[From the desk of Paul Davis – his opinions and no-one else’s]
So onto the news:
Why Has Mobile Banking Growth Stalled? Blame Hackers
A recent report from the Federal Reserve (Consumers and Mobile Financial Services 2015) found that 52 percent of smartphone owners with a bank account did at least one mobile banking transaction last year. That’s not much of an increase from the 51 percent reported in 2013.
A new report from RateWatch, a banking data and analytics service, concluded that mobile banking will only increase if those security concerns are addressed. In a recent survey, RateWatch found that security was the number one reason people said they did not use mobile banking.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0fefb36edd&e=20056c7556
Global Encryption Trends Report – key management pain bites as encryption usage soars
… Global Encryption and Key Management Trends report is now in its tenth year, providing an annual ‘pulse check’ on enterprise approach to and deployment of encryption techniques. There are two key areas which emerge when considering the biggest barriers to effective execution of a data encryption strategy. First and foremost, for 56% respondents, the primary challenge is discovering where sensitive data resides in the organisation.
The second is key management.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8f435f490f&e=20056c7556
Top Critical Skill In Information Security: Be Humble
By everyone being smarter, I don’t mean to say we are dumb but stating the fact that nobody knows everything when it comes to all the various segments of information security. The acronyms that follow your name, from degrees and certifications and the tools you master, are a testament to your dedication but are only letters without learning to be humble, acknowledging your weaknesses and appreciating others’ strengths.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6530a6fb1e&e=20056c7556
GETTING COZY WITH CYBER ESPIONAGE
F-Secure Labs’ latest malware analysis focuses on CozyDuke – an Advanced Persistent Threat (APT) toolkit that uses combinations of tactics and malware to compromise and steal information from its targets. The analysis links it to other APTs responsible for a number of high-profile acts of espionage, including attacks against NATO and a number of European government agencies.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d6da23f6db&e=20056c7556
Netflix has released under an open-source license an internal tool it developed to manage a deluge of security alerts and incidents.
Netflix started developing FIDO four years ago after finding it took from a few days to more than a week to resolve issues that were entered into its help-desk ticketing system, the company wrote in a blog post Monday.
FIDO collects incident information from firewalls, intrusion detection and anti-malware systems. It figures out what kind of system is being attacked and checks external threat feeds to put the incident into more context.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2e265ba599&e=20056c7556
ISE: Hackers to Focus on Connected Devices at DEF CON
Independent Security Evaluators (ISE) today announced the formation of IoT Village, a new hacking event at esteemed information security conference DEF CON. IoT Village aims to drive improvement in so-called Internet of Things (IoT) devices, generally defined as traditionally analog devices that are now connected to the internet, by hacking them to discover security vulnerabilities. “IoT devices aggregate staggering amounts of data about consumers and businesses alike, and introduce harrowing new points of remote connectivity to previously lesser accessible environments,” explains Ted Harrington, one of the leaders behind IoT Village, “and so as a community we must work to solve the massive privacy and security issues that are introduced by connected devices.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3a2271d8ed&e=20056c7556
Browser Malware, Operational Burdens Driving Enterprises to Seek Effective Technology for Secure Web Access
LOS GATOS, CA–(Marketwired – May 5, 2015) – Spikes Security, the isolation security company, today announced findings of a new survey of IT and information security professionals, commissioned by Spikes Security and conducted by The Enterprise Strategy Group, Inc. (ESG) to assess cybersecurity risks related to web browsers, and organizational strategies to address them.
Seventy-five percent of respondents stated that breach prevention and detection is more difficult today compared to two years ago. Of those respondents, fifty-nine percent report that malware has grown more sophisticated over the last two years, despite the fact that 87 percent of all organizations surveyed have increased endpoint protection spending in the last two years. The problem is further complicated by the fact that 84 percent of organizations commonly allow multiple browsers to be deployed on endpoints, which are primary vectors for targeted cyber attacks. IT departments try to minimize the risks of these attacks: 85 percent report that their departments work to keep browsers and patches updated, and 84 percent monitor browser configurations for vulnerabilities. Unsurprisingly, 82 percent of respondents are also concerned about files containing malicious content downloaded via browsers.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=66cba2d6c9&e=20056c7556
As REITs Expand, Threat of Data Security Breaches Becomes Concern
A REIT should therefore consider the implementation of adequate security measures in advance of any breach. Indeed, simply putting into place a plan of communication about the risks and avoidance techniques about which employees should be aware may go a long way towards avoiding problems from ever arising. Similarly, having in place a plan of action in case of a breach may go a long way to limiting potential liability. These issues may be addressed by retaining the appropriate professionals who understand both the REIT industry and the risks of data security to limit any potential exposure.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=04bdff5c84&e=20056c7556
How to Create Security Awareness at Your Company
… we should focus on increasing security awareness in the workplace, from the ground up and from the top down: We should teach workers how to handle data to minimize the potential of its falling into the wrong hands. A couple of strategies.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6d532a63f2&e=20056c7556
Automating better compliance to meet new SEC requirements
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued an alert in April 2014 detailing steps RIAs should take to shield clients from cyberthreats. Since late 2014, the OCIE has been conducting a sweep to examine over 50 broker-dealers and RIAs on its radar. The office calls on firms to create an IT governance system, assess their own risk of data breach, protect clients’ assets, track how their technology interacts with third-party vendors and create written business continuity plans in case of disaster.
No. 1: Create an IT governance program.
No 2: Assess your firm’s risk.
No. 3: Protect your client’s data.
No. 4: Monitor your third-party technology vendors.
No. 5: Create a written business continuity plan.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=07def4c93c&e=20056c7556
Report: Top Endpoint Security Packages Perfectly Foil Drive-By Attacks
One effective way to thwart drive-by attacks is through analysis of a website’s reputation. With a good reputation system, bad websites can be blacklisted by an endpoint product. “It can take action right away just by looking at the URL,” noted NSS Labs’ Bhaarath Venkateswaran. “It’s stage one protection, so it blocks the site before it can drop anything on the user’s machine.” “Products without a great reputation system in place have had an issue with drive-by exploits,” said Bhaarath Venkateswaran, a practice manager at NSS Labs. “Products with great URL reputation typically did well in this test.”
Ever wonder what the chances are you’ll get your cellphone back if you lose it? WinMagic has, and it decided to experiment with the idea last month, during the week that infosec pros congregated at the RSA conference in San Francisco.
The worst place? A conference room — none of those phones were returned to their owners.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=64d0df9de8&e=20056c7556
How to conduct internal investigations outside the United States
Here is a 30-point checklist for American headquartered multinationals that want to adapt their domestic American investigatory tools for cross-border and for overseas local internal investigations. The starting point in our discussion is the assumption that American companies value their American-style investigatory practices and prefer to export them for overseas investigations, modifying them only as necessary under local law. And so the 30 points we discuss here track the four stages of any thorough American-style internal investigation
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fc808d6de1&e=20056c7556
France passes new surveillance law in wake of Charlie Hebdo attack
The new bill, which allows intelligence agencies to tap phones and emails without seeking permission from a judge, sparked protests from rights groups who claimed it would legalise highly intrusive surveillance methods without guarantees for individual freedom and privacy.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e3dc729d36&e=20056c7556
Plod wants your PC? Brick it with a USB stick BEFORE they probe it
Criminals, activists, and whistle-blowers have a new tool to help foil police by shutting down laptops before they are examined.
“USBKill” is a script that turns an innocent-looking thumb drive into a kill switch that, when unplugged, forces computers to shut down.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7f191e34c7&e=20056c7556
The Internet of Things Security Market Is Expected to Grow at a CAGR of 55% from 2015-2019: Technavio
The growing need for regulatory compliance has resulted in the unprecedented growth of the global Internet of Things (IoT) security market, which is expected to post a CAGR of 55% from 2015-2019, says research firm Technavio.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=11ecdbadee&e=20056c7556
Stop Sending Me Threat Intelligence in Email
To give a little background, I described the reasons Tripwire cares about threat intelligence and particularly STIX and TAXII in my article, Why We Should Care About STIX & TAXII.
The best part is, when your organization serves intelligence via TAXII, you’re joining global network of automated threat intelligence dissemination, because others can now import your feed and use it to form their own curated content streams. And all of that took me less time to explain how than the preparation of a typical Starbucks latte order – which your partners might want to treat you to, after you tell them you’ll no longer be clogging up their mail spools.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=75a1fe49c9&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=f9f84637ef)
** Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)