual Chief Information Security Officer (vCISO)

Related latest CISO and vCISO titles

Leave a Comment

Want to become a CISO

CISO role is not only limited to understanding infrastructure, technologies, threat landscape, and business applications but to sway people attitude and influence culture with relevant policies, procedures and compliance enforcement to protect an organization.

#CISO #vCISO
Explore more on CISO role:

Leave a Comment

Consider a Virtual CISO to Meet Your Current Cybersecurity Challenges | GRF CPAs & Advisors

By: Melissa Musser, CPA, CITP, CISA, Risk & Advisory Services Principal, and Darren Hulem, IT and Risk Analyst The COVID-19 crisis, with a new reliance on working from home and an overburdened healthcare system, has opened a new door for cybercriminals. New tactics include malicious emails claiming the recipient was exposed COVID-19, to attacks on…Read more ›

Source: Consider a Virtual CISO to Meet Your Current Cybersecurity Challenges | GRF CPAs & Advisors

Small- to medium-sized nonprofits and associations are particularly at risk, and many are now employing an outsourced Chief Information Security Officer (CISO), also known as a Virtual CISO (vCISO), as part of their cybersecurity best practices.

vCISO model not only offers flexibility over time as the organization changes, providers are also able to deliver a wide range of specialized expertise depending on the client’s needs.

The vCISO offers a number of advantages to small- and medium-sized organizations and should be part of every nonprofit’s or association’s risk management practices.

Virtual CISO and Security Advisory – Download a #vCISO template!

Three Keys to CISO Success




Leave a Comment

CISO Recruitment: What Are the Hot Skills?

CISO/vCISO Recruitment

What are enterprises seeking in their next CISO – a technologist, a business leader or both? Joyce Brocaglia of Alta Associates shares insights on the key qualities

What kinds of CISOs are being replaced? Brocaglia says that an inability to scale and a tactical rather than strategic orientation toward their role are two reasons companies are looking to replace the leaders of their security teams—or place them underneath a more senior cybersecurity executive. They are looking for professionals with broad leadership skills rather than a “one-trick pony.”

Today’s organizations want the CISO to be intimately involved as a strategic partner in digital transformation initiatives being undertaken. This means that their technical expertise must be broader than just cybersecurity, and they must have an understanding of how technology impacts the business—for the better and for the worse. And candidates must be able to explain the company’s security posture to the board and C-suite in language they understand—and make recommendations that reflect an understanding of strategic risk management.

CISOs who came up through the cybersecurity ranks are sometimes at a disadvantage as the CISO role becomes more prominent—and critical to the business. Professionals in this position will do well to broaden their leadership skills and credentials, sooner rather than later.

Source: CISO Recruitment: What Are the Hot Skills?



Interview with Joyce Brocaglia, CEO, Alta Associates



The Benefits of a vCISO




Want know more about vCISO as a Service…






Subscribe to DISC InfoSec blog by Email




Leave a Comment

Cost Effective Cyber Security

DISC InfoSec provides cost effective Cybersecurity: CISO as a Service (CISOaaS)

A Chief Information Security Officer (CISO) is an executive responsible for cybersecurity. Many medium-sized organizations need a CISO but don’t have the budget for one. A Fractional CISO/ vCISO can deliver the value of a full-time CISO without the same level of investment.

Why do you may need one?

  • Lower your organizational cybersecurity risk with industry expert leadership.
  • Supplement your team with InfoSec program, policy and process experts to solve your most pressing needs.
  • Prioritize your cybersecurity investments with quantitative decision making.
  • vCISO for your Interim CISO needs.
  • vCISO program can put you on a path to success with your compliance initiatives, such as a NIST CSF compliance or ISO 27001 certification.

DISC InfoSec also performs technical control assessment such as (Web Application testing) which is imperative to your compliance and ISO 27001 certification process.

In short, as a CISOaaS we do all the legwork so you can focus on running your business.

Our vCISO advisory services are available to support the security/ technology leadership of your organization to implement and improve security and risk posture in today’s heightened security averse landscape.

If you are interested to know more about how can we assist you in your latest InfoSec and compliance project, schedule a short call on our calendar.

​​Latest DISC InfoSec blog feed

Chief Information Security Officer

Contact DISC InfoSec for any question

Leave a Comment

Hackers claim they can now jailbreak Apple’s T2 security chip

Jailbreak involves combining last year’s checkm8 exploit with the Blackbird vulnerability disclosed this August.

Source: Hackers claim they can now jailbreak Apple’s T2 security chip | ZDNet



How to Disable T2 Security




👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet

Download a Security Risk Assessment Steps paper!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

 




Leave a Comment

Clinical Trials Hit by Ransomware Attack on Health Tech Firm

No patients were affected, but the incident was another reminder of the risks in the increasingly common assaults on healthcare computer networks.

A Philadelphia company that sells software used in hundreds of clinical trials, including the crash effort to develop tests, treatments and a vaccine for the coronavirus, was hit by a ransomware attack that has slowed some of those trials over the past two weeks.

