Life imitating art

One of my favorite sci-fi books was Card’s Ender’s Game series, which chronicles smart kids who play video games and end up controlling an interstellar war. There is a lot more to the books, and they are well worth your time if you haven’t read any of them; even the movie was decent. The same basic plot point was part of a movie called The Last Starfighter made many years ago. Now the Pentagon has taken a cue from the idea and is writing its own video game called Operation Overmatch, according to this piece in DEFENSE ONE. The game, which is still in its early development stages, will help train soldiers in warfighting tactics and methods. It includes six types of armored vehicles playable across four different urban levels. When you think about this, it makes a lot of sense, given that many of their recruits are probably FPS fans. The article talks about some of the issues involved in designing a realistic simulation that teaches critical thinking and decision-making skills that could have life and death consequences.

That isn’t the only item in the news this past week that got me thinking about the notion of life imitating art. A group of Brazilian researchers has compiled an open-source blockchain-related database of discretionary expenditures and reimbursement by members of their Parliament. The project is called Serenata de Amor, which means love serenade. Brazil passed a mandatory financial disclosure law just a few years ago in an attempt at making their government more transparent and accountable. Like in the States and elsewhere, public servants have accounts that they can get reimbursed for their business expenses, but sometimes this “slush fund” can be abused. The most infamous case of this happened more than 20 years ago in Sweden when a public official was found to be buying groceries on her government credit card account and was dubbed The Toblerone affair. These Brazilian coders got together to try to stop this abuse.

The disclosures are searchable and the code has been written in English to facilitate international collaboration. Here is a post on Medium that describes the project and how people can contribute.

What does this have to do with life imitating art, you ask? If you have read the book or seen the movie called The Circle, you immediately recognize one of the major plot points about transparency in government. Instead of a blockchain database, people wear body cameras that stream their activities 24×7 and develop their own online audiences that watch their every move. If a Congressperson is continually broadcasting their daily meetings, there are no longer any backroom deals.

Sci-fi is always ahead of reality in some interesting ways. A noted example was the first geosynchronous satellites, which were thought of by Arthur Clarke back in 1945, 20 years before they actually became a reality. But it does seem lately things are getting more interesting.

HPE Enterprise.nxt blog: CEO cybersecurity 101: Improve your executives’ security hygiene

Chances are, your CEO doesn’t have the best data security hygiene. A recent analysis of passwords leaked by Equifax executives showed that they used simple passwords that could be easily guessed, and that they did not make use of multifactor authentication methods either. It is time we made our executives more responsible and exemplary users of our corporate security.

After the Equifax breach, researchers found their “chief privacy officer, CIO, VP of PR and VP of Sales, used passwords with all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year,” evidence that the company failed to follow best security practices. What makes this worse is the likelihood that numerous internal Equifax apps used the identical simple passwords.

While Equifax continues to make news as the security poster child, they aren’t alone and the problem is pervasive. There are hundreds of CEOs of ordinary companies who don’t understand good IT security hygiene. Just because most of these companies haven’t been in the headlines doesn’t mean they aren’t equally poor at their implementations. The 2017 Verizon Data Breach Investigations Report found that a whopping 81% of hacking-related breaches use either stolen or weak passwords. In other words: the breaches came from easily compromised identities.

I have spoken to many IT managers over the years who have told me of their frustration with their top executives when it comes to implementing better security policies. One manager that I interviewed last year (who asked not to be named, for obvious reasons) told me that he tried to make a very small change to his organization’s password policy. While he had greater goals, he was trying to deploy a policy that made passwords expire after a certain period. His goal was to try to get ahead of any breaches, because many of his users’ passwords to common websites had already been posted in earlier leaks, such as with Yahoo and LinkedIn.

For years his organization had passwords that never expired. He went ahead and got the various management approvals, and was all set to go with this very simple change until he was rebuffed by his CEO. “My CEO told me that he had been using the same password for more than 30 years and wasn’t about to change it now. So we still have hundreds of people using non-expiring passwords around the organization.” Argh.
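As an added example (not from the original post), here is a small policy check that flags the patterns the Equifax analysis and the 30-year-old password story describe: all-lowercase passwords, no symbols, names and cities tied to the user, initials plus birth year, passwords already seen in earlier leaks, and passwords past a rotation age. The leaked-password set, the fictional executive’s details and the assumed 90-day rotation period are constructed for the example.

```python
import re
from datetime import date, timedelta

# Constructed sample: a few passwords from earlier public leaks (illustrative values only).
KNOWN_LEAKED = {"password1", "welcome123", "linkedin2012", "yahoo!1"}

# Assumed policy: passwords older than this are flagged as stale.
MAX_AGE = timedelta(days=90)


def personal_words(first, last, spouse, city, birth_year):
    """Words an attacker would try first for this user: names, home city,
    and the initials + birth year combinations seen in the Equifax passwords."""
    initials = (first[0] + last[0]).lower()
    words = {first, last, spouse, city,
             f"{initials}{birth_year}", f"{initials}{birth_year % 100:02d}"}
    # Ignore very short tokens, which would match almost any password.
    return {w.lower() for w in words if len(w) >= 3}


def check_password(pw, words, last_changed, today):
    """Return a sorted list of policy findings; an empty list means the password passes."""
    findings = []
    low = pw.lower()
    if low in KNOWN_LEAKED:
        findings.append("leaked")
    if pw == low:                              # no upper-case letters at all
        findings.append("lowercase")
    if all(c.isalnum() for c in pw):           # no special symbols
        findings.append("no_symbols")
    if any(w in low for w in words):           # spouse, city, initials + year, ...
        findings.append("personal_word")
    if re.fullmatch(r"[a-z]{2,3}\d{4}", low):  # bare initials followed by a four-digit year
        findings.append("initials_year")
    if today - last_changed > MAX_AGE:         # the never-expiring password problem
        findings.append("stale")
    return sorted(findings)


def audit_sample():
    """Run the check over constructed sample passwords for one fictional executive."""
    words = personal_words("Jane", "Doe", "Robert", "Atlanta", 1965)
    today = date(2017, 10, 1)
    samples = {
        "robert1965": date(1987, 1, 1),            # unchanged for 30 years
        "jd1965": date(2017, 9, 1),
        "Welcome123": date(2017, 9, 1),
        "Crimson-Orbit!42Koala": date(2017, 9, 1),
    }
    return {pw: check_password(pw, words, changed, today)
            for pw, changed in samples.items()}


if __name__ == "__main__":
    for pw, findings in audit_sample().items():
        print(f"{pw:24s} -> {findings or 'OK'}")
```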

He isn’t the only frustrated IT manager. And passwords aren’t the only security issue. Another recent study by Code42 found that 75 percent of CEOs and more than half of other top executives admit that they use applications that are not approved by their IT department. This could be caused by a number of factors, including that the security team is not engaged with the C-suite, the executives are just stubborn and clinging to their old ways (such as that 30-year-old common password), or that security isn’t taken very seriously by management. Or all three.

But we shouldn’t just blame our executives, when the problem could be of our own making. “There will always be a natural tension between the CIO and the CISO,” as Saryu Nayyar wrote in an op/ed in Dark Reading earlier this summer. He is the CEO of Gurucul, a security vendor. “This dynamic is determined by the reality that the CIO is driven to provide more and better services at lower costs, while a CISO’s job is to protect everything.” Over my years of talking to many IT professionals, I have seen lots of such infighting between management teams. Certainly, the time for working together in the name of better security policies has come.

Another reason for CEO security malaise could be that security professionals aren’t good at communicating the actual risks and don’t practice what they preach. What ends up happening is that executives get turned off by the level of effort that is required to lock down their infrastructure. In a recent article in ITWorld, the author talks about how security practitioners who are drowning in noise end up adopting a hunter mentality and eventually abandon the data itself. “They spot check it and look for very specific patterns that have been successful in the past,” said Bay Dynamics co-founder and CTO Ryan Stolte, interviewed in the article.

So what should CSOs and CISOs do, other than find a more amenable CEO to work for? Start by first assembling some of the horror stories cited above. Look at the root causes of these incidents and try to factor these into your own plans for improving – and simplifying – your enterprise’s security practices.

Understand the value of leaked data and how it can live forever. “I think what’s being overlooked to some extent is the fact that the data that was compromised has perpetual value to a fraudster,” says credit expert John Ulzheimer quoted in this blog post. “In five, 10, 15 years that data will still be valuable to a fraudster.” Certainly that is the case if users stick with their age-old go-to password collections, as has been illustrated here.

Next, you need to be talking about these risks in the only language your CEO understands – money. Security consultant David Froud has written about this extensively. “This is not the language of security, it’s the language of business goals. Or to put it crassly, it’s the language of money,” he said in this post.

Forget about next-generation firewalls, or even last-generation ones. Or the details about how your anti-malware algorithms work. Your CEO isn’t interested. It is all plumbing, and about as exciting. What will get the CEO involved is how much money you can save your company by following a particular practice. Map your organization’s assets to your business processes as a start and make sure you understand how to value each of these processes.

Keep your security as simple as possible, and then people will actually use it. “If the cybersecurity industry was doing its job, it would be SIMPLIFYING things for everyone, not making them worse,” says Froud in another post. As an example of this, take a closer look at using single sign-on or password manager tools that take the burden of passwords from your users and automate the password creation process. Once you take the creation – and remembering – of passwords out of human hands, you have a prayer of fighting back against the criminals who prey on the collections of reused and simple passwords.

There is no point in having a complex multifactor authentication system, for example, if only a portion of the staff uses it. In fact, find a simple multifactor authentication product and get everyone on board. Make sure you implement programs that are workable and usable. Don’t pile on security for security’s sake. And if you are evaluating two different security solutions, choose the simpler one if at all possible. Have I said “simple” enough times here?

Of course, using single sign-on tools isn’t 100 percent secure either. In a recent hack, Vevo, an online music video site, was subjected to a phishing attack through LinkedIn that compromised an employee’s Okta account. From this account, the hackers were able to gain access to Vevo’s media servers and helped themselves to terabytes of private files.

That brings up my next point. Any security program should plan on better executive and user awareness education, particularly when it comes to a type of phishing attack called “whaling” or CEO impersonation. These are emails sent by attackers that appear to come from your CEO or CFO and ask for huge sums of money to be transferred, but in reality are just scams writ large. Numerous security vendors offer these programs, if you don’t want to design your own. All it takes is a single email to break through your defenses, as the folks at Vevo found out.

Finally, practice what you preach. If you aren’t trying out what you are going to recommend that everyone else use, you aren’t going to get very far. Lead by example. Years ago when I first started working in IT, I had a CTO (we didn’t call him that, but that is what he was) who refused to use the Lotus 1-2-3 spreadsheet software that everyone else was getting for their PCs because 1-2-3 came with copy protection on the disk. When he found out that I had a version that removed the copy protection, he insisted that I install it on his PC. We don’t need more hypocrites in IT. Do as I say and as I do.

Clearly, we still have a long way to go before we can get better-behaving CEOs, at least when it comes to security practice. And maybe convincing them to change their passwords, or heavens, to use a password manager or a single sign-on tool, could be the first important step.

iBoss blog: Implementing Better Email Authentication Systems

To provide better spam and phishing protection, a number of ways to improve on email message authentication have been available for years, and are being steadily implemented. However, it is a difficult path to make these methods work. Part of the problem is that there are multiple standards and, sadly, you need to understand how these different standards interact and complement each other. Ultimately, you are going to need to deploy all of them.

You can read my latest blog for iBoss here to find out more.

iBoss blog: What Is WAP Billing and How Can It Be Exploited?

An old scam to separate people from their money has been gaining more popularity. It uses a cellphone protocol called WAP billing to steal your money. You have a hint from its name that it has something to do with wireless network protocols, but the idea is to save folks some time when they want to pay for something online by having the charges go directly on the user’s phone bill. I explain the exploit and how it is being used in my latest blog post for iBoss here. One infection point is a “battery optimizer” app that conceals the WAP billing trojan.

HPE blog: What developers can learn from the best museum designers about UX

Putting together a museum exhibit is a lot like writing code: you have to understand your audience, engage the user or visitor in a number of interesting ways, and have a clear message to impart. As an avid museumgoer over the years I have had the opportunity to see some fascinating exhibits all over the world. Let’s look at some of these more memorable exhibits and what museums and app developers can share and learn from each other in terms of improving the user experience (UX).

Most museum exhibits, like most software, are usually focused on what you can see. And often this means a lot of reading, which is why many of us get “museum fatigue” and get distracted after an hour or so when we visit a typical museum. The same is often true of many software programs: we don’t want to read lengthy tracts on our screens and need something else to draw our attention or get us engaged with our other senses.

One of the earliest commonalities is when museums employ “digital artists” to create interesting data visualizations as exhibits. Sheldon Brown’s video installation Scalable City was shown in 2008 at San Francisco’s Exploratorium. The Cooper Hewitt Smithsonian design museum has had a series of data visualization exhibits for years. And then there is the work of Jer Thorp and the Office of Creative Research in New York City, which I described in an article that I wrote several years ago for ITworld here.

But getting a better understanding of UX isn’t just about looking at pretty pictures. You need to combine two or more of our senses to make the exhibit more interesting and memorable. Let me give you a few examples.

The City Museum in St. Louis is a unique place and opened in 1997. It actually isn’t a museum in the strict sense of the word but more of an indoor playground for kids and adults alike. It was the creation of Bob Cassilly, who came up with the idea for the place and designed many of its exhibits. The museum is built inside an old shoe factory and reuses many materials found in the factory and other industrial buildings. These include a set of three-story ramps that were turned into slides and other rooms that showcase artwork constructed from abandoned and reclaimed building materials.

The City Museum is a prime example of the architectural term adaptive reuse, which means taking something that was designed for one purpose and using it for something else. What can a coder learn from this? Even the best app developer can reuse bits of code for other purposes.

The Lincoln museum in Springfield, Ill. opened in 2005 and has several exhibits that take their cues from the world of theater. The museum’s designer was BRC Imagination Arts of Burbank, Calif.

One of my favorite rooms is the scene depicting the death of Lincoln’s son, which happened during the Lincoln presidency. The room’s temperature is deliberately cooled five degrees from the rest of the museum so you get a slight chill as you walk into the space. This makes the experience more eerie and realistic. In another room is an interpretation of the four candidates running during the 1860 election, which was filmed in Tim Russert’s “Meet the Press” studios in Washington. As in a control room, it displays TV monitors showing video clips, historical still photos and commercials created from the perspectives of each candidate and conveying their particular political positions.

Obviously, there wasn’t any broadcast TV during Lincoln’s time but the exhibit works because of this conflict of context between that era and today. Software developers also have to be careful of context switching in their apps, to make sure that users don’t get lost in the process or that a particular execution thread can be resumed properly. Many malware writers take advantage of context switching to introduce viruses or to take remote control over an app when a context switch is broken.

At the Chopin Museum in Warsaw the exhibits were designed by Migliore+Servetto Architetti Associates, along with the British firm Centre Screen. The problem they were trying to solve was how to present information in different languages, given that most of their guests were coming from outside the country. They came up with a rather clever solution. Each guest receives an RFID badge that encodes the guest’s language preference and whether they are adults who want longer narratives or children with shorter attention spans. There is also an option for the visually impaired visitor. This allows for a personalized visit: as you walk around the various galleries, your badge will change what is shown on the walls to suit your preferences – and it is done automatically, without you having to hunt down the right language for exhibit descriptions and explanations on the walls.

“The idea is a simple one: there is too much information to put on a wall label, so let’s direct the visitor to a virtual resource where they can learn more,” says this article on how RFID tech is changing museums. This “personalization gives greater insight into visitors’ interests and enables the museum to build a more engaged community.”

For a software developer that is looking to have a multi-lingual audience, this shows how you can make the experience less of a chore. Many websites have buttons on the top of their home pages with small flag icons to indicate languages that are available. Another way to do this is to read cookies that are saved on the computer for a language preference.

The personalization aspect is also something that has been used often in the software community. Many websites ask visitors to sign in so they can personalize the browsing experience: Amazon’s recommendation engine is one notable example. But a programmer could also geo-sense the possible language to be shown based on the location of a visitor’s IP address or other computer data. Google does this when you bring up its home page around the world, and redirects you to the page and language preferences of that country, for example.

Given its focus, another challenge for the Chopin Museum was how to present his music in a way that could make it more accessible to non-musicians. The designers created a set of audio booths that patrons could enter and select various tracks from a touchscreen interface (using the patron’s language and interest preferences). While playing the music, the touchscreen shows a variety of video and still images to complement the piece.

Another exhibit has a series of drawers in a table: each drawer contains a different composition, with a link to a photographic projection on the table of the actual score that Chopin wrote and links to play the music and highlight the portion of the manuscript being played.

With both of these exhibits you have the visitor use multiple senses (seeing, touching and hearing) – this is a great way to increase the overall experience and get the visitor more engaged in your content.

As you can see, you can draw inspiration from many places when you are writing code and developing your app. And the best UX comes from ordinary life experience, including walking through a museum.

iBoss blog: Understanding the Differences Between Anonymity and Privacy

Balancing anonymity and privacy isn’t an either/or situation. There are many shades of gray, and it is more of an art than science. Making sure your users understand the distinction between the two terms and setting their appropriate expectations of both should be a critical part of any job managing IT security.

Most users, when they say they want anonymity, really are saying that they don’t want anyone – whether it be the government or an IT department – to keep track of their web searches and conversations. They will say they want some amount of privacy when they are at work, whether they are using their computers and phones for work-related tasks or not.

Certainly, part of the problem is that people today over-share online: they post photos of themselves at various restaurants, or are tagged by their social media “friends” in awkward situations, or post their travel itineraries down to the exact hotels they stay at. How hard would it be to intercept their communications, break into an unoccupied home, or steal a laptop from their hotel room with this information?

But part of the problem is that controlling our privacy is complex: Take a look at the typical controls offered by Twitter. How can any normal person figure these out, let alone remember to change any of them as their needs change? It is hopeless.

As I wrote in another blog post, many enterprises are deleting their most sensitive data so they don’t have to worry about potential and embarrassing leaks. Some are also making sure they own their own encryption keys, rather than trust them in the hands of some well-meaning third party. And Apple has recently announced changes to its iOS 11 that will make it harder for law enforcement to extract your personal data.

Sometimes, the purported solutions to privacy controls only make things worse. Windows 10 comes with a series of “personalization” settings that are enabled for the maximum intrusion into our lives by default. One of them – letting ads access a specially-coded ID that is stored on your computer to personalize messages for you – is presented in a way to “improve your experience.” If you choose this route, this translates to increasing the creepiness factor, as ads are served up online based on your browsing history.

As another example, technology often gives us a false sense of security. Just because your users enable private browsing or connect to the Internet through a proxy server doesn’t mean people can’t figure out who they actually are or target ads to their browsing history. Recently, researchers have found flaws in the extension APIs of all browsers that make it easier to fingerprint anyone. Called the WebExtensions API, this protects browsers against attackers trying to list installed extensions by using access control settings in the form of the manifest.json file included in every extension. This file blocks websites from checking any of the extension’s internal files and resources unless the manifest.json file is specifically configured to allow it. But that protection can be bypassed through this flaw.

Even when this is patched, big data has made it almost absurdly easy to figure out supposedly anonymous users. Remember this New York Times article? Reporters chose a single random user from this list of 20 million Web search queries collected by AOL back in 2006. The Times was able to track her down, a 62-year-old widow who immediately recognized her web searches. So much for being anonymous! And that was back in 2006: imagine other data repositories and tools that are available now to track down individuals with relative ease.

So, realize that privacy isn’t the same as anonymity. Just because I do not know who you are does not mean that you have any privacy. Someone who captures my face when I am out on a remote hiking trail can still expose my location and my name through the auspices of Facebook’s facial recognition algorithms, and I could be tagged without my knowledge.

IT needs to understand the differences between privacy and anonymity, and be able to clearly communicate this information to its users. Part of this is having a clearly stated privacy policy on the corporate webpage – and then following it. (This one from email vendor Mailpile is exemplary.) They need to set policies for how the enterprise will track cookies, browsing sessions, metadata and the actual private details of their employees, if these items are tracked.

HPE Enterprise.Nxt: The rise of ransomware

Ransomware is a troubling trend. Novice criminals with little technical savvy and cheap software can generate big payouts and impact enterprise operations. Here’s what you need to know about the changing ransomware landscape. Ransomware happens to be the fifth most common form of malware, and is expected to see a 300 percent increase this year, according to MWR InfoSecurity. 

You can read my analysis here on HPE’s Enterprise.Nxt site. I review some of its history, highlight a few of the recent innovations with ransomware-as-a-service (such as this web dashboard from Satan shown here), and make a few suggestions on how to prevent it from spreading around your company.

iBoss blog: What is OAuth and why should I care?

The number of choices for automating login authentication is a messy alphabet soup of standards and frameworks, including SAML, WS-Federation, OpenID Connect, OAuth, and many others. Today I will take a closer look at OAuth and recent developments that favor this standard.

The idea behind all of these standards is to automate the login process, so your users don’t have to remember their many logins and passwords for connecting to various resources. That sounds great in theory, but getting the automation to work properly isn’t always easy or obvious. To pull this off, you have to conquer some technical challenges that involve just-in-time user provisioning, adapting to consumer-based SaaS services as well as supporting enterprise apps, and understanding exactly how they provide the automation itself.

OAuth began its life about seven years ago as an open standard created by Twitter and Google to handle authorization. It has seen a lot of revisions since then. OAuth now has two different versions in current usage; v2 is the most recent, more capable and more widely used. The two aren’t compatible and rely on two different standards specifications (more specifically, RFC 5849, superseded by RFC 6749). Today OAuth has dozens of supporters.

A good example of how OAuth is used is when two websites are trying to accomplish something on behalf of a user: both of them have to figure out how to approve the user and get that unit of work done. If you have to think of it as something, don’t call it a protocol: it actually is the authorization plumbing inside the authentication protocols. A good explanation of the more technical underpinnings of OAuth and its relationship to authentication and OpenID and SAML can be found here.

Okay, so having gotten that out of the way, where does OAuth show up in security practice? Typically, enterprises adopt OAuth through using a single sign-on tool, such as Ping Identity, Okta, or SecureAuth. These tools control the overall login process by connecting an identity provider, such as Active Directory, with a collection of applications. The actual process is that instead of a user directly entering their username and password into an app’s login screen, they work with an identity provider that encrypts and then federates their credentials to the apps as part of the authentication process. Once this chain of events is set up, a user doesn’t really see what happens: they click on an app and they are logged in properly. Corporate security managers like this process to be hidden, because then they don’t have to worry about resetting individual users’ passwords.

Another example is with iBoss’ Web Gateway Security. iBoss makes use of OAuth to integrate its security policies with users’ Google accounts to cover BYOD situations and manage guest wireless access. A customizable captive portal automatically binds these BYOD users to a variety of directory services including Active Directory, eDirectory, Open Directory, and LDAP.

Earlier this year, Google updated its G Suite with the ability to do OAuth apps whitelisting. This means that a site administrator can have more granular control over what third-party apps do with G Suite data. You can set up permissions for specific data types, such as allow access to your staff’s Google Drive documents but not their contact lists, for example. This prevents rogue apps from accessing data unintentionally.

OAuth isn’t perfect: attackers can still phish a user’s credentials during the authentication process using man-in-the-middle attacks, which is one of the reasons why Google is providing more control over OAuth across its SaaS app suite. And OAuth also doesn’t provide encryption or client verification: you will need to employ Transport Layer Security for these protective features. Nevertheless, it is being used for more apps and gaining wider acceptance, and should be a part of your security toolkit.
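The OAuth 2.0 authorization-code exchange that the post describes, simulated in-process with both sides present, as an added example that is not iBoss’s or any vendor’s code. It shows the two checks that blunt the man-in-the-middle and rogue-app problems mentioned above: the client binds the callback to its own request with a random state value plus a PKCE verifier, and the authorization server enforces a per-app scope whitelist in the spirit of the G Suite control. The client id, redirect URI and scope names are constructed, and TLS is assumed to wrap every hop.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed administrator whitelist (hypothetical scope names): the app may read Drive,
# but is not allowed to ask for the contacts list.
ALLOWED_SCOPES = {"demo-app": {"drive.readonly"}}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class AuthorizationServer:
    def __init__(self):
        self.clients = {"demo-app": "https://app.example/callback"}  # registered redirect URI
        self.codes = {}    # code -> (client_id, redirect_uri, scope, code_challenge)
        self.tokens = {}   # access token -> granted scope

    def authorize(self, params):
        """Handle GET /authorize; return the redirect URL the user's browser is sent to."""
        client_id = params["client_id"]
        if params["redirect_uri"] != self.clients.get(client_id):
            raise ValueError("redirect_uri does not match the registered value")
        denied = set(params["scope"].split()) - ALLOWED_SCOPES.get(client_id, set())
        if denied:
            raise ValueError(f"scope not whitelisted for this app: {sorted(denied)}")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, params["redirect_uri"], params["scope"],
                            params["code_challenge"])
        # state is echoed back untouched so the client can tie the response to its request
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Handle POST /token: the code is single-use and bound to redirect_uri and the PKCE verifier."""
        entry = self.codes.pop(form["code"], None)
        if entry is None:
            raise ValueError("unknown or already used authorization code")
        client_id, redirect_uri, scope, challenge = entry
        if form["client_id"] != client_id or form["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        expected = _b64url(hashlib.sha256(form["code_verifier"].encode()).digest())
        if not hmac.compare_digest(expected, challenge):
            raise ValueError("PKCE verification failed")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = scope
        return {"access_token": token, "token_type": "Bearer", "scope": scope}


class ClientApp:
    def __init__(self, server, client_id="demo-app", redirect_uri="https://app.example/callback"):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.pending = {}  # state -> code_verifier, one entry per in-flight login

    def start_login(self, scope):
        """Build the authorization request; state and verifier are remembered per login."""
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.pending[state] = verifier
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": state,
                "code_challenge": _b64url(hashlib.sha256(verifier.encode()).digest()),
                "code_challenge_method": "S256"}

    def finish_login(self, redirect_url):
        """Handle the browser's arrival at the callback URL and redeem the code for a token."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        verifier = self.pending.pop(q.get("state", ""), None)
        if verifier is None:
            raise ValueError("state mismatch: response is not bound to a login we started")
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                                  "code_verifier": verifier})


def run_flow(scope="drive.readonly"):
    """Full exchange: client -> AS /authorize -> browser redirect -> client -> AS /token."""
    server = AuthorizationServer()
    app = ClientApp(server)
    return app.finish_login(server.authorize(app.start_login(scope)))


def scope_denied(scope):
    """True if the administrator whitelist blocks a login asking for this scope."""
    try:
        run_flow(scope)
    except ValueError:
        return True
    return False


def forged_callback_rejected():
    """A callback that did not originate from our own request (wrong state) is refused."""
    server = AuthorizationServer()
    app = ClientApp(server)
    app.start_login("drive.readonly")
    try:
        app.finish_login("https://app.example/callback?code=attacker-supplied&state=bogus")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow())
```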

iBoss blog: The Dark Side of SSL Certificates

The world of SSL certificates is changing, as the certs become easier to obtain and more frequently used. In general, having a secure HTTP-based website is a good thing: the secure part of the protocol means it is more difficult to eavesdrop on any conversation between your browser and the web server. Despite their popularity, there is a dark side to them as well. Let’s take a closer look at my iBoss blog post this week.

iBoss blog: What Is the CVE and Why It Is Important

The Common Vulnerabilities and Exposures (CVE) program was launched in 1999 by MITRE to identify and catalog vulnerabilities in software or firmware and create a free lexicon to help organizations improve their security. Since its creation, the program has been very successful and is now used to link together different vulnerabilities and to facilitate the comparison of security tools and services. You now see evidence of its work by the unique CVE number that accompanies a malware announcement by a security researcher.

In my latest blog post for iBoss, I look at how the CVE got started, where it is used, and the important role it plays in sharing threat information.