Title: Cybersecurity Growth #3 - So You Wanna Be A CISO
Welcome to Cybersecurity Growth. A show for aspiring and existing cybersecurity leaders. I’m your host Shawn Valle, Exec Director and CISO of Cybersecurity Growth
Former Chief Security Officer of Rapid7 and former CISO of Tricentis
Musician here on Twitch and elsewhere, MusicBySV (more on that later)
By Arielle Waldman Published: 23 Jan
“Experts applaud expansion of Apple's E2E encryption”
Amidst growing privacy concerns and data breach threats, Apple launched Advanced Data Protection for U.S. customers last month to secure almost all data stored in iCloud.
In December, Apple launched three new data security and authentication tools including iMessage Contact Key Verification, Security Keys for Apple ID and -- most notably -- Advanced Data Protection. The new offering expands Apple's end-to-end encryption (E2EE) protection to the cloud, including device and messages backup, the iCloud drive, notes, photos, voice memos, wallet items and more.
With Apple's encryption expansion, access to most cloud data will now be limited to users. Data recovery can only be achieved through passwords and recovery methods, and not even Apple can decrypt it. More significantly, the data will remain secure even if the cloud is breached, according to Apple.
(Think about LastPass recently. They were breached and all user data was lost. The encrypted stuff SHOULD stay safe even though it was stolen, due to good encryption techniques. But LP admitted that fields like the URL were not encrypted and were not considered a secure field. I – and many others – disagree. The URL likely contains session cookie info that can allow an attacker to bypass passwords and MFA to get into a site.
Back to Apple.)
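An added example, not from the show or from LastPass, that models the point above: a vault record where only the password field is encrypted leaves the URL, query string included, readable in a stolen copy, while encrypting every field does not. The sample entry, the PBKDF2 key split and the HMAC-CTR encrypt-then-MAC construction are assumptions for illustration.

```python
import hashlib, hmac, os
from urllib.parse import parse_qs, urlsplit
# Constructed sample vault entry; values are hypothetical, not from any real breach.
ENTRY = {
    "name": "Example bank",
    "url": "https://bank.example/login?session=abc123sessiontoken&next=/accounts",
    "username": "alice",
    "password": "correct horse battery staple",
}
ENC_MARK = "enc:"  # prefix that marks a stored field as ciphertext

def derive_keys(master_password, salt):
    # PBKDF2-HMAC-SHA256 split into an encryption key and a MAC key (assumed construction;
    # a production vault would use a memory-hard KDF and a standard AEAD such as AES-GCM).
    dk = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=64)
    return dk[:32], dk[32:]

def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256(key, nonce || counter).
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt_field(keys, plaintext):
    # Encrypt-then-MAC: XOR with the keystream, then an HMAC tag over nonce || ciphertext.
    enc_key, mac_key = keys
    nonce, pt = os.urandom(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ENC_MARK + (nonce + ct + tag).hex()

def decrypt_field(keys, blob):
    enc_key, mac_key = keys
    raw = bytes.fromhex(blob[len(ENC_MARK):])
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch: blob was tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

def store_entry(keys, entry, encrypted_fields):
    # The record as it lands on the server: only the listed fields are encrypted.
    return {k: encrypt_field(keys, v) if k in encrypted_fields else v for k, v in entry.items()}

def decrypt_entry(keys, stored):
    return {k: decrypt_field(keys, v) if v.startswith(ENC_MARK) else v for k, v in stored.items()}

def exposed_on_breach(stored):
    # What a stolen copy reveals without the master password: every cleartext field, plus the
    # query-string parameter names of a cleartext URL (where session tokens tend to be carried).
    clear = {k: v for k, v in stored.items() if not v.startswith(ENC_MARK)}
    params = list(parse_qs(urlsplit(clear["url"]).query)) if "url" in clear else []
    return {"clear_fields": clear, "url_query_params": params}
```

Run `exposed_on_breach(store_entry(keys, ENTRY, {"password"}))` against `exposed_on_breach(store_entry(keys, ENTRY, set(ENTRY)))` to compare the two storage policies.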
...being rolled out to worldwide users in early 2023, the number of E2EE categories rises from 14 to 23
By Cynthia Brumfield, CSO | Jan 26
“Recent legal developments bode well for security researchers, but challenges remain”
Security researchers gained greater federal legal protections over the past two years, but US state laws and China’s recently adopted vulnerability disclosure law pose threats.
…Harley Geiger, an attorney with Venable LLP, who serves as counsel in the Privacy and Data Security group. Speaking at Shmoocon 2023, Geiger pointed to three changes in hacker law in 2021 and 2022 that minimize security researchers' risks.
"Over the past couple of years, these developments have changed the sources of greatest legal risk for good faith security research," he said. Specifically in the US, the Computer Fraud and Abuse Act (CFAA), the most controversial law affecting hackers, the Department of Justice's (DOJ’s) charging policy under the CFAA, and the Digital Millennium Copyright Act have evolved in favor of hackers. However, laws at the US state level affecting hackers and China's recently adopted vulnerability disclosure law pose threats to security researchers and counterbalance some of these positive changes.
The CFAA was enacted in 1986… …and was the first US federal law to address hacking.
"The CFAA has been the boogeyman for the community for quite a long time," Geiger said. "It's maybe the most famous anti-hacking law. This is a criminal law and a civil law, and that's important to remember. You can be prosecuted under the CFAA criminally, and you can also be threatened with private lawsuits."
…CFAA prohibits several things, including accessing a computer without authorization and exceeding authorized access to a computer.
In June 2021, the US Supreme Court altered its previous stance on the CFAA. In the Van Buren vs. the US decision, the Court said that if "you are authorized to use a computer for one purpose, and you use it for another, even though it's an unauthorized purpose, that may be a violation of your contract, but it is not a federal hacking crime," Geiger told the attendees. "But you still have to have some authorization to use the computer in the first place," and terms of service can still possibly dictate whether you have authorization.
…in 2022, CFAA rules got better for researchers/hackers… "It is explicit protection for good-faith security research under the nation's chief foremost prosecutor," Geiger said.
- So You Wanna Be a CISO; Shawn’s CISO/CSO strategy walk-through.
Not a pretty deck. It’s my working slides based on 6 or 7 years of learning.
When the e-Comm company I was working for as SecOps Dir got acquired by a large CRM company :-), I was assigned a new Sec Systems Director role. I took it upon myself to play mini-CISO (learning from my 3 previous bosses in those roles), and I built a “first 100 days of a CISO playbook”. Then I implemented the playbook to see how it would work.
After a while, I got assigned a new role, responsible for Security of Cloud Identities across two very well-known cloud providers. I made some minor changes to my playbook, and implemented it again.
At that point, I realized that I wanted to take on a CISO/CSO role…so I found a job doing just that, and well, I iterated on my playbook and implemented it again. And again.
And likely will again. So, this is my personal playbook, I do share pieces of it with people/teams who are curious, and now you get to see it.
So, if you are a Manager, Director, VP or CISO, or even in IT or another department getting into manager/leader roles, quite a bit of this isn’t specific to “security”.
Let’s get into it.