Click This Link to Fail a Phishing Test
All links and images for this episode can be found on CISO Series
Our phishing tests are designed to make you feel bad about yourself for clicking a link. We're starting to realize these tests are revealing how insensitive we are towards our employees.
This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Yaron Levi, (@0xL3v1) former CISO, Blue Cross Blue Shield of Kansas City.
Thanks to this week’s podcast sponsor, Stackrox
StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle.
Is this a cybersecurity disinformation campaign?
On reddit, an explosive discussion formed around a ComputerWeekly.com article by Saj Huq of Plexal about the importance of making disinformation a security issue. The problem though has primarily fallen into the hands of social media companies mostly because that's where disinformation spreads. While we've seen disinformation being used as a political tool, for businesses, it can tarnish your corporate brand, consumer trust, and ultimately the value of your product. It's also used in phishing campaigns. Breaches are compromising your data. Disinformation is questioning the validity and value of data without even stealing it. How do you combat that?
Are we having communication issues?
We're recording this episode shortly after GoDaddy sent its infamous phishing test email that promised employees a $650 bonus check. Those who clicked on the email were rewarded with additional security training. It took the entire Internet to point out how insensitive this was, GoDaddy's response was "We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologized." They argued that while it may be insensitive, these types of well-timed phishing emails do happen. A lot of people do not like phishing tests and Yaron has proven that if creative enough, anyone can fall for a phish. How can the company and security be more sensitive to employees, respect them, while also letting them know they may receive a malicious email just like this?
An international What's Worse conundrum.
How do you go about discovering new security solutions?
Julia Wool, Evolve Security said, "I just finished a Splunk course and wanted to explore other SIEM platforms and I am having a difficult time understanding how an enterprise should choose a vendor in this space. I couldn't imagine being the guy at an enterprise that has to consider all these different vendors that seem to be doing the same thing." Julia brings up a really good concern: If you were completely green, didn't have CISO connections, and were going to choose a SIEM for the first time how would you go about determining your needs and then researching and deciding? What sources would you use? And how do you limit this effort so you're not overwhelmed?
There’s got to be a better way to handle this
Brian Fanny, Orbita, asks, "Vendor scope can change over time within a project or the start of another and harder to control than the initial evaluations. They start off when non-critical requirements/needs eventually grow into handing assets of greater value and/or gaining access to more critical systems. How do you keep up with vendor/project scope creep from the security sidelines?"