Cyber Security Institute

Sunday, August 28, 2016

IR News Security - 2016-08-28

Table of Contents

  • Automate, integrate, collaborate: Devops lessons for security
  • Dragos Raises $1.2M in DataTribe-Led Seed Funding Round for Cyber Threat Operations Center; Robert Lee Comments
  • Cyber Pain Points: Failure to get buy-in for Incident Response Plan (IRP) in the top 10!
  • Cybereason Named a Top 'Disruptive Innovator' by Juniper Research
  • Confronting Cybersecurity Challenges Through US-Singapore Partnership – Analysis
  • The New EU Cybersecurity Directive: What Impact on Digital Service Providers?
  • CISO Hunting Tags: What threat hunting should mean to you
  • 4 Tips to Give You Greater Network Visibility and Prepare You to Survive a Breach
  • What’s next for threat intelligence?
  • RiskSense Selected Best Cyber Risk Management Software of the Year
  • InCommon Enters Proof of Concept for Federated Incident Response
  • AI will help virtualised data containers manage their own security, access control
  • Japanese government plans cyber attack institute

Automate, integrate, collaborate: Devops lessons for security
Enterprise security pros are often seen as heavy-handed gatekeepers obsessed with reducing risk.
They'd rather be viewed as enablers who help the organization complete tasks and gain access to needed data. 
To make that transformation, security teams must become faster, more efficient, and more adaptable to change.
That sounds a lot like devops. 
As more companies embrace devops principles to help developers and operations teams work together to improve software development and maintenance, those organizations also increasingly seek to embed security into their processes.
Continuous automated testing improves application security.
Increased visibility in operations improves network security. 
When data collection and analysis is automated, developers, security teams, and operations can work together.
The benefits go beyond application security.
Song describes an organization that saw sales drop dramatically after pushing out a feature update to their ecommerce application.
Was the problem with the update or with the application itself?
It turned out that the SSL certificate had expired.
With all the players in one place, it was easier to identify and fix the problem.
There is a "fusion of different operations and teams working together," she says. 
Security doesn't operate in a silo, Song says.
Removing barriers between teams gives security operations information about what is happening faster.
Faster alerts means security operations are looking at the problem earlier in the cycle, and better information on hand helps the team figure out a solution.
Link: Dragos Raises $1.2M in DataTribe-Led Seed Funding Round for Cyber Threat Operations Center; Robert Lee Comments 
Dragos will use the funds to establish a threat operations facility that will work to provide cyber threat detection services for industrial control systems and supervisory control and data acquisition platforms as well as develop technologies intended for ICS networks, the company said Wednesday.
Link: Cyber Pain Points: Failure to get buy-in for Incident Response Plan (IRP) in the top 10! 
Here’s the list of all 10 Pain Points:
-  Lack of a cross-functional “incident commander” to coordinate response across the organization
-  Incident response plans lack cross-organizational considerations and buy-in
-  Limited data classification guidance to help determine severity and guide incident response activities
-  Ill-defined processes (aka “pre-thought use cases”) for responding to high impact incidents
-  Lack of defined checklists or step-by-step procedures, including contact lists for response
-  Lack of consideration of the business impact when determining courses of action for response
-  Ill-defined or mixed use of event and incident taxonomy between responders
-  Lack of defined thresholds between events and incidents to aid in decision making
-  Limited or lack of pre-determined (aka “pre-canned”) external communication statements
-  Lack of training and exercise of “memory muscle” for the most likely or high risk incidents
Link: Cybereason Named a Top 'Disruptive Innovator' by Juniper Research 
Cybereason today announced that the company and its Military-Grade, Real-Time Detection and Response Platform have been named by Juniper Research as one of the Top Three ‘Disruptive Innovators to Watch in 2016.' Cybereason is the only cybersecurity company to make the watch list.

Confronting Cybersecurity Challenges Through US-Singapore Partnership – Analysis
As a key deliverable to PM Lee’s visit, Singapore’s Cyber Security Agency (CSA) and the US Department of Homeland Security (DHS) co-signed on 2 August a Memorandum of Understanding (MOU) on the Cooperation in the Area of Cybersecurity, which lays a foundation for cooperation on cyber-related issues. 
This agreement covers cooperation in key areas that include regular Computer Emergency Response Teams (CERT) to CERT information exchanges and sharing of best practices, coordination of cyber incident response, conducting new bilateral initiatives on critical infrastructure protection, and continued cooperation on cybercrime, cyber defense, and on regional capacity building. 
Singapore’s CSA has previously signed four other bilateral cyber MOUs, with France, the United Kingdom, India and the Netherlands.
The agreement with the US is the fifth and an important milestone for both countries.
It is the first cyber agreement between an ASEAN nation and the US.
While Singapore benefits from accessing knowledge about cyber threats and mitigation responses from the US, Washington will equally gain deeper insights into the cyber threats experienced by Singapore and potentially the South East Asia region. 
Both Singapore and the US are becoming more digitally dependent, with Singapore having aspirations to be the world’s first Smart Nation.
The creative use of information and communications technology (ICT) and Internet of Things (IOT) will undoubtedly bring about significant advances in the way we live, work and play through predictive and automated decision-making based on detailed collected data on individuals. 
From 16-18 August 2016, Singapore’s CSA, Ministry of Foreign Affairs and the US Department of State’s Third Country Training Programme hosted an ASEAN Cybersecurity workshop, the first of its kind.
This Singapore- and US-led diplomatic effort brought together ASEAN cyber officials from both policy and technical offices to discuss developing and implementing national cybersecurity strategies, cyber incident response, multi-stakeholder engagement, public-private partnerships and building a culture of cybersecurity. 
Singapore is in a unique position to take the necessary technological leadership role in enhancing its national cybersecurity posture while supporting the region.
The shared insights and experience by both Singapore and the US can be of considerable benefit to the ASEAN countries and to the larger global community as all nations continue to seek ways to improve their cybersecurity postures.
Link: The New EU Cybersecurity Directive: What Impact on Digital Service Providers? 
Considerable disagreement surrounded the inclusion of digital service providers within the draft NIS Directive, bringing opposition from the European Parliament, various Member States, and entities falling under the definition of "digital service provider." These opponents viewed cyberattacks on digital service providers as insufficiently significant and therefore argued against additional regulation, which would potentially negatively affect innovation.
While the final NIS Directive does extend to digital service providers, it subjects them to a lighter regulatory touch than essential service operators.[1] 
DSP services cover the three following categories (NIS Directive (Annex III)): "online marketplace," "online search engine," and "cloud computing services": 
"Online marketplace" covers "a digital service that allows consumers and/or traders to conclude online sales or services contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace." 
"Online search engine" covers "a digital service that allows users to perform searches of all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found." 
"Cloud computing service" means "a digital service that enables access to a scalable and elastic pool of shareable computing resources." 
Security Requirements.
The NIS Directive aims at implementation of "state of the art" measures.
It requires the following from DSPs: 
Identify and take appropriate technical and organizational measures to manage the risks facing the security of the network and information systems used in offering services within the EU. 
Take measures to prevent and minimize the impact of incidents affecting the security of their network and information systems on services offered within the EU, with a view toward ensuring service continuity. 
Incident Notification Requirements.
DSPs must promptly notify the competent authority or "Computer Security Incident Response Team" ("CSIRT") designated by the EU Member State of any incident having a substantial impact on the provision of a service offered within the EU.
Notifications must include information to enable the competent authority or CSIRT to determine the significance of any cross-border impact.
However, the notification should not expose the notifying party to increased liability. 
Regarding implementation of the NIS Directive, EU Member States are required to adopt a national strategy for the security of network and information systems, to designate a computer security incident response team (the national CSIRTs together form a network for addressing cross-border security incidents), and to take part in a strategic Cooperation Group through which Member States exchange information. 
National Strategy for the Security of Network and Information Systems.
EU Member States must adopt a national strategy defining the objectives, as well as appropriate policy and regulatory measures, in order to achieve a high level of security. 
Post-Notification Procedure.
After consulting the DSP concerned, the notified competent authority or CSIRT (and, where appropriate, the authorities or CSIRTs of other EU Member States concerned) may inform the public about individual incidents or require the DSP to do so, if it determines that public awareness is necessary to prevent an incident or respond to an ongoing incident, or where disclosure of the incident is otherwise in the public interest. 
The NIS Directive’s potential reach over entities established outside of the EU also calls for companies to evaluate whether their activities may bring them within the scope of the Directive.
As penalties for noncompliance are yet to be determined by each Member State, this is even greater reason for companies to ensure that they do not fall foul of the NIS Directive.

CISO Hunting Tags: What threat hunting should mean to you
The better your network security and the better engineered your security program, the better your incident response and threat hunting teams will have to be.
As your security team increases in skill and demonstrable capability in keeping the network closed, the threats that still get inside are more likely to have superlative capability.
Thus the teams that act as the shock absorber for incident response (CIRT and threat hunting) are going to need superlative skill, which means highly mature and, more importantly, well-funded programs.
At some point I’ll write a post talking about right-sizing and right-funding a security program from a realist point of view. 
A good log collection and netflow analysis capability is what allows you to hunt for threats.
Many people focus on current network traffic, looking for real-time anomalies; a world-class program will also keep netflow logged for a window of a year, because the hunt often runs backwards in time. 
Hunting takes on a sense of stalking: following indicators of possible compromise to particular hosts.
Things like beacons, web pages, slow machines, and other elements might get your notice. 
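One of the indicators named above, the beacon, is the classic thing to stalk in stored netflow: a compromised host calling home on a timer produces near-constant gaps between connections, which ordinary user traffic does not. The following is an added example, not code from the original post or its author, showing how to score flow records for that regularity; the record layout, the thresholds and the sample flows are constructed for illustration.

```python
"""Beacon-candidate detection over netflow-style records.

Added example, not code from the original post or its author. Flow records
are grouped by (src, dst, dst_port) and each group's inter-arrival times are
scored: malware calling home on a timer produces near-constant gaps, so a low
coefficient of variation (stdev / mean) across enough flows is a hunting lead
worth pulling the host for. The record layout, thresholds and the sample
flows below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_s, src, dst, dst_port, bytes).
# 10.0.0.5 -> 203.0.113.9:443 every 300 s with a few seconds of jitter
# (a beacon); 10.0.0.7 -> 198.51.100.20:80 at irregular, bursty times
# (ordinary browsing); 10.0.0.9 -> 192.0.2.4:53 with too few flows to judge.
_JITTER = [0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 1, 0]
FLOWS = [(1000 + 300 * i + j, "10.0.0.5", "203.0.113.9", 443, 412 + (i % 3))
         for i, j in enumerate(_JITTER)]
FLOWS += [(t, "10.0.0.7", "198.51.100.20", 80, b) for t, b in
          [(1000, 5120), (1004, 880), (1090, 23040), (1091, 640), (1300, 9800),
           (1302, 700), (1303, 1200), (1800, 44000), (2400, 300), (2401, 310)]]
FLOWS += [(1000, "10.0.0.9", "192.0.2.4", 53, 90),
          (1600, "10.0.0.9", "192.0.2.4", 53, 92),
          (1650, "10.0.0.9", "192.0.2.4", 53, 88)]


def group_flows(flows):
    """Bucket flows by (src, dst, dst_port), keeping (timestamp, bytes) per flow."""
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        groups[(src, dst, dport)].append((ts, nbytes))
    return groups


def periodicity(timestamps):
    """Return (mean_gap, cv) of the inter-arrival gaps, or None with < 2 gaps.

    cv is the coefficient of variation, stdev / mean: 0 means perfectly
    periodic, values near or above 1 mean the gaps are essentially random.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(flows, min_flows=8, max_cv=0.2):
    """Return beacon candidates, most regular first.

    min_flows guards against scoring a handful of coincidentally spaced
    connections; max_cv is the regularity cut-off. Both are assumed tuning
    values for this example, not figures from the original post.
    """
    candidates = []
    for (src, dst, dport), recs in group_flows(flows).items():
        if len(recs) < min_flows:
            continue
        score = periodicity([t for t, _ in recs])
        if score is None:
            continue
        mean_gap, cv = score
        if cv > max_cv:
            continue
        sizes = [b for _, b in recs]
        candidates.append({
            "src": src, "dst": dst, "dport": dport, "flows": len(recs),
            "mean_gap_s": round(mean_gap, 1), "gap_cv": round(cv, 3),
            # Near-identical payload sizes are a second tell for scripted traffic.
            "bytes_cv": round(pstdev(sizes) / mean(sizes), 3),
        })
    return sorted(candidates, key=lambda c: c["gap_cv"])


if __name__ == "__main__":
    for c in find_beacons(FLOWS):
        print(f'{c["src"]} -> {c["dst"]}:{c["dport"]}  flows={c["flows"]}  '
              f'mean gap={c["mean_gap_s"]}s  gap cv={c["gap_cv"]}  '
              f'bytes cv={c["bytes_cv"]}')
```

Only the 10.0.0.5 pair survives: the browsing host has ten flows but a gap cv above 1, and the DNS pair has too few flows to score. The caveat is that implants which randomise their sleep by a large fraction push the gap cv past a cut-off like 0.2; that is one reason for the long netflow retention the text recommends, since a longer window lets you lower the cut-off, widen the grouping (for example by destination only), or lean on the second tell, the payload-size regularity, before pulling a box.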
Whether you are randomly pulling boxes from production for examination or following a tip-off from network surveillance, hunting on a host usually starts in the file system and in memory.
There are ways to dump the memory of a host and then evaluate it for previously undetected malware.
SANS and others teach memory forensics courses that serve the threat hunting team well in skills development.
In my experience I have pulled boxes out of production that I thought were exploited, only to refute that hypothesis at a forensic level.
In other cases I pulled boxes from production that had no sign of issues and had twenty or more variants of malware infesting them.
Reliability and validity are not the same thing.
The dichotomy of discovery, and the nearly random nature of some of the processes, are what make the hunting analogy work.
You can stalk, you can hunt from a blind, or you can take whatever walks into your path.
It is all about looking for things that you didn’t know existed.
Your team needs to be active, persistent defensive agents on the network.
The time cost and the mission impact of interdicting a host both produce managerial reluctance.
That reluctance is well founded, because a host may have been exploited in ways that will result in downtime. 
I often get asked two questions: what is the role of honeypots/nets in threat hunting, and why do we do this?
On the first question, a honeypot is literally a sophisticated intrusion detection system.
From a realist point of view you can think of the honeynet as a sensor, or a trip line that gives you warning. 
You only have so many resources, and you only have so much time.
I shepherd my security teams closely to make sure nobody is burning out, and try to maintain a good work/life balance when leading teams.
Threat hunting in the short term creates more work for the teams in general.
Over the long term it decreases the CIRT team's time on response tasks and informs the security team of better protection measures, provided that you as a CISO enforce the security feedback loops and configuration controls that hunting on your network will illuminate. 
Threat feeds carry lots of indicators of compromise that can be used to defend your network.
Those feeds can be days behind the actual adversary, and they are not necessarily customized to your business, infrastructure, or political standing.
They are in fact part of the information security portion of the CISO portfolio, not the threat hunting portion.
The threat hunting group is looking for that last finite number of threats that make it through your world-class information security perimeter.
Since this means identifying the worst of the worst, and likely the most entrenched adversary, the whole reason you do this is to finally say you have reduced the surprise factor of network security management to a known level.

4 Tips to Give You Greater Network Visibility and Prepare You to Survive a Breach
No. 1: Ensure that you have logs, and that they are protected.
No. 2: Keep your database of systems and applications up-to-date. 
No. 3: Have a method to capture network traffic and to send alerts. 
No. 4: Make a plan for responding to a data breach and write it down.
Link: What’s next for threat intelligence? 
Nearly every security vendor wants to get in on the action and the majority of security operations groups are either being told by their management to get on board with it, or they’ve attended various security conferences and realised they need to add threat intelligence into their security program. 
At some stage, every CISO or SOC manager will be asked by management, concerned about the latest hack: What do you know about it?
How does it affect us?
What are we doing about it? 
A solid threat intelligence strategy provides you with a means of being proactive and ensuring that you’re on top of your cyber security, so that you’re in a position to answer these questions before they are even asked. 
On a network, there are only three things security operators need to deal with: noise, nuisance and threats. 
You need to filter out the noise (blocking it at the perimeter or detecting it and automatically remediating), focus on threats (the real gotchas that can negatively impact shareholder value) and determine if a nuisance is actually noise or a threat and deal with it accordingly. 
An effective threat intelligence platform helps organise the threats and provide the information you need to isolate what really matters. 
Once you are using threat intelligence to improve communications and focus your resources, you can start diving into risk management. 
A threat intelligence platform lets you take a more strategic view of the business critical assets you need to protect, the threats that are targeting these assets and the ways in which they are going about it, and the countermeasures you have in place.
Link: RiskSense Selected Best Cyber Risk Management Software of the Year 
SUNNYVALE, Calif. & ALBUQUERQUE, N.M.—(BUSINESS WIRE)—RiskSense® Inc., the pioneer and market leader in pro-active cyber risk management, today announced that the company’s cyber risk management platform was selected Best Cyber Risk Management Software of 2016 in the 8th Annual Security Products Magazine New Product of the Year Awards.
The RiskSense Platform was recognized for its innovations in intelligence-driven cyber risk analytics, which identify threats in near real-time based on business risk criticality across the entire attack surface of an organization, and prioritize closed-loop remediation efforts.
Link: InCommon Enters Proof of Concept for Federated Incident Response 
With InCommon interconnected to the global federation community, participants now have the opportunity to take part in and support policies and standards being developed internationally.
One of the most promising collaborations in this area is the Security Incident Response Trust Framework for Federated Identity (Sirtfi).
Developed by a working group comprising international research, campus, and federation operator community members, this framework and the related entity tags for IdPs and SPs serve as a first iteration of a global federated incident response approach. 
This proof of concept will include narrowly scoped support for Sirtfi, including:
-  Importing the Sirtfi entity attribute for those international IdPs and SPs that have chosen to adhere to the specification along with importing the REFEDS Security Contact metadata into InCommon metadata from eduGAIN.
-  Adding to the InCommon aggregate and exporting to eduGAIN the REFEDS security contact and the Sirtfi entity attribute on the entity descriptors of the following IdPs:
—    NCSA
—    LIGO
—    The University of Chicago
-  Adding the Sirtfi tag to several LIGO SPs
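The items above describe moving two pieces of SAML metadata between aggregates: the Sirtfi entity attribute and the REFEDS security contact. As an added example, not code from InCommon, REFEDS or the original article, the script below reads both out of a metadata aggregate and flags entities that assert Sirtfi without publishing a security contact, which is the pairing the proof of concept imports together. The attribute name, the Sirtfi value and the security contact-type URI are the ones REFEDS defines; the aggregate itself, the entityIDs and the addresses are constructed, with role descriptors trimmed to what the check reads.

```python
"""Reading Sirtfi assertions and REFEDS security contacts from SAML metadata.

Added example, not code from InCommon, REFEDS or the original article.
ASSURANCE_ATTR, SIRTFI and SECURITY_CONTACT are the identifiers REFEDS
defines; SAMPLE_METADATA is constructed and trimmed to the elements read.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REMD_NS = "http://refeds.org/metadata"
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"

SIRTFI_XML = f"""<md:Extensions><mdattr:EntityAttributes>
 <saml:Attribute Name="{ASSURANCE_ATTR}"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue>{SIRTFI}</saml:AttributeValue>
 </saml:Attribute></mdattr:EntityAttributes></md:Extensions>"""

# Constructed aggregate: an IdP asserting Sirtfi with a security contact, an
# SP with neither, and an SP asserting Sirtfi but publishing no security contact.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor Name="urn:example:aggregate"
  xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
  xmlns:saml="{NS['saml']}" xmlns:remd="{REMD_NS}">
 <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
  {SIRTFI_XML}
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <md:ContactPerson contactType="other" remd:contactType="{SECURITY_CONTACT}">
   <md:EmailAddress>mailto:security@example.edu</md:EmailAddress>
  </md:ContactPerson>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <md:ContactPerson contactType="technical">
   <md:EmailAddress>mailto:admin@example.org</md:EmailAddress>
  </md:ContactPerson>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp2.example.net/shibboleth">
  {SIRTFI_XML}
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_summary(ed):
    """Summarise one EntityDescriptor: roles, Sirtfi assertion, security contacts."""
    roles = []
    if ed.find("md:IDPSSODescriptor", NS) is not None:
        roles.append("IdP")
    if ed.find("md:SPSSODescriptor", NS) is not None:
        roles.append("SP")
    # Sirtfi is asserted via the assurance-certification entity attribute.
    sirtfi = any(
        (av.text or "").strip() == SIRTFI
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
        if attr.get("Name") == ASSURANCE_ATTR
        for av in attr.findall("saml:AttributeValue", NS)
    )
    # The REFEDS security contact is a ContactPerson carrying remd:contactType.
    contacts = []
    for cp in ed.findall("md:ContactPerson", NS):
        if cp.get(f"{{{REMD_NS}}}contactType") != SECURITY_CONTACT:
            continue
        for em in cp.findall("md:EmailAddress", NS):
            addr = (em.text or "").strip()
            contacts.append(addr[7:] if addr.lower().startswith("mailto:") else addr)
    return {"entityID": ed.get("entityID"), "roles": roles,
            "sirtfi": sirtfi, "security_contacts": contacts}


def sirtfi_report(metadata_xml):
    """Return one summary dict per EntityDescriptor in the aggregate, in order."""
    root = ET.fromstring(metadata_xml)
    return [entity_summary(ed) for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor")]


def sirtfi_without_security_contact(report):
    """Entities that claim Sirtfi yet give responders nobody to contact."""
    return [e for e in report if e["sirtfi"] and not e["security_contacts"]]


if __name__ == "__main__":
    report = sirtfi_report(SAMPLE_METADATA)
    for e in report:
        print(e["entityID"], "/".join(e["roles"]), "sirtfi" if e["sirtfi"] else "-",
              ", ".join(e["security_contacts"]) or "(no security contact)")
    for e in sirtfi_without_security_contact(report):
        print("FLAG: Sirtfi asserted without a security contact:", e["entityID"])
```

Run against a real InCommon or eduGAIN aggregate the same two lookups give a federation operator the list of who can be reached during a federated incident and who has asserted Sirtfi but left that contact out, which is the gap a responder discovers at the worst possible moment.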

AI will help virtualised data containers manage their own security, access control
Although virtualised data 'enclaves' offer the best control over enterprise data now, CISOs will increasingly rely on artificial intelligence (AI) technologies to keep ahead of changing threat exposures as data becomes increasingly “self controlling”, one leading security strategist has predicted. 
Organisations that use virtualised enclaves to contain and segregate enterprise data in mobile devices “are getting the best return on their investment,” Citrix chief security strategist Kurt Roemer told CSO Australia. “By mobilising data in an enterprise container that's treated as a set of project-based enclaves on the mobile device, your enterprise data never leaves your control.
That lets you focus resources on sensitive data and not just on the security technologies and controls that are supposed to apply to everything.” 
AI tools will be essential in “considering the workflows that take into account the different relationships, networks, and boundary conditions that help provide the right level of risk in the organisation,” Roemer said. “When you do that, it often leads you to different conclusions than you get on the network you may have in place right now.” 
Fully realising the potential of AI technologies will require a more mature perspective of the technology, he added, noting that most organisations still think of AI primarily as a tool for automating security log analysis. 
Those insights would become more evident as AI tools allowed security monitoring policies to extend to parts of the enterprise that might never normally be visible in the same context.
For example, AI might not only be used to look for anomaly conditions and alert administrators, but to monitor paths of communication between application components and automatically reroute that traffic if an issue is detected. 
These decisions will be adaptable based on the circumstances of access – for example, the location or device used by the person requesting access – and enforced at a highly granular level. “An AI based system will be able to look at intelligence systems, contracts, and business relationships, then decide whether a system should still be accessible and whether someone has the right to share that data or not,” Roemer said, noting that the 'all-access pass' – conventional user ID-and-password gateways – had to evolve. “Access needs to be continually evaluated and contextual,” he explained, “and ultimately data is going to need to be really self-controlling.
All of us change our situations throughout the day and your access needs to be constantly evolving to meet the unique risks of each of those situations.
Eliminating the all-access path is about making the access very specific to the risk that is presented.”

Japanese government plans cyber attack institute
The government of Japan will create an institute to train employees to counter cyber attacks.
The institute, which will be operational early next year, will focus on preventing cyber attacks on electrical systems and other infrastructure. 
The training institute, which will operate as part of Japan’s Information Technology Promotion Agency (IPA), is the first center for training in Japan to focus on preventing cyber attacks.
A government source said that the primary aims will be preventing a large-scale blackout during the Tokyo Olympics and Paralympics in 2020, and stopping leaks of sensitive power plant designs.

IT Security News - 2016-08-28

Table of Contents

  • France and Germany urge reform to access encrypted messages
  • The 3 Biggest Mistakes In Cybersecurity
  • What IT Pros Need To Know About Hiring Cyber-Security Hunt Teams
  • Best Practices For Data Center's Physical Security
  • 19% of shoppers would abandon a retailer that’s been hacked
  • Lost and stolen devices account for 1 in 4 breaches in the financial services sector
  • Cybercrime in India up 300% in 3 years: Study
  • Onapsis : Releases SAP Security In-Depth Publication for SAP HANA
  • BeyondTrust Survey Uncovers Growing Disparity Managing Privileged Access
  • How do you measure success when it comes to stopping Phishing attacks?
  • How to secure your remote workers
  • New approach needed to IT, says NIST's top cyber scientist
  • Security Leadership & The Art Of Decision Making
  • FCC proposes 5G cybersecurity requirements, asks for industry advice
  • Traffic, jammed: New report says DDoS attacks are up 211 percent
  • New breed of IT professional
  • APAC unprepared for security breaches: FireEye's Mandiant
  • SA’s new cybercrimes law explained
  • Get the Security Budget You Need and Spend It Wisely
  • Data breaches: Different regions, very different impacts
  • Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity
  • Global Cost of Cybercrime Predicted to Hit $6 Trillion Annually By 2021, Study Says
  • Got big data? The Cloud Security Alliance offers up 100 best practices
  • Privacy Shield data-transfer agreement now covers 200 companies
  • Security must be top of the manufacturing agenda
  • Security Conferences Abound: Which Should You Attend?
  • Fueling secure technology adoption in banks through a robust cyber security framework[India]
  • The Hidden Dangers Of 'Bring Your Own Body'
  • Vulnerability Spotlight: Multiple DOS Vulnerabilities Within Kaspersky Internet Security Suite
  • Cyberthreats Targeting the Factory Floor
  • Don’t Get Stranded without a Data Security Action Plan

France and Germany urge reform to access encrypted messages
French Interior Minister Bernard Cazeneuve met with his German counterpart, Thomas de Maiziere, on 23 August to discuss anti-terrorism proposals.
Following the meeting, Cazeneuve told the press in Paris that France and Germany will put forward a European initiative to tackle the problem of messaging encryption used by Islamist extremists, to be discussed at the EU summit taking place on 16 September. 
In particular, Cazeneuve said that messaging service operators such as Telegram, which has so far been reluctant to cooperate with the authorities, should be compelled to provide access to encrypted content to terrorism investigations.
The French minister urged the European Commission to pass new legislation targeting encrypted messaging services provided by both EU and non-EU companies, creating the right legal framework to strengthen national security.
Link: The 3 Biggest Mistakes In Cybersecurity 
Everyone, from the small business owner to senior executives in businesses of every shape and size, is confronting a seemingly insurmountable problem: constant and rising cyber security breaches.
It seems no matter what we do, there is always someone that was hacked, a new vulnerability exploited, and millions of dollars lost.
1) They think cyber security is a technology problem.
2) They follow a cyber security check list once-and-done.
3) They don't have a cyber security awareness training program in place.
Neither structure nor strategy will help if you ignore the most important element in cyber security: People.
In 2016 ISACA published the top three cybersecurity threats facing organizations that year.
They were, in order: social engineering (52%), insider threats (40%) and advanced persistent threats (39%).
Link: What IT Pros Need To Know About Hiring Cyber-Security Hunt Teams 
If your organization doesn't run its own threat analysis center, it may be worth hiring a hunt team to watch your back.
Here's what you need to know. 
At the RSA Conference in 2015, Joshua Stevens, enterprise security architect for HP Security, gave a presentation on hunt team skill sets and on the ways analytics and visualization tools can be used to help identify cyber threats. 
The qualifications cited in the presentation suggest hunt team members should have advanced intrusion detection and malware analysis skills, data science and programming skills, and a creative, analytical mindset. 
If you try to assemble an in-house hunt team, your own personnel may have to work harder to benefit from external incidents.
A vendor handling many clients, however, can apply what it learned from one client to protect its other customers.

Best Practices For Data Center's Physical Security
There are several criteria that you need to look into, and, no surprise, what we'll be discussing here is expensive, time-consuming and resource-intensive. 
- Constructed for physical protection: Build the exterior (walls, windows, and doors) of materials that provide ballistic protection. The grounds must also be protected, with physical equipment such as barriers in place to keep intruders from sneaking inside. 
- 24x7 backup power
- Cages, cabinets and vaults: These should be strong and rigid, ensuring the safety of the equipment residing inside. 
- Electronic access-control systems (ACSs) 
- Provisioning process: Another practice for controlling entry to the facility is a structured and documented provisioning process that anyone requesting access to the data center must go through. 
- Fire detection and fire suppression systems: The structure must be hard-wired with alarms backed by fire suppression systems, assuring fire safety. 
- Educate the entire team: Your staff must be educated about security.
Link: 19% of shoppers would abandon a retailer that’s been hacked 
The 2016 KPMG Consumer Loss Barometer report surveyed 448 consumers in the U.S. and found that 19% would abandon a retailer entirely over a hack.
Another 33% said that fears their personal information would be exposed would keep them from shopping at the breached retailer for more than three months. 
The study also looked at 100 cybersecurity executives and found that 55% said they haven't spent money on cybersecurity in the past year and 42% said their company didn't have a leader in charge of information security. 
The survey results, posted Tuesday online, found that retail and automotive industries were laggards in appointing leaders to assess cyberthreats and opportunities.
The financial services and tech industries were leaders.
Link: Lost and stolen devices account for 1 in 4 breaches in the financial services sector 
Bitglass is a vendor in the cloud access security broker (CASB) space.
What that means is that Bitglass is focused on ensuring organizations utilize strong security tools and processes to keep their data safe.
It's a busy space and one in which being seen as a thought leader is important; hence, Bitglass and its competitors invest lots of effort in creating content that is broadly useful to the industry. 
The report found that leaks within the financial services industry almost doubled between 2014 and 2015, with that increase looking set to continue through 2016.
All of the U.S.'s largest banks have suffered recent leaks, and in the first half of this year alone, five of the top 20 banks in the U.S. disclosed breaches. 
Key findings from the report include:
-  1 in 4 breaches in the financial services sector over the last several years were due to lost or stolen devices; 1 in 5 were the result of hacking.
-  14% of leaks can be attributed to unintended disclosures and 13% to malicious insiders.
-  Five of the nation's 20 largest banks have already suffered data breaches in the first half of 2016.
-  In 2015, 87 breaches were reported in the financial services sector, up from 45 in 2014.
-  In the first half of 2016, 37 banks have already disclosed breaches.
-  Over 60 organizations suffered recurring breaches in the last decade, including most major banks.
-  JP Morgan Chase, the nation's largest bank, has suffered recurring breaches since 2007.
The largest breach event, the result of a cyberattack, was widely publicized in 2014 and affected an estimated 76 million U.S. households.
-  Of the three major credit bureaus, the 2015 Experian leak was the largest, affecting 15 million individuals.
Link: Cybercrime in India up 300% in 3 years: Study 
The study revealed that in the past the attacks have mostly been initiated from countries such as the US, Turkey, China, Brazil, Pakistan, Algeria and the UAE, as well as from Europe, adding that with growing adoption of the internet and smartphones, India has emerged as one of the primary targets of cyber criminals.
Attackers can gain control of vital systems such as nuclear plants, railways, transportation or hospitals that can subsequently lead to dire consequences such as power failures, water pollution or floods, disruption of transportation systems and loss of life, noted the study.
In the US alone, there has been an increase of nearly 50 per cent in reported cyber incidents against its critical infrastructure from 2012 to 2015, it said.
The Indian Computer Emergency Response Team has also reported a surge in the number of incidents it handled, with close to 50,000 security incidents in 2015, noted the study, titled 'Protecting interconnected systems in the cyber era'.
Link: Onapsis : Releases SAP Security In-Depth Publication for SAP HANA 
Onapsis, the global experts in business-critical application security, today released SAP HANA System Security Review Part 2.
This publication analyzes SAP HANA Internal Communication Channels, details associated risk, and identifies how to properly audit an SAP HANA system.
As the 13th edition in the SAP Security In-Depth series, SAP HANA System Security Review Part 2 describes how to update the SAP HANA platform, noting new improvements in each Support Package.
Link: BeyondTrust Survey Uncovers Growing Disparity Managing Privileged Access 
PHOENIX—(BUSINESS WIRE)—BeyondTrust, the leading cyber security company dedicated to preventing privilege misuse and stopping unauthorized access, today unveiled the results of its definitive Privilege Benchmarking Study based on a worldwide survey of IT professionals.
The study demonstrates a widening gulf between organizations that adhere to best practices for privileged access management and those that do not. 
Top-tier companies were much more likely to have a centralized password management policy – 92 percent of them do, in contrast with just 25 percent of bottom-tier organizations.

Password cycling is also much more common among top-tier businesses; 76 percent of top-tiers frequently have passwords changed, whereas only 14 percent of bottom-tiers do.

Credential management formed another point of distinction, with nearly three-quarters (73 percent) identifying themselves as efficient in this area, compared to 36 percent of the bottom-tier companies.
More than two-thirds of top-tier companies (71 percent) can monitor privileged user sessions, and 88 percent can restrict access with a measure of granularity.

Among bottom-tiers, fewer than half (49 percent) can monitor sessions, and only 37 percent have granular capabilities to restrict access.
Among top-tier organizations, fully 9 out of 10 grant privileges to apps rather than users.
Among bottom-tier companies, this falls to 46 percent.

While it’s vital to evaluate the risks posed by individual apps and systems, only 6 percent of bottom-tier companies have tools that provide this capability – and, shockingly, 52 percent “just know” what the risks are.
Meanwhile, more than half of top-tier companies (57 percent) can make these assessments.

Top-tier companies are also more likely to actually conduct vulnerability assessments; 91 percent do, compared to just 20 percent of bottom-tier organizations.

How do you measure success when it comes to stopping Phishing attacks?
Some measured success based on clicks.
As such, if the employees avoid 80-percent of the Phishing emails delivered during an assessment, they see that as a win.
From there, the assessment moves to focusing on the 20-percent that did click links. 
No two Phishing attacks (simulated or real) are alike.
If an employee avoids an obvious scam based on delivery notifications, but later falls for a scam related to financial documents, that's a problem.
Yet, some organizations stop testing those who are successful during a given round of assessment.
This has the potential to create defensive gridlock. 
The general feeling among defenders was that an anti-Phishing "win" was a 10 to 20-percent click rate, meaning that 80 to 90-percent of the Phishing emails that went to the organization (testing or otherwise) were unsuccessful attempts.
In this case, clicks were inclusive of both links and attachments. 
Many also agreed that a layered defensive posture, as well as continuous assessment and training will help lower the impact of Phishing, but it wouldn't prevent it entirely.
Instead, better compromise detection, and improved response times should be part of any anti-Phishing program. 
"The average failure rate (of the client) of a Phishing/spear-Phishing campaign is usually between 60 to 80-percent - a pretty astronomical number.
However, if we carry those metrics through six months down the road after further security awareness training and tuning of technologies (spam filters, etc.), I've seen this number drop by as much as 30-percent," Blow said.

How to secure your remote workers
Public wifi is insecure by nature—it requires no authentication to connect to the network, allowing cybercriminals to easily intercept the connection and distribute malware.
Hackers can also spoof public wifis by creating fake access points and mimicking the names of legitimate connections.
If you’re in a coffee shop and the shop’s wifi name is COFFEE_SHOP-WIFI, they might call theirs COFFEE_SHOP_FREE_WIFI.
Users would have no idea they had connected to the wrong one, since they’d be able to browse the Internet with no apparent interference.
Those connecting to rogue access points can have all of their traffic harvested in plain text, including passwords and other sensitive company data. 
With the onus on remote workers to keep their machines updated, there’s a lot of room for error.
Out-of-date software, plugins, and browsers, plus unpatched and unprotected systems leave remote employees even more vulnerable to attack. 
Remote workers with unpatched systems are especially vulnerable to malvertising campaigns and their associated exploit kits, an estimated 70 percent of which drop ransomware payloads these days.
According to a recent survey by Osterman Research, nearly 40 percent of businesses have been victims of a ransomware attack in the last year—and unprotected endpoints are part of the problem. “Part of the reason [that there are so many attacks] is that we have people that are using their own devices, they’re using corporate devices, and also privacy regulations in the U.S. aren’t as strict as in other countries,” says Mike Osterman, President of Osterman Research. “So there’s a lot of information that’s not as protected as it needs to be, a lot of endpoints that aren’t as protected.” 
Here are eight ways that businesses can better secure their remote workers. 
- Switch to cloud-based storage. 
- Encrypt devices, when possible. 
- Create secure connections to the company network. 
- Roll out automatic updates. 
- Use an encrypted email program. 
- Implement good password hygiene. 
- Increase user awareness. 
- Deploy an endpoint security program.
Link: New approach needed to IT, says NIST's top cyber scientist 
No amount of security software, firewalls or anomaly detection systems can protect an IT infrastructure that's fundamentally insecure and a new approach to computer architecture is required to deal with the looming cybersecurity crisis, the National Institute of Standards and Technology's top computer security scientist told the president's commission on long-term cybersecurity. 
The "only way" to address the looming cybersecurity crisis is "to build more trustworthy secure components and systems," Ron Ross told the Commission on Enhancing National Cybersecurity during a Tuesday meeting in Minneapolis. 
Security, he observed, "does not happen by accident." Things like safety and reliability need to be engineered in from the beginning, he argued, comparing the process to the "disciplined and structured approach" used to design structurally sound bridges and safe aircraft. 
This new approach "will require a significant investment of resources and the involvement of essential partnership including government, industry, and the academic community," said Ross, comparing it to the moonshot of the 1960's.

Security Leadership & The Art Of Decision Making
What a classically-trained guitarist with a Master's Degree in counseling brings to the table as head of cybersecurity and privacy at one of the world's major healthcare organizations. 
Bishop Fox’s Vincent Liu sat down recently with GE Healthcare Cybersecurity and Privacy General Manager Richard Seiersen in a wide-ranging chat about security decision making, how useful threat intelligence is, critical infrastructure, the Internet of Things, and his new book on measuring cybersecurity risk.
We excerpt highlights below.
You can read the full text here. 
Vincent Liu: How has decision making played a part in your role as a security leader? 
Richard Seiersen:  Most prominently, it’s led me to the realization that we have more data than we think and need less than we think when managing risk.
In fact, you can manage risk with nearly zero empirical data.
In my new book “How to Measure Anything in Cybersecurity Risk,” we call this “sparse data analytics.” I also like to refer to it as “small data.” Sparse analytics are the foundation of our security analytics maturity model. 
VL: If you’re starting out as a leader, and you want to be more “decision” or “measurement” oriented, what would be a few first steps down this road? 
RS: Remove the junk that prevents you from answering key questions.
I prefer to circumvent highs, mediums, or lows of any sort, what we call in the book “useless decompositions.” Instead, I try to keep decisions to on-and-off choices.
When you have too much variation, risk can be amplified.
Most readers have probably heard of threat actor capability.
This can be decomposed into things like nation-state, organized crime, etc.
We label these “useless decomposition” when used out of context. 
VL: How useful is threat intelligence, then? 
RS: We have to ask—and not to be mystical here—what threat intelligence means.
If you’re telling me it is an early warning system that lets me know a bad guy is trying to steal my shorts, that’s fine.
It allows me to prepare myself and fortify my defenses (e.g., wear a belt) at a relatively sustainable cost.
What I fear is that most threat intelligence data is probably very expensive, and oftentimes redundant noise. 
VL: Where would you focus your energy then? 
RS: For my money, I would focus on how I design, develop, and deploy products that persist and transmit or manage treasure.
Concentrate on the treasure; the bad guys have their eyes on it, and you should have your eyes directed there, too.
This starts in design, and not enough of us who make products focus enough on design.
Of course, if you are dealing with the integration of legacy “critical infrastructure”-based technology, you don’t always have the tabula rasa of design from scratch.
Link: FCC proposes 5G cybersecurity requirements, asks for industry advice 
The FCC published a request Wednesday for comment on a new set of proposed 5G rules in the Federal Register, focused on adding specific “performance requirements” for developers of, for example, internet-connected devices. 
“Cybersecurity issues must be addressed during the design phase for the entire 5G ecosystem, including devices.
This will place a premium on collaboration among all stakeholders," said FCC Chairman Tom Wheeler during a National Press Club event on June 20. "We continue to prefer an approach that emphasizes that industry develop cybersecurity standards just as we have done in wired networks." 
In addition to a structured security strategy, the FCC’s 5G application process will require organizations to share their ongoing participation in threat intelligence and other data sharing programs — such initiatives include the likes of the Cyber Threat Alliance. 
A quick review of the FCC’s proposed 5G cybersecurity plan shows a six-category split, organized by a company's security approach, coordination efforts, standards and best practices, participation with standards bodies, other security approaches and plans with information sharing organizations.
Link: Traffic, jammed: New report says DDoS attacks are up 211 percent 
Distributed denial of service attacks are on the rise across the globe, as opportunistic Dark Web dealers increasingly sell hacking-as-a-service products, according to a new threat intelligence report compiled by Imperva, a California-based cybersecurity firm. 
The company measured threats faced by its customers during a roughly one-year time period, seeing a 211 percent year-over-year increase in attacks. 
The firm largely attributed this apparent growth to the establishment of several botnet operations — which serve as a platform to automate and increase attack volume — and malicious actors’ ability to access greater bandwidth to help generate and use such weapons.
Dark Web dealers are using these botnets, according to Imperva, to offer more effective cyber tools to would-be customers.
Link: New breed of IT professional 
IT professionals are now integral to business decisions and have a much more visible role in protecting sensitive data.
They’re also increasingly expected to manage information privacy when key privacy positions aren’t filled or simply don’t exist. 
IT professionals today must translate what they’re seeing in their threat-intelligence and risk-management efforts into business impact. 
IT professionals who think they can fight security and privacy battles alone have already lost the war. 
An open mind and flexible approach can go a long way in helping keep IT professionals relevant in today’s organization. 
Link: APAC unprepared for security breaches: FireEye's Mandiant 
In its latest report, Mandiant M-Trends Asia Pacific, the cyberforensics firm found that organisations across APAC allowed attackers to dwell in their environments for a median period of 520 days before discovering them—three times the global median of 146 days. 
Mandiant said APAC organisations cannot defend their networks from attackers because they frequently lack basic response processes and plans, threat intelligence, technology, and expertise. 
The report found that APAC was almost exclusively targeted by some attacker tools, with one suspected Chinese threat group, APT30, targeting highly sensitive political, economic, and military information for at least a decade. 
Mandiant said that during its investigations, it found that most organisations depended only on antivirus software to detect malicious persistence mechanisms. 
"Antivirus software is a signature-based technology that cannot detect every malicious event across an entire estate," the company said. 
"To significantly improve, organisations must bring together the technology, threat intelligence, and expertise necessary to quickly detect and respond to cyber attacks."
Link: SA’s new cybercrimes law explained 
A new Cybersecurity Bill is coming into effect later this year which aims to stop cybercrime and improve security for South Africans.
SEAN DUFFY, Security Executive at Dimension Data Middle East & Africa, explains the basics of the bill. 
The Cybercrimes Bill affects everyone using a computer or the Internet, or anyone who owns an information infrastructure that could be declared critical.
Among others, the following individuals and organisations should take note: ordinary South African citizens or employees using the Internet, network service providers, providers of software and hardware tools, financial services providers (the Bill includes prohibited financial transactions), representatives from government departments, those involved with IT regulatory compliance, as well as information security experts. 
The Cybercrimes Bill consolidates South Africa’s cybercrime laws, which makes successful prosecution of criminals more likely.
Up until now, cyber offences were charged under various acts, among others the Prevention of Organised Crime Act, and the Electronic Communications and Transactions (ECT) Act of 2002.
The ECT Act seemed to govern most online crime, but only included three cybercrime offences. 
Penalties on conviction are quite severe.
Penalties include fines of R 1 – R 10 million and imprisonment of one to ten years, depending on the severity of the offence.
The nature of the crime determines the penalty. 
Incidents will happen, but it’s how an organisation responds that matters.
Government is working on establishing a legal mechanism for anyone to defend themselves against cybercrime.
However, organisations need to be more proactive in their security through the use of services such as incident response plans, real-time threat management, vulnerability management and managed security services.
Link: Get the Security Budget You Need and Spend It Wisely 
It’s challenging for a CISO to get budget for cybersecurity.
Your board of directors really wants to spend that IT money on projects and solutions that will expand the business and bring in more revenue.
That’s what your shareholders value. 
As breaches become more commonplace, your colleagues and customers become desensitized to the potential impact of a breach, which can downgrade their sense of urgency to protect assets in advance.
New CISOs sometimes report being given no security budget at all. 
So how do you show that there is value in investing in cybersecurity and justify a proper security budget?
There isn’t an ROI in the way that most company accountants understand it.
Much of the time you have to rely on your experience and judgment, as well as the competing claims of security vendors — none of which helps you build a compelling case when you are being asked to assess the return on the investment and tell the board members why they should spend their money on your security budget. 
A team of researchers at the Robert H. Smith Business School at the University of Maryland developed and refined an economics-based model to help businesses with this exact problem. 
The researchers produced an informative video to show the basics of the model and their research findings.
The video distills years of research into a four-step process to help you determine where your security budget is best spent.
The basic principles are similar to those proposed by many experienced security consultants — with some key refinements. 
First, classify your assets by value in terms of cost of a potential breach as well as vulnerability to a breach.
Then, estimate the degree to which the solution in question will reduce the likelihood of a breach.
Some simple statistics then show you how to maximize the return on your cybersecurity investment. 
Surprisingly, it’s not always best to set out to protect your most obvious assets.
Sometimes the costs of fully protecting the most vulnerable assets are impractically high.
From a business return standpoint, you may be better off protecting a larger number of less vulnerable assets. 
The researchers used their model against real-life scenarios and found that, for most use cases, your cybersecurity budget should not exceed 37 percent of the expected losses due to a security breach.
This is the point at which the costs usually (but not always) start to outweigh the expected benefits. 
The beauty of the Gordon-Loeb model is that it gives you a framework to derive costs versus benefits for different levels of investment.
They are clear that there are use cases where it does not apply, however: For example, in a case where the breach of an asset would lead to catastrophic loss. 
No model should be relied upon prescriptively, but going through the modeling exercise when you assess your security risk should at least help you review and refine your thinking.
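The two steps above (value each asset by its loss and its vulnerability, then estimate how much a control reduces breach likelihood) and the 37 percent ceiling are easier to follow with numbers. The following Python is an added worked example, not code from the article or from the Maryland researchers. It uses the Gordon-Loeb model's own symbols (v for breach probability, L for loss, z for investment) together with the "Class I" breach-probability function from Gordon & Loeb's 2002 paper, S(z, v) = v^(alpha*z + 1); the productivity parameter alpha and the sample asset portfolio are constructed values chosen for illustration, and the fact that the most vulnerable asset gets no investment at all is a property of that function with those parameters, not a general law.

```python
"""
Worked Gordon-Loeb example (added illustration; not from the article).

Symbols follow the Gordon-Loeb model:
  L       monetary loss if the asset is breached
  v       current breach probability ("vulnerability") of the asset
  z       amount invested in protecting the asset
  S(z,v)  breach probability after investing z
The article's "37 percent" figure is the model's bound z* <= (1/e) * v * L:
the optimal spend never exceeds ~36.8% of the expected loss v * L.
S(z,v) = v ** (alpha*z + 1) is the "Class I" function from Gordon & Loeb's
2002 paper; alpha (productivity of security spend) is an assumed parameter.
"""
import math

INV_E = 1.0 / math.e  # the ~37% ceiling quoted in the article


def breach_probability(z, v, alpha):
    """S(z, v) = v^(alpha*z + 1): equals v at z = 0 and falls toward 0
    as z grows, with diminishing returns."""
    return v ** (alpha * z + 1.0)


def expected_net_benefit(z, v, L, alpha):
    """ENBIS: expected loss avoided by spending z, minus z itself."""
    return (v - breach_probability(z, v, alpha)) * L - z


def optimal_investment(v, L, alpha):
    """Closed-form maximiser of ENBIS over z >= 0.

    d(ENBIS)/dz = 0 gives v^(alpha*z + 1) = -1 / (alpha * L * ln v).
    ENBIS is concave in z, so a negative root means the best
    non-negative choice is to invest nothing in this asset.
    """
    if not 0.0 < v < 1.0:
        raise ValueError("v must be strictly between 0 and 1")
    if L <= 0 or alpha <= 0:
        raise ValueError("L and alpha must be positive")
    target = -1.0 / (alpha * L * math.log(v))   # > 0 because ln v < 0
    z_star = (math.log(target) / math.log(v) - 1.0) / alpha
    return max(z_star, 0.0)


def investment_ratio(v, L, alpha):
    """z* as a fraction of the expected loss v*L (bounded by 1/e)."""
    return optimal_investment(v, L, alpha) / (v * L)


def plan_portfolio(assets, alpha):
    """Apply the article's two steps to a set of assets.

    `assets` maps an asset name to (v, L): step one values each asset by
    its loss and its vulnerability; step two finds how much protection
    each one can economically justify. Returns name -> summary dict.
    """
    plan = {}
    for name, (v, L) in assets.items():
        z = optimal_investment(v, L, alpha)
        plan[name] = {
            "expected_loss": v * L,
            "invest": z,
            "breach_probability_after": breach_probability(z, v, alpha),
            "net_benefit": expected_net_benefit(z, v, L, alpha),
        }
    return plan


# Constructed portfolio (hypothetical values): the same loss for every
# asset, differing only in how vulnerable each one is today.
SAMPLE_ASSETS = {
    "customer_db":  (0.90, 1_000_000.0),   # the "obvious", most exposed asset
    "hr_records":   (0.50, 1_000_000.0),
    "web_frontend": (0.20, 1_000_000.0),
    "build_server": (0.05, 1_000_000.0),
}
ALPHA = 1e-5   # assumed productivity of security spend (per currency unit)

if __name__ == "__main__":
    for name, row in plan_portfolio(SAMPLE_ASSETS, ALPHA).items():
        share = row["invest"] / row["expected_loss"]
        print(f"{name:13s} expected loss {row['expected_loss']:>10,.0f}  "
              f"invest {row['invest']:>9,.0f} ({share:.1%} of expected loss)  "
              f"net benefit {row['net_benefit']:>9,.0f}")
```

Running the block prints one row per asset. With these constructed parameters the asset at v = 0.5 justifies roughly 179,000 of spend (about 35.9 percent of its 500,000 expected loss, under the 1/e ceiling), while the asset at v = 0.9 justifies nothing: the marginal reduction in breach probability at z = 0 is already worth less than the marginal cost, which is the "impractically high" case the article describes. The ceiling is a bound on the optimum, not a budget target, and the article's caveat about catastrophic losses still applies, since the model assumes L is a finite, estimable number.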
Link: Data breaches: Different regions, very different impacts 
A Deloitte report on the business impact of a cyber attack recently showed that 89% of the impact of a breach comes from three factors: 
- Value of lost contract revenue;
- Devaluation of trade name; and
- Lost value of customer relationships.
It is important to note that these factors look quite different from an EU perspective.
Most EU companies are not currently required to notify regulators or customers after a data breach, as opposed to the US, where 47 out of 50 states have mandatory notification laws.
As a result, several main impacts (which are felt heavily in the US) are either non-existent or less visible in the EU, including: 
- Cost
- Scrutiny
- Pressure
As a result of these differences, EU companies are less incentivised to improve cyber security.
The EU market for cyber insurance is consequently less mature than in the US – where products have been developed to transfer the costs of business disruption, customer notification, and identity theft protection. 
However, this situation will change over the next two years, as the EU General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive come into force in mid-2018.
Both pieces of legislation will increase the number of companies and sectors that will have to report breaches to their national regulator – and possibly to customers – within 72 hours (GDPR) or without “undue delay” (NIS Directive) depending on the severity of the breach.
Link: Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity 
On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information. 
According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an attacker infiltrated the e-retailer’s website.
Nearly one year later, the e-retailer’s merchant bank notified it that fraudulent charges were appearing on customers’ credit card accounts.
The e-retailer then hired a cybersecurity firm to conduct a forensic investigation, and the malware was discovered and removed from the e-retailer’s website. 
Besides the obvious lesson of complying with state data breach notification laws where applicable, the other important lesson is that companies must carefully evaluate how they market the privacy and security of their e-commerce platforms.
Federal and state agencies, like the Federal Trade Commission (FTC) and state attorneys general, have increased their scrutiny of companies’ privacy and cybersecurity representations.
Regulators will also scrutinize companies’ actual cybersecurity practices.
The FTC has offered some practical advice to guide companies in this regard, some of which we have previously discussed here and here.
Bottom line: Companies should prioritize cybersecurity and treat it as an investment rather than a cost.

Global Cost of Cybercrime Predicted to Hit $6 Trillion Annually By 2021, Study Says
A report out by Cybersecurity Ventures predicts global annual cybercrime costs will grow to $6 trillion by 2021. 
While a $6 trillion estimate might be a little high, “a trillion dollars plus is a real possibility,” says Larry Ponemon, chairman and founder of the Ponemon Institute.
Though this isn’t a number he saw coming down the pipeline. “If you asked me five or six years ago, I’d fall over,” he says.   
The predicted cybercrime cost takes into account all damages associated with cybercrime including: damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
It does not include the cost incurred for unreported crimes. 
The Cybersecurity Ventures report, which is a compilation of cybercrime statistics from the last year, also predicts that the world’s cyberattack surface will grow an order of magnitude larger between now and 2021.
Link: Got big data? The Cloud Security Alliance offers up 100 best practices 
For companies working with distributed programming frameworks such as Apache Hadoop, for example, the CSA recommends using Kerberos authentication or an equivalent to help establish trust. 
Companies that use nonrelational data stores such as NoSQL databases, meanwhile, are hampered by the fact that such products typically include few robust embedded security features, the report's authors say.
For that reason, they suggest using strong encryption methods such as the Advanced Encryption Standard (AES), RSA, or Secure Hash Algorithm 2 (SHA-256) for data at rest. 
Also included in the report are suggestions for real-time security and compliance monitoring, privacy-preserving analytics, data provenance, cryptographic techniques, and more.
The handbook is now available as a free download. 
Market researcher Gartner, meanwhile, predicts that the improper use of big data analytics will cause half of all businesses to experience ethics violations by 2018.
Link: Privacy Shield data-transfer agreement now covers 200 companies 
Companies must register with the International Trade Administration of the U.S. Department of Commerce to be covered.
It's a self-certification process, so the ITA is only checking that the forms are filled in correctly, not that companies are necessarily complying with all 13,894 words of the rules.
The Privacy Shield rules are needed to ensure that EU citizens' personal information is afforded the same legal protection in the U.S. as required under EU law. 
There are now 200 companies standing behind Privacy Shield, the framework agreement allowing businesses to process the personal information of European Union citizens on servers in the U.S. 
Some 5,534 organizations signed up to Safe Harbor before the court ruling came, with the certification status still listed as "current" for 3,375 of them.
Link: Security must be top of the manufacturing agenda 
In order for manufacturers to be fully prepared, embedding security within manufacturing technology at the point of origin and ensuring end-user environments are as secure as possible are the most effective ways to mitigate such vulnerabilities significantly.
Because these systems have traditionally been isolated from office networks and the internet by air-gapping, industrial hardware and software was not designed with security in mind; rather, it was intended to function within a closed environment. 
Within modern industries, however, we see an increased demand for real time data and remote access services.
Previously separate systems are now interconnected with other company networks, exposing the hardware, services and protocols to attackers.
The popularity of WirelessHART products shows a significant shift among manufacturers to integrate and utilise networked technology to increase efficiencies within their businesses.
The benefits of this technology are undeniable, allowing manufacturers with legacy systems to swiftly and cheaply upgrade their existing systems to a level of productivity arguably comparable to fully digital environments. 
For a business to fully secure its industrial environment, the education of staff on security best practices must become an essential element of day-to-day activities.
A focussed approach to training and awareness enables staff to better understand the threats that affect their work environments – it is therefore essential for all personnel to fully understand the security risks relevant to their duties, thus minimising the risks associated with a successful cyber-attack.
Link: Security Conferences Abound: Which Should You Attend? 
There is normally a hiatus in security conferences between September and February that allows those of us who have been drinking from the fire hose to stop and take a breath.
This breathing space permits us to implement, adjust, engage and otherwise ensure we are where we need to be with respect to securing our data, our clients’ data and our customers’ data.
The hiatus also gives us the opportunity to decide which security conferences will give us the biggest bang for our buck in terms of education and industry awareness in the coming year. 
ShmooCon 2017 is a three-day security conference taking place in Washington, D.C. in January 2017.
The format lends itself to those engaged in maintaining and breaking cybersecurity devices, networks and appliances. 
The Cyber Threat Intelligence Summit is a two-day security conference hosted by the SANS Institute in Arlington, Virginia.
Four days of training seminars and classes will precede the conference in late January 2017. 
The RSA Conference is the largest of all the security conferences, to be held in San Francisco in mid-February 2017.
In the run up to the conference, we will see major vendors release a plethora of new studies and product announcements.
Then there’s a multitude of agnostic and vendor-driven training forums.
Many will find the enormous expo areas an excellent means by which to learn about solutions from vendors and receive some introductory training on these tools. 
The International Association of Privacy Professionals (IAPP) hosts a variety of global conferences focused on educating attendees on the broad topic of privacy. 
InterConnect is IBM’s premier annual conference for security, cloud and mobile.
The 2017 event is scheduled for mid-March in Las Vegas and will once again feature more than 2,000 sessions, ranging from deep-dive technical demonstrations to business content to hands-on labs and workshops. 
InfoSec World is a security conference and expo scheduled to take place in ChampionsGate, Florida, in April 2017.
The conference will feature security practitioners who speak from experience on the real-world challenges companies are facing today. 
The international Forum of Incident Response and Security Teams (FIRST) Conference will take place in San Juan, Puerto Rico, in June 2017.
Those involved in incident response at the national, local or enterprise level will benefit from attending. 
The Black Hat security conferences are held in Las Vegas each summer and elsewhere in the world (in Asia and Europe) at varying times.
According to the organizers, more than two-thirds of attendees are information security professionals with the CISSP distinction.
The conference is light on vendor displays and heavy on practical demonstrations of new exploits and discoveries, so it’s definitely a worthwhile event for security professionals and those IT workers on the ground. 
DEF CON takes place annually in Las Vegas, and the next conference will occur in late July 2017.
The organizers bill the conference as “the hacking conference,” and past attendees will certainly attest to the veracity of this claim. 
While the aforementioned security conferences are by no means all-inclusive, they are always on this writer’s calendar for consideration.
They should be on yours as well.
Link: Fueling secure technology adoption in banks through a robust cyber security framework[India] 
The threat landscape is evolving and, in light of the increased adoption of technology by banks as part of the country’s move towards a cashless economy, the Reserve Bank of India (RBI) has recently mandated the creation of a Cyber Security Framework to fortify the security posture of banks.
Banks are now mandated to formulate a Cyber Crisis Management Plan (CCMP) which will address the aspects of detection, response, recovery and containment. 
Security is becoming a part of boardroom agenda across organizations and as rightly recognized by RBI, security should not be an IT-only concern.
The RBI also reiterates the key role of the CISO in bridging business needs with IT needs: cybersecurity policies should be distinct from an organization's broader IT policy, specifically highlighting the risks from cyber threats and the measures for their mitigation.
The information-centric model should cover envisioning the information infrastructure, information intelligence, and information governance.
Following the RBI advisory, banks have undergone gap assessments as the initial step and would have submitted their analysis by July 31.
The roadmap to an all-inclusive cybersecurity infrastructure will be challenging: banks will face difficulties with implementation, costs, investments, organizational arrangements and so on.
However, the goal, once achieved, will be a huge leap towards a robust, secure banking ecosystem.

The Hidden Dangers Of 'Bring Your Own Body'
1) Who, exactly, has ownership of this data?
2) How should the business manage this data? 
There may not be that much biometric data currently in the average enterprise, but its use is on the rise.
Both the private and public sectors probably (and legally) have some of your biometric data right now.
If you’ve ever worked for a government-affiliated organization and achieved any type of security clearance, it has your fingerprint data.
If you have a US driver's license—even if you have no criminal record—there's a good chance that the FBI is already analyzing your photo for a facial-recognition database.
The information that HR departments handle on a regular basis—Social Security numbers, home addresses, health insurance details, tax information, etc.—all pose threats to privacy and security that are practically incomparable to traditionally stolen data types such as credit card numbers. 
The key objective for the immediate future is to determine what is within the realm of control, and how security can be strengthened for the locations where sensitive items are most likely to reside.
This relatively simple task today will be important for the future, regardless of how common biometric data becomes in business.
Link: Vulnerability Spotlight: Multiple DOS Vulnerabilities Within Kaspersky Internet Security Suite 
Talos has discovered multiple vulnerabilities in Kaspersky’s Internet Security product which can be used by an attacker to cause a local denial of service attack or to leak memory from any machine running Kaspersky Internet Security software. 
The vulnerabilities affect Kaspersky Internet Security 16.0.0, KLIF driver version, but may affect other versions of the software too.
Since anti-virus software runs with low-level privileges on any system, vulnerabilities in such software are potentially very interesting for attackers.
Although these vulnerabilities are not particularly severe, administrators should be aware that security systems can be used by threat actors as part of an attack, and keep such systems fully patched. 
Vulnerabilities discovered by Piotr Bania and Marcin ‘Icewall’ Noga of Cisco Talos.
Link: Cyberthreats Targeting the Factory Floor 
Cyberattacks targeting manufacturing companies are on the rise, according to a recent report from IBM X-Force Research’s 2016 Cyber Security Intelligence Index.
The report noted that the sector is the second most-attacked industry behind healthcare.
Automotive manufacturers were the top targets for criminals, accounting for almost 30% of all cyberattacks in 2015, while chemical companies were attackers’ second-favorite targets. 
Most manufacturing companies are behind the curve on security.
The Sikich report noted that only 33% of the manufacturers it surveyed were performing annual penetration testing within their IT groups.
When it comes to ICS networks, even less is being done to secure them.
Because of lax security standards, manufacturers are leaving themselves exposed at every point of their networks. 
One of the biggest security challenges manufacturers face is dealing with the variety of different communication protocols used in ICS networks. 
Standard data plane protocols like Modbus and DNP3 are used by HMI/SCADA/DCS applications to communicate physical measurements and process parameters such as current temperature, current pressure, valve status, etc. 
Meanwhile, the control plane protocols — which are used to configure automation controllers, update their logic, make code changes, download firmware, etc. — are proprietary and vendor-specific.
Each vendor uses its own implementation of the IEC-61131 Standard for Programmable Controllers.
These implementations are rarely documented, making it very difficult to monitor critical activities. 
Contrary to popular belief, exploiting this gap is not extremely difficult.
Once inside the network, an attacker can easily download control logic to an industrial controller or change its configuration.
Since these actions are executed using proprietary vendor-specific protocols, there is no standard way to monitor these control plane activities.
As a result, changes made by an attacker can go unnoticed until damage starts to occur. 
Gaining visibility into ICS networks is the first step in being able to protect them from cyberthreats.
Discovering all assets, especially industrial controllers, is critical.
This includes maintaining a reliable inventory of configurations, logic, code and firmware versions for each controller.
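As an added example (not code from the article, the report it cites, or any vendor's product), the following Python script shows what the controller inventory described above can look like in practice: a trusted baseline of vendor, model, firmware version and a hash of the control logic for each controller, compared against a later snapshot to surface missing devices, unknown devices, firmware changes and logic changes. All device records, IP addresses and logic blobs are constructed sample data; a real deployment would populate the snapshots from passive network discovery or from querying the controllers themselves.

```python
"""Baseline drift check for industrial controllers (added example).

Assumes two inventory snapshots of the same plant network, each a list of
device records. Everything below is constructed sample data."""
import hashlib
from typing import Dict, List, Tuple

TRACKED_FIELDS = ("vendor", "model", "firmware", "logic_sha256")

# Constructed: a trusted baseline recorded at commissioning time.
BASELINE = [
    {"ip": "10.10.1.11", "vendor": "VendorA", "model": "PLC-100",
     "firmware": "2.4.1", "logic": b"MAIN: LD I0.0 AND I0.1 ST Q0.0"},
    {"ip": "10.10.1.12", "vendor": "VendorB", "model": "RTU-7",
     "firmware": "1.9.0", "logic": b"PUMP_CTRL v3"},
    {"ip": "10.10.1.14", "vendor": "VendorA", "model": "PLC-100",
     "firmware": "2.4.1", "logic": b"CONVEYOR v1"},
]

# Constructed: a later snapshot with one logic change (.11), one firmware
# change (.12), one controller missing (.14) and one unknown controller (.13).
CURRENT = [
    {"ip": "10.10.1.11", "vendor": "VendorA", "model": "PLC-100",
     "firmware": "2.4.1", "logic": b"MAIN: LD I0.0 ST Q0.0"},
    {"ip": "10.10.1.12", "vendor": "VendorB", "model": "RTU-7",
     "firmware": "2.0.0", "logic": b"PUMP_CTRL v3"},
    {"ip": "10.10.1.13", "vendor": "VendorA", "model": "PLC-100",
     "firmware": "2.4.1", "logic": b"SPARE"},
]


def fingerprint(device: dict) -> Dict[str, str]:
    """Reduce a device record to the fields worth tracking. The logic blob is
    hashed so the inventory never has to store the proprietary program itself,
    yet any change to it still shows up."""
    return {
        "vendor": device["vendor"],
        "model": device["model"],
        "firmware": device["firmware"],
        "logic_sha256": hashlib.sha256(device["logic"]).hexdigest(),
    }


def index_by_ip(snapshot: List[dict]) -> Dict[str, Dict[str, str]]:
    """Key each fingerprint by the controller's IP address."""
    return {d["ip"]: fingerprint(d) for d in snapshot}


def drift(baseline: List[dict], current: List[dict]) -> List[Tuple[str, str, str]]:
    """Compare two snapshots and return (ip, finding, detail) tuples.

    Findings are reported in the order: controllers missing from the current
    snapshot, controllers not present in the baseline, then per-field changes
    on controllers seen in both, each group sorted by IP."""
    base = index_by_ip(baseline)
    now = index_by_ip(current)
    findings: List[Tuple[str, str, str]] = []
    for ip in sorted(base.keys() - now.keys()):
        findings.append((ip, "missing", "in baseline but not seen in current snapshot"))
    for ip in sorted(now.keys() - base.keys()):
        findings.append((ip, "new", f"unknown controller {now[ip]['vendor']} {now[ip]['model']}"))
    for ip in sorted(base.keys() & now.keys()):
        for field in TRACKED_FIELDS:
            if base[ip][field] != now[ip][field]:
                findings.append((ip, f"{field}_changed", f"{base[ip][field]} -> {now[ip][field]}"))
    return findings


if __name__ == "__main__":
    for ip, finding, detail in drift(BASELINE, CURRENT):
        print(f"{ip:<12} {finding:<22} {detail}")
```

Each finding maps directly to a question the plant team can answer: a firmware or logic change with no matching change ticket is exactly the kind of control plane activity the article says otherwise goes unnoticed, and an unknown controller is an asset the inventory has not yet accounted for. Running the comparison on a schedule turns a one-off discovery exercise into continuous visibility.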
Link: Don’t Get Stranded without a Data Security Action Plan 
Navigating this increasingly complex maze of requirements from different states while simultaneously combatting data breaches is not an easy task.
That’s why it’s critical for healthcare providers to prepare a comprehensive data security action plan by following these five steps: 
1) Benchmark to identify vulnerabilities
2) Adopt a consistent security posture
3) Evaluate and manage third-party relationships
4) Gain a full understanding of all state and federal regulations
5) Implement a communications strategy to protect your reputation