The attack on eResearch Technology, which has not previously been reported, began two weeks ago when employees discovered that they were locked out of their data by ransomware, an attack that holds victims’ data hostage until they pay to unlock it. ERT said clinical trial patients were never at risk, but customers said the attack forced trial researchers to track their patients with pen and paper.

Source: Clinical Trials Hit by Ransomware Attack on Health Tech Firm

 

 
Clinic.al Trials Hit by Ransomware Attack on Health Tech Firm



👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet

Download a Security Risk Assessment Steps paper!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

 




Leave a Comment

12 Bare-Minimum Benchmarks for AppSec Initiatives

The newly published Building Security in Maturity Model provides the software security basics organizations should cover to keep up with their peers.

As application security methodology and best practices have evolved over more than a decade, the Building Security in Maturity Model (BSIMM) has been there each year to track how organizations are making progress. BSIMM11, released last week by Synopsys, is based on the software security practices in place at 130 different firms across numerous industries, including financial services, software, cloud, and healthcare.

The practices were measured by the model’s proprietary yardstick, which lumps 121 different software security metrics into four major domains: governance, intelligence, secure software development lifecycle (SSDL) touchpoints, and deployment. Each of these domains are further broken down into three practice categories containing numerous activities that slide from simple to very mature.

Similar to previous reports, BSIMM11 shows that most organizations are at the very least hitting the basics — including activities like performing external penetration testing and instituting basic software security training across development organizations. The following are the most common activities cited for each practice category, providing an excellent yardstick for the bare minimum that organizations should be doing to keep up with their peers.

Source: 12 Bare-Minimum Benchmarks for AppSec Initiatives







DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet

Download a Security Risk Assessment Steps paper!




Leave a Comment

Thin clients from a security perspective

The mass transition to working from home clearly shows the best technologies for a secure and convenient remote environment.

Users receive the maximum security benefits by connecting to virtual desktops from thin clients.

A thin client is a terminal-mode device. It often doesn’t even have any internal storage, being just a box that connects to a server and lets users connect a monitor and peripheral devices (configuration may vary depending on the specific model). The thin client does not process or store any work data.

Of course, a thin client requires a good communications channel. In recent years, however, that’s not much of a hurdle.

Communication between a thin client and a server is usually conducted over an encrypted protocol, solving the problem of the unreliable network environment.

Source: Thin clients from a security perspective

2020 Security Playbook

1) Data discovery
2) Compartmented Data Access
3) Move to thin client
4) Increase focus on AAA




DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet

Download a Security Risk Assessment Steps paper!




Leave a Comment

Enhance your privacy management with ISO 27701

ISO/IEC 27701:2019 provides guidance on data protection, including how organizations should manage personal information, and helps demonstrate compliance with privacy regulations around the world, such as the GDPR.

The Standard integrates with the international information security management standard ISO/IEC 27001 to extend an ISMS (information security management system), enabling an organization to establish, implement, maintain and continually improve a PIMS (privacy information management system).

ITG pocket guide ISO/IEC 27701:2019: An introduction to privacy information management is an ideal primer for anyone implementing a PIMS based on ISO 27701.

Improve your privacy information management regime

Co-written by Alan Shipman, an acknowledged expert in the field of privacy and personal information and the project editor of ISO/IEC 27701, this pocket guide will help you understand the basics of privacy management, including:

 

  • What privacy information management means
  • How to manage privacy information successfully using a PIMS aligned to ISO/IEC 27701
  • Key areas of investment for a business-focused PIMS and
  • How your organization can demonstrate the degree of assurance it offers with regard to privacy information management.
ISO/IEC 27701:2019: An introduction to privacy information management
 

         Buy now

ISO 27701 Gap Analysis Tool


Download a Security Risk Assessment Steps paper!







DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet




Leave a Comment

Hacker Accessed Network of U.S. Agency and Downloaded Data

An unnamed U.S. federal agency was hit with a cyber-attack after a hacker used valid access credentials, authorities said on Thursday.

While many details of the hack weren’t revealed, federal authorities did divulge that the hacker was able to browse directories, copy at least one file and exfiltrate data, according to the Cybersecurity & Infrastructure Security Agency, known as CISA.

The hacker implanted malware that evaded the agency’s protection system and was able to gain access to the network by using valid access credentials for multiple users’ Microsoft 365 accounts and domain administrator accounts, according to authorities.

Source: Hacker Accessed Network of U.S. Agency and Downloaded Data


Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!

Download a Security Risk Assessment Steps paper!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet




Leave a Comment

Operation DisrupTor: police arrested 179 vendors engaged in the sale of illicit good

A global police sting dubbed Operation DisrupTor targeted vendors and buyers of illicit goods on the dark web, Europol announced.

Source: Operation DisrupTor: police arrested 179 vendors engaged in the sale of illicit good – Security Affairs

Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!

Download a Security Risk Assessment Steps paper!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet




Leave a Comment

Guard your data with these privacy-focused search engines & browsers

Tracking allows the companies to improve their algorithm and app experience, but this experience comes at the cost of your digital data. In this guide, we’re going to focus on the search engines and browsers that you’ll want to use if you care about your online privacy.

Popular search engines and browsers do a great job at finding and browsing content on the web, but can do a better job at protecting your privacy while doing so.

With your data being the digital currency of our times, websites, advertisers, browsers, and search engines track your behavior your on the web to deliver tailored advertising, improve their algorithms, or improve their services.

Privacy-focused search engines

Below are the best privacy-focused search engines that do not track your searchers or display advertisements based on your cookies or interests.

Source: Guard your data with these privacy-focused search engines & browsers


Download a Security Risk Assessment Steps paper!

Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet




Leave a Comment

CISA: Chinese state hackers are exploiting F5, Citrix, Pulse Secure, and Exchange bugs

CISA says attacks have started a year ago and some have been successful.

Source: CISA: Chinese state hackers are exploiting F5, Citrix, Pulse Secure, and Exchange bugs | ZDNet



Chinese Hackers Working w/ Ministry of State Security Charged w/ Global Computer Intrusion Campaign




The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

Download a Security Risk Assessment Steps paper!

Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet




Leave a Comment

Don’t pay the ransom, mate. Don’t even fix a price, say Australia’s cyber security bods

Better yet – do the basics and your systems won’t get encrypted in the first place

Source: Don’t pay the ransom, mate. Don’t even fix a price, say Australia’s cyber security bods

The infoseccers strongly advised against paying the criminals:

Paying a ransom does not guarantee decryption of data. Open source reporting indicates several instances where an entity paid the ransom but the keys to decrypt the data were not provided. The ACSC has also seen cases where the ransom was paid, the decryption keys were provided, but the adversary came back a few months later and deployed ransomware again. The likelihood that an Australian organizations will be retargeted increases with every successful ransom payment.

It is generally much easier and safer to restore data from a backup than attempting to decrypt ransomware affected data.

“Many of these [attacks] could have been avoided or substantially mitigated by good cyber security practices,” sighed the ACSC in the report (PDF, 18 pages), which covered the months July 2019-June 2020.



How to recover your system from a Ransomware attack




Download a Security Risk Assessment Steps paper!

Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet




Leave a Comment

Colocation data centers giant Equinix data hit by Netwalker Ransomware

Equinix, one of the world’s largest providers of colocation data centers and Internet connection announced it was hit by Netwalker Ransomware.

Source: Colocation data centers giant Equinix data hit by Netwalker Ransomware

Equinix data center giant hit by Netwalker Ransomware, $4.5M ransom

Equinix Ransomware Attack Hits Company’s Internal Systems

Equinix Statement on Security Incident


Download a Security Risk Assessment Steps paper!

Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet




Leave a Comment

Hackers use legit tool to take over Docker, Kubernetes platforms

In a recent attack, cybercrime group TeamTNT relied on a legitimate tool to avoid deploying malicious code on compromised cloud infrastructure and still have a good grip on it.

Source: Hackers use legit tool to take over Docker, Kubernetes platforms

Misusing tool of the trade
Analyzing the attack, researchers at Intezer discovered that TeamTNT installed Weave Scope open-source tool to gain full control of the victim’s cloud infrastructure.

According to them, this may be the first time a legitimate third-party tool is abused to play the part of a backdoor in a cloud environment, also indicating the evolution of this particular group.

Weave Scope integrates seamlessly with Docker, Kubernetes, and the Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS). It provides a complete map of processes, containers, and hosts on the server and control over installed applications.

“The attackers install this tool in order to map the cloud environment of their victim and execute system commands without deploying malicious code on the server,” Intezer notes in a report today.


Download a Security Risk Assessment Steps paper!

Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet




Leave a Comment

Hackers use e-skimmer that exfiltrates payment data via Telegram

Experts observed a new tactic adopted by Magecart groups, they used Telegram to exfiltrate stolen payment details from compromised websites

Source: Hackers use e-skimmer that exfiltrates payment data via Telegram



CISA Webinar: E-Skimming


This Is How Easy It Is To Get Hacked | VICE on HBO




Download a Security Risk Assessment Steps paper!

Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet




Leave a Comment

Cisco engineer resigns then nukes 16k WebEx accounts, 456 VMs

A former Cisco employee pleaded guilty to accessing the company’s cloud infrastructure in 2018, five months after resigning, to deploy code that led to the shut down of more than 16,000 WebEx Teams accounts and the deletion of 456 virtual machines.

According to a plea agreement filed on July 30, 2020, 30-year-old Sudhish Kasaba Ramesh accessed Cisco’s cloud infrastructure hosted on Amazon Web Services without permission on September 24, 2018 — he resigned from the company in April 2018.

Source: Cisco engineer resigns then nukes 16k WebEx accounts, 456 VMs

From Weakest Link to Human Firewall in Seven Days

Download a Security Risk Assessment Steps paper!

Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet




Leave a Comment