[From the desk of Paul Davis – his opinions and no-one else’s]
So onto the news:
Zero-Days Remained Unpatched an Average of 59 Days
The newly released Internet Security Threat Report (ISTR) – which examines emerging trends in attacks, malicious code activity, phishing, and spam – reveals that 2014 was a record-setting year for the exploitation of zero-day vulnerabilities, and it took software companies an average of 59 days to implement patches, up from only four days in 2013.
“Attackers took advantage of the delay and, in the case of Heartbleed, leapt to exploit the vulnerability within four hours. There were 24 total zero-day vulnerabilities discovered in 2014, leaving an open playing field for attackers to exploit known security gaps before they were patched,” the researchers said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=08a9bbd55f&e=20056c7556
3 Ways Attackers Will Own Your SAP
The SAP security specialists with Onapsis, today, reported that in a study of hundreds of SAP installations examined by their researchers, over 95 percent were exposed to vulnerabilities that could lead to the full compromise of an organization’s business data and processes. Run by a quarter of a million customers worldwide, SAP products form the backbone of critical technology infrastructure of 87 percent of Global 2000 companies. And yet, SAP remains a cybersecurity backwater for most infosec programs.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9391d940af&e=20056c7556
Breach Detection, Prevention Harder Than 2 Years Ago Despite Security Spending: Survey
According to a survey of 200 IT and information security professionals, 75 percent agreed that detecting and preventing a breach has become harder. Fifty-nine percent said malware has grown more sophisticated during the last 24 months and presents fresh challenges – even though the vast majority (87 percent) said they have increased endpoint security spending during the same period.
The survey also revealed that 54 percent felt that it was impossible to keep up with the amount of alerts related to endpoint security threats and breaches.
A particular focus of the survey was the subject of browser-based breaches. Eighty-one percent of organizations that experienced a security breach within the past 24 months that tied it to an attack that was introduced into the network via a browser classified the time it took to remediate the breach as “very significant” or “significant.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=401d2dece0&e=20056c7556
Protecting the Protectors: Putting Network and Security Admins First
Starting with the obvious, it is critical to make sure that all administrators’ devices remain full patched and secured. While it may seem counter-intuitive, it is not unheard for administrators to spend hours and days patching the organization’s servers, but forget to patch their own devices.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b926aee5fa&e=20056c7556
Port monitoring critical to detecting, mitigating attacks using SSL
Statistics show HTTP traffic is down and HTTPS traffic is up. Additionally, 69% of the top 50 most-visited sites and 100% of the top 10 most-visited sites use HTTPS.
Asplund showed a slide of a fake Dyre SSL certificate next to a real Google SSL certificate used in July 2014. The fake certificate lists Google’s location as Miami, Fla. — across the country from its real Mountain View, Calif. home.
A security person may notice this, Asplund said, but “the vast majority of users wouldn’t have a clue what it meant.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=20a09a2867&e=20056c7556
More serious security flaws found in Lenovo computers
Lenovo has issued a patch for a flaw in its computers, which researchers say could allow hackers to replace trusted apps with malicious versions.