Cyber Security Institute

Wednesday, July 27, 2016

IT Security News - 2016-07-27

Table of Contents

  • Australian firms face growing cyber litigation threat
  • As Biometric Scanning Use Grows, So Does Security Risk
  • Researchers Struggle to Determine True Cost of Data Breaches
  • Here are the key security features arriving with Windows 10 next week
  • Senate body approves controversial cyber-crime bill [ISLAMABAD]
  • Ransomware 2.0 is around the corner and it's a massive threat to the enterprise
  • Security Current Launches eBook on Phishing and Malware in Ongoing Series for CISOs
  • The rise in cyber attacks shows we need to change the way we think about crime
  • Nonprofit cybersecurity key to serving community responsibly, experts say
  • Changing security situation, deeply convinced practicing the new security concept [auto translated - so text is challenging]
  • The Cost of a Data Breach in India: What You Need to Know
  • WinMagic survey finds 23% of businesses claim to stop a data breach a day
  • The Information Security Leader, Part 4: Three Persistent Challenges for CISOs
  • Debunking the common myths of Data Loss Prevention (DLP)
  • Hands up, whose firewall rules are a mess? Yes? Well, the good news (if it can be considered good news) is that you’re not alone, because 65% of your peers are in the same boat according to a survey carried out last month at Infosecurity Europe. In fact, 65% of the 300 security professionals surveye
  • Enhancing cyber security by implementing a robust threat and vulnerability management program



Australian firms face growing cyber litigation threat
Australian companies face ‘US levels’ of litigation if they fail to prepare for mandatory data breach reporting requirements which are likely to come into effect this year, a lawyer has warned. 
Speaking in Sydney, Adam Salter, a partner at law firm Jones Day’s cybersecurity, privacy and data protection practice, said companies not adequately prepared are at greater risk of being sued by their corporate customers.
Litigation would be initiated for breach of privacy obligations embedded in customer contracts and by consumer customers, he said. 
Salter based his view on the firm’s experience in other jurisdictions – such as the US and European Union – that have introduced mandatory data breach notification laws. 
Salter said Australian businesses should regularly review and strengthen their IT and data security systems, policies and procedures and prepare for how they would report a potential data breach to authorities and customers.
Link: http://www.cio.com.au/article/603956/australian-firms-face-growing-cyber-litigation-threat/



As Biometric Scanning Use Grows, So Does Security Risk 
The use of biometrics has exploded in recent years, with companies ranging from 24-Hour Fitness to NYU Langone Medical Center using this convenient technology to identify their customers. 
By 2019, biometrics are expected to be a 25-billion-dollar industry with more than 500 million biometric scanners in use around the world, according to Marc Goodman, an advisor to Interpol and the FBI.
Newest to the scene, Wells Fargo this fall will begin offering a smartphone app with biometric authentication for corporate customers — making all their financial information just an eye scan away. 
But there have already been cases of biometric hacking on a large scale.
An estimated 22 million people had their personal data stolen in a massive data breach at the Office of Personnel Management in December 2014, including RAND privacy expert and mother of two Rebecca Balebako.
She received a letter from OPM last year informing her that her personal information, including her ten fingerprints, were stolen in the breach. 
As biometric technology grows more personal and more widespread, so too do the risks to personal privacy.
Link: http://www.nbcnews.com/tech/tech-news/biometric-scanning-use-grows-so-do-security-risks-n593161



Researchers Struggle to Determine True Cost of Data Breaches 
Depending on the estimate, the average data breach can cost a company $7 million or $150 million.
Why are data breach costs so difficult to estimate? 
In May, tucked away in its quarterly filing to the Securities and Exchange Commission, retail giant Target updated its running total of the cost of its 2013 holiday season breach. 
While the retail giant may have outdone its peers with the bill for its breach, it is hardly alone.
U.K. mobile service provider TalkTalk attributed more than $80 million in losses to a breach that garnered information on 157,000 customers.
Following its breach in 2014, Home Depot tallied at least $161 million in costs from the loss of 40 million payment-card accounts and more than 50 million e-mail addresses, the company claimed in March. 
Yet, other companies have no idea how much damage their breaches have done.
In February 2015, for example, hackers stole more than 80 million records from health insurer Anthem.
More than a year later, the company cannot put a number to its damages. 
A more modest estimate, from the Ponemon Institute's “2016 Cost of Cybercrime” report, found that the average company could expect a $4 million loss per breach incident today.
U.S. companies have consistently higher losses, including an average breach cost of $7 million and an average per-capita breach cost of $221.
U.S. companies and organizations also encountered higher costs from the loss of customers, the report stated. 
Having a well-trained incident response team and extensively using encryption were the two strategies that most decreased the cost of data breaches, while the involvement of a third party in the data breach and a company’s use of an extensive cloud infrastructure were the two factors that most increased costs, according to the “2016 Cost of Cybercrime” report. 
The disagreement between approaches is par for the course in data-breach calculations.
In a paper comparing six data-breach cost calculators, two Colorado State University researchers found that each approach made different assumptions and arrived at different per-record costs for data breaches. (Three of the calculators were created in conjunction with the Ponemon Institute and three different sponsors.)
Link: http://www.eweek.com/security/researchers-struggle-to-determine-true-cost-of-data-breaches.html



Here are the key security features arriving with Windows 10 next week 
The new functionality aims to help IT departments protect their companies before and after a breach
Windows Information Protection aims to make it possible for organizations to compartmentalize business and personal data on the same device.
It comes alongside the general release of Windows Defender Advanced Threat Protection, a system that uses machine learning and Microsoft's cloud to better protect businesses after their security has been breached. 
Using Windows Information Protection, companies can encrypt their data on employee devices using keys that are controlled by IT. 
Companies can also set policies about which applications can be used to handle business data, so users can't live-tweet the content of a company's HR system, for example. 
For businesses to use Windows Information Protection, they'll need a Windows 10 Enterprise E3 subscription, which costs $7 per user per month. 
Windows Defender ATP requires a company be subscribed to the more expensive Windows 10 Enterprise E5 service, which is meant for companies looking for premium Windows 10 add-on features.
Link: http://www.computerworld.com/article/3100025/security/here-are-the-key-security-features-arriving-with-windows-10-next-week.html?token=%23tk.CTWNLE_nlt_computerworld_dailynews_2016-07-26&idg_eid=d5d83



Senate body approves controversial cyber-crime bill [ISLAMABAD] 
ISLAMABAD: A Senate panel on Tuesday approved the controversial Prevention of Electronics Crimes Bill 2015. 
The bill, which has already been approved by the National Assembly, will now be put up for discussion in the Senate, which must approve it before it can be signed into law by the president. 
Salient features of bill

Up to seven years' imprisonment, a Rs10 million fine or both for hate speech, or for trying to create disputes and spread hatred on the basis of religion or sectarianism
Up to three years' imprisonment, a Rs0.5 million fine or both for cheating others through the internet
Up to five years' imprisonment, a Rs5 million fine or both for transferring or copying sensitive basic information
Up to seven years' imprisonment, a Rs0.5 million fine or both for uploading obscene photos of children
Up to a Rs50 thousand fine for sending messages that irritate others or for marketing purposes.
If the crime is repeated, the punishment would be three months' imprisonment and a fine of up to Rs1 million
Up to three years' imprisonment and a fine of up to Rs0.5 million for creating a website for negative purposes
Up to one year's imprisonment or a fine of up to Rs1 million for forcing an individual into immoral activity, publishing an individual's picture without consent, sending obscene messages or unnecessary cyber interference
Up to seven years' imprisonment, a fine of Rs10 million or both for interfering with sensitive data information systems
Three months' imprisonment, a Rs50 thousand fine or both for accessing unauthorised data
Three years' imprisonment and a fine of up to Rs5 million for obtaining information about an individual's identification, selling the information or retaining it
Up to three years' imprisonment and a fine of up to Rs0.5 million for issuing a SIM card in an unauthorised manner
Up to three years' imprisonment and a fine of up to Rs1 million for making changes to a wireless set or a cell phone
Up to three years' imprisonment and a fine of up to Rs1 million for spreading misinformation about an individual
Up to three years' imprisonment and a fine of up to Rs1 million for misusing the internet
Link: http://www.dawn.com/news/1273324/senate-body-approves-controversial-cyber-crime-bill



Ransomware 2.0 is around the corner and it's a massive threat to the enterprise 
"The landscape is simple.
Attackers can move at will.
They're shifting their tactics all the time.
Defenders have a number of processes they have to go through," said Jason Brvenik, principal engineer with Cisco's security business group, discussing the Cisco 2016 Midyear Cybersecurity Report. 
Cisco built the report from its customers' data: more than 16 billion web requests pass through Cisco systems daily, nearly 20 billion threats are blocked daily, and more than 1.5 million unique malware samples are seen daily, which works out to 17 new pieces of malware every second, Brvenik said. 
The next step in the evolution of malware will be ransomware 2.0, which Brvenik said "will start replicating on its own and demand higher ransoms.
You'll come in Monday morning and 30% of your machines and 50% of your servers will be encrypted.
That's really a nightmare scenario." 
Self-propagating ransomware will be the next step to create ransomware 2.0, and companies need to take steps to prepare and protect their company's network, Brvenik said. 
New modular strains of ransomware will be able to quickly switch tactics to maximize efficiency.
For example, future ransomware attacks will evade detection by being able to limit CPU usage and refrain from command-and-control actions.
These new ransomware strains will spread faster and self-replicate within organizations before coordinating ransom activities, according to the report. 
Brvenik noted that the nature of the attack is also likely to change, focusing on service-oriented technologies and systems, with teams ready to attack and try to compromise systems.
Advertising is a viable model for attack. 
"We saw a 300% increase in the use of HTTPS with malware over the past four months.
Ad injection is the biggest contributor.
Adversaries are using HTTPS traffic to expand time to operate.
That's the attacker opportunity as it exists today," he said.
Link: http://www.techrepublic.com/article/ransomware-2-0-is-around-the-corner-and-its-a-massive-threat-to-the-enterprise/?ftag=TRE684d531&bhid=21487072891631060763005914609462



Security Current Launches eBook on Phishing and Malware in Ongoing Series for CISOs
TENAFLY, N.J., July 26, 2016 /PRNewswire/ — Security Current, an information and collaboration community by CISOs for CISOs, today announced the release of its latest ebook, A CISO's Guide to Phishing and Malware by Joel Rosenblatt, which is now publicly available.
The ongoing Security Current ebook series, A CISO's Guide to… provides insights and guidance on key issues facing today's CISO from a CISO's perspective. 
In this ebook, Rosenblatt, director of information security for Columbia University, explores real-world examples of advanced targeted attacks via email and social media, demonstrating how these evolving threats are increasing an organization's business risks.
More specifically, he explores attack vectors such as email that are being exploited as never before.
Link: http://www.prnewswire.com/news-releases/security-current-launches-ebook-on-phishing-and-malware-in-ongoing-series-for-cisos-300303829.html



The rise in cyber attacks shows we need to change the way we think about crime 
You are now 20 times more likely to have your money stolen online by a criminal overseas than by a pickpocket or mugger in the street, according to recent figures from the Office for National Statistics.
The figures revealed that almost 6m fraud and cyber crimes were committed in the past year in England and Wales alone – making it now the most common type of crime experienced by adults in the UK.
The average frontline police officer also needs to be able to think about the digital crime scene as well as, or instead of, the physical one.
Being able to respond and investigate criminal cyber activity should no longer be the domain of police specialists – because, as the evidence shows, victims are more likely to suffer a cyber criminal act than any other form of crime.
Beyond law enforcement, society must think about the role of the private sector and their duty of care.
Everyone online is sitting on an internet service provider's network, which effectively owns the digital land upon which we have set up our digital lives.
In the physical world, landlords renting a property have a duty of care to the safety of their tenants, so surely it makes sense for our digital landlords to be held to the same standards.
To respond effectively we need to look at the data gathered on the nature of these crimes – to understand how cyber crimes occur, and who is most at risk.
In the long run, this will make it easier for law enforcement to work out how to tackle these cases.
But this must be done in a sensible and measured way, as the situation is likely to appear to get worse before it gets better as people become more aware of what these crimes are and how to report them.
Similarly organisations, such as the ONS and the City of London Police, will get better at recording cyber crime – causing the figures to go up again.
For now though, these new figures make it clear that cyber crime must become a significant priority for the police and crime commissioners up and down the country.
Link: http://phys.org/news/2016-07-cyber-crime.html



Nonprofit cybersecurity key to serving community responsibly, experts say 
Regardless of size or resources, nonprofits must keep cybersecurity top of mind. 
Puckett has made cybersecurity a top priority for the foundation.
One of a nonprofit’s biggest risk areas is “reputation,” she said, and a breach of any kind can seriously compromise the trust a community places in an organization. 
“Nonprofits rely extremely heavily on their I.T. vendors,” she said. “I know why — because they don’t know what they don’t know — but nonprofits need to become informed with some of the basics so that they at least know the questions to ask.
If they don’t know those questions, they need to reach out to resources that are available all over.” 
One of those resources is the West Michigan Cyber Security Consortium (WMCSC), a free-to-join group of more than 250 local businesses and organizations sharing best practices for remaining secure.
WMCSC is working with Trivalent Group Inc., the Better Business Bureau and the Michigan Small Business Development Center to host the third annual Michigan Cyber Security Conference on Oct. 5. 
Puckett said her organization performs multiple security audits throughout the year.
One audit reviews the foundation’s internal controls, such as password requirements, lockout policies, firewalls, two-factor authentication, etc.
Another audit involves a penetration test, in which a third-party consultant attempts to hack into the network to look for any weaknesses the foundation could patch up. 
The single most important issue to address, however, is employee education, sources said.
Considering how effective most of the modern security systems are, an uninformed or careless employee is actually the most likely cause of infiltration, according to Puckett.
That’s why she sends out monthly security awareness letters, as well as occasional phishing tests to see if employees will fall for the common password-stealing scam.
Even going to the wrong website can have disastrous results. 
For Goodwill, protecting the information of “the people we serve” is top priority, Wallace said.
Through various programs, such as career and health care services, Goodwill has access to many of its participants’ personal information.
As such, the Health Insurance Portability and Accountability Act (HIPAA) plays a large part in the organization’s security policies.
As one “very small example,” Wallace said that neither job coaches nor any other employees are allowed in any way to interact on social media with program participants. 
“It doesn’t matter what size you are,” Wallace said. “It’s important for any nonprofit that has private information about individuals.
You owe it to the people you’re serving.”
Link: https://mibiz.com/news/nonprofit-business/item/23843-nonprofit-cybersecurity-key-to-serving-community-responsibly,-experts-say



Changing security situation, deeply convinced practicing the new security concept [auto translated - so text is challenging] 
As the first veteran security vendor in China's security market with sales of over one billion yuan, deeply convinced posts annual earnings growth of 30%.
By 2015 its sales had broken 1.6 billion, and its security and virtualization product lines continued to hold their market share. 

In recent years, emerging security events have driven the development of the network security market: the number of network security vendors keeps increasing, the range of security products keeps being enriched, and market size and network security investment keep growing.
Faced with the changing face of the Internet, escalating threats and fierce market competition, what security concept does deeply convinced practise?
Faced with the ever-changing network security situation, enterprises urgently need to change how they respond to changes in the security environment and to IT attacks.
Security is not a product, nor a pile of security services, but a capability. 
First, security must be visible.
Knowing yourself is a necessary security capability for an enterprise.
Only by understanding its own shortcomings and seeing the security situation clearly can an enterprise identify threats and build security in a targeted way. 
Second, companies need to detect risks continuously and respond quickly.
Nothing is perfect; there is no hundred-percent security.
Faced with advanced persistent threats (APT), we cannot completely prevent an attacker from getting in; the effective approach is to control the attacker's behaviour so as to avoid further attack and damage. 
Finally, security delivery should be easy to use.
First, because the demands on corporate security managers keep growing: they need to understand not only the network but also the applications, not only the technology but also the laws and regulations, in order to guarantee the security of business lines and operational processes; and second, because security management is becoming complex, with a need to track information assets and human behaviour, manage security risks and eliminate them in a timely manner. 
Visible security starts from the following three points. First, visualize more elements.
Analyse elements such as user behaviour and assets to find points of risk and handle them in a timely manner.
Second, visualize behaviour that bypasses the defence system.
This mainly involves sensitive information, external links and abnormal traffic.
Third, present from a management perspective.
To make risks easier to understand and security management effective, security should be presented visually from the management point of view. 
Continuous detection means continuously detecting events that have already occurred, unknown threats and vulnerabilities in systems: detecting abnormal behaviour on endpoints and servers to find unknown and new threats, detecting the new vulnerabilities that frequent system updates generate, and finally issuing policies quickly on the basis of detection results to narrow the scope of the threat and fix vulnerabilities fast. 
In this regard, deeply convinced has built a continuous, integrated detection technology architecture spanning server security, endpoint security and a cloud security platform, providing unknown-threat detection, cloud scanning, cloud testing and other continuous detection services. 
Simple security delivery requires easier deployment at go-live and simpler daily operation and maintenance.
Infrastructure security delivery needs to simplify the integration of security functions as far as possible, deploy an integrated strategy at the front line of security detection, and simplify policy deployment;
Link: http://news.securemymind.com/2016072624304.html



The Cost of a Data Breach in India: What You Need to Know 
IBM and Ponemon Institute recently released the “2016 Cost of Data Breach Study: India,” the annual benchmark study on the cost of data breach incidents for companies based in India. 
Below are the key takeaways from the report:

The average total cost of a breach was 9.73 crore INR.
This represents a 9.5 percent increase over 2015 costs.
In comparison, the global average total cost of a data breach increased by 5.4 percent.
The size of data breaches increased as well — the average size grew by 8.5 percent in 2016.
This is much more than the global average increase of 3.2 percent.
The impact of data breaches varied by industry.
Certain sectors, such as financial services, had higher data breach costs when compared with industries such as research and the public sector.
Forty-one percent of companies experienced a data breach as a result of a malicious or criminal attack, which was the most common root cause of a breach.
The cost of a data breach was directly related to the number of records compromised in the attack.
The greater the number of records lost, the higher the cost.
Data breaches that involved fewer than 10,000 records had an average cost of 5.96 crore INR, while breaches involving more than 50,000 records had an average cost of 16 crore INR.
The longer it takes to detect and contain a data breach, the more costly it becomes to resolve.
Link: https://securityintelligence.com/the-cost-of-a-data-breach-in-india-what-you-need-to-know/



WinMagic survey finds 23% of businesses claim to stop a data breach a day
LONDON, UK – July 26, 2016 – WinMagic Inc., the intelligent key management and data security company, has today released survey data in which IT managers say they thwart an attempted data breach at least once a month.
The survey of 250 IT Managers found that a staggering 23% stop a breach every day.
A data breach can be the result of an attack on the network, or an employee inadvertently sending or taking information out of the corporate network without adequate care. 
The survey also spoke with 1,000 employees, 41% of whom believe IT security is solely the IT department’s responsibility; a further 37% say they have a role to play in IT security too.
Even though so many employees seemingly abdicate responsibility for IT security, a fifth of IT managers want to be able to empower them to use personal devices to access work documents.
Interestingly only 36% felt such access should be restricted to approved employees. 
IT managers also rated employees as the second biggest risk behind hackers to security (24%).
Link: http://www.pressreleaserocket.net/winmagic-survey-finds-23-of-businesses-claim-to-stop-a-data-breach-a-day/474317/



The Information Security Leader, Part 4: Three Persistent Challenges for CISOs 
CISOs and their teams must embody two distinct roles: subject matter experts in the technical aspects of cybersecurity and trusted advisers in making recommendations about security-related risks.
CISOs and their teams need to become confident in addressing four fundamental questions about security-related risks to help guide executive-level discussions toward making better-informed business decisions about managing risks to an acceptable level, as opposed to providing the executives with updates of tactical metrics having to do with security’s activities, work progress and operational costs.
CISOs and their teams need to learn how to overcome three persistent challenges in identifying, assessing and communicating effectively about security-related risks.
A surprising percentage of information security professionals lack an accurate understanding of risk, in spite of the fact that risk is the very reason for the existence of the business function called information security. 
One of the biggest challenges for CISOs is that security professionals traditionally think of cybersecurity as intangible, which is yet another reason why engaging in executive-level discussions about the question “How secure are we?” makes very little sense.
If something is intangible, our instincts tell us it can’t be measured.
Not surprisingly, many people with predominantly technical and engineering-oriented backgrounds experience an inherent discomfort in not being able to quantify security-related risks with precision. 
Ironically, CISOs and their teams often use emotional and qualitative approaches to communicate risks with business decision-makers. 
Qualitative and semi-quantitative risk assessments have become extremely popular.
They’re manifested in five-by-five heat maps that are typically visualized in vibrant green, yellow and red.
Security leaders say they like them because the business decision-makers seem to get it and they often lead to better conversations about risk.
Link: https://securityintelligence.com/the-information-security-leader-part-4-three-persistent-challenges-for-cisos/



Debunking the common myths of Data Loss Prevention (DLP)
MYTH 1: DLP requires significant internal resources to manage and maintain
MYTH 2: DLP requires at least 18 months to deliver value
MYTH 3: DLP requires policy creation first
In summary, DLP represents one of the strongest lines of defence available for businesses looking to effectively protect themselves against the growing number of accidental and malicious threats out there.
However, lingering myths and misinformation about aspects such as ROI, resourcing and policy are holding it back unfairly.
It’s time the IT industry dispelled these myths once and for all, helping DLP to achieve its full potential as a cornerstone of modern data security.
Link: http://www.itproportal.com/2016/07/26/debunking-the-common-myths-of-data-loss-prevention-dlp/



Hands up, whose firewall rules are a mess? Yes? Well, the good news (if it can be considered good news) is that you’re not alone, because 65% of your peers are in the same boat according to a survey carried out last month at Infosecurity Europe. In fact, 65% of the 300 security professionals surveye 
Hands up, whose firewall rules are a mess? Yes?
Well, the good news (if it can be considered good news) is that you’re not alone, because 65% of your peers are in the same boat according to a survey carried out last month at Infosecurity Europe.
In fact, 65% of the 300 security professionals surveyed said if their firewall rules were a teenager’s bedroom, their mom would be so angry she would ground them; and half of those said they would be grounded for life.
The same study also showed that 32% admitted they had inherited over half of the rules they manage from a predecessor – no wonder they are a mess.
And a quarter of security professionals confessed to being afraid to turn off legacy rules.
To add to the complexity, 72% of the security professionals surveyed use two or more firewall vendors within their IT environments, each with its own rules to manage. 
If, like the majority of IT security professionals, you’re in danger of being grounded over your messy firewall rules, here are some tips from my colleague Tim Woods on how to start tidying up your firewall policies: 
Step 1: Remove technical mistakes
Step 2: Remove unused access
Step 3: Review, refine and organize access
Step 4: Continual policy monitoring
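A first pass at steps 1 to 3 can be scripted: the audit below, an added example that is not from the original post or from FireMon, walks a first-match rule base and flags rules shadowed or made redundant by an earlier rule (technical mistakes), rules with no or stale hits (unused access), and over-broad permits that need review. The rule format, field names and sample rules are constructed for this example.

```python
"""Firewall rule-base hygiene audit (added example; rule format is constructed)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    proto: str                # "tcp", "udp" or "any"
    port: str                 # "443", "1024-65535" or "any"
    action: str               # "allow" or "deny"
    hits: int                 # hit counter exported from the firewall
    last_hit: Optional[date]  # date of the last match, None if never matched


def _ports(spec: str) -> tuple[int, int]:
    """Expand a port spec into an inclusive (low, high) range."""
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by inner is also matched by outer,
    i.e. a first-match firewall placed after outer would never reach inner."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    o_lo, o_hi = _ports(outer.port)
    i_lo, i_hi = _ports(inner.port)
    if not (o_lo <= i_lo and i_hi <= o_hi):
        return False
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)))


def audit(rules: list[Rule], today: date, stale_days: int = 90) -> dict[str, list[str]]:
    """Return findings keyed by rule name, evaluating rules in first-match order."""
    findings: dict[str, list[str]] = {r.name: [] for r in rules}
    stale_before = today - timedelta(days=stale_days)
    for i, rule in enumerate(rules):
        # Step 1: technical mistakes -- an earlier rule already decides this traffic.
        # Same action: the rule is dead weight. Different action: its intent is defeated.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings[rule.name].append(f"{kind} by earlier rule {earlier.name}")
                break
        # Step 2: unused access -- never matched, or not matched within stale_days.
        if rule.hits == 0 or rule.last_hit is None:
            findings[rule.name].append("never matched")
        elif rule.last_hit < stale_before:
            findings[rule.name].append(f"stale: last hit {rule.last_hit.isoformat()}")
        # Step 3: review candidates -- permits open on every protocol and port.
        if rule.action == "allow" and rule.proto == "any" and rule.port == "any":
            findings[rule.name].append("over-broad allow: every protocol and port")
    return {name: reasons for name, reasons in findings.items() if reasons}


# Constructed sample rule base (not a real environment).
TODAY = date(2016, 7, 27)
SAMPLE_RULES = [
    Rule("allow-web", "0.0.0.0/0", "10.0.1.10/32", "tcp", "443", "allow", 120000, date(2016, 7, 26)),
    Rule("allow-web-dup", "0.0.0.0/0", "10.0.1.10/32", "tcp", "443", "allow", 0, None),
    Rule("deny-legacy-rdp", "10.0.0.0/8", "10.0.2.0/24", "tcp", "3389", "deny", 3, date(2015, 5, 1)),
    Rule("allow-any-internal", "10.0.0.0/8", "10.0.0.0/8", "any", "any", "allow", 5000, date(2016, 7, 27)),
    Rule("allow-rdp-jumphost", "10.0.3.0/24", "10.0.2.5/32", "tcp", "3389", "allow", 0, None),
    Rule("allow-dns", "10.0.0.0/8", "10.0.0.53/32", "udp", "53", "allow", 99, date(2016, 7, 27)),
]


def run_sample() -> dict[str, list[str]]:
    return audit(SAMPLE_RULES, TODAY)


if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print(f"{name}: {'; '.join(reasons)}")
```

The inherited `deny-legacy-rdp` rule shows why people are afraid to switch legacy rules off: it is stale, but it is also the rule silently shadowing the newer `allow-rdp-jumphost`, so removing it changes behaviour.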
Link: https://www.firemon.com/messy-firewall-rules-get-security-professionals-grounded-life/



Enhancing cyber security by implementing a robust threat and vulnerability management program
Threat and vulnerability management is the process of identifying and analyzing security threats and weaknesses, modeling and simulating their potential impact and risk, and planning their remediation accordingly.
The program could cover:
-  Asset inventory management
-  Vulnerability scanning
-  Vulnerability assessment and analysis
-  Vulnerability remediation and mitigation planning
-  Risk and threat modeling and impact analysis
-  Penetration testing
Threat and vulnerability management program managers need to deliver effective vulnerability management for traditional and emerging technologies in growing, perimeter-less IT environments including mobility, cloud and IoT.
To ensure a successful vulnerability management program, security leaders need to verify the effectiveness of their threat and vulnerability management efforts and align these with business context and objectives.
Assessing the impact of potential threats to evaluate their risk will become a primary tool in managing the large volume of vulnerabilities that enterprises need to detect and remediate on an ongoing basis in order to prevent cyber attacks and data breaches.
Link: http://www.csoonline.com/article/3099988/vulnerabilities/enhancing-cyber-security-by-implementing-a-robust-threat-and-vulnerability-management-program.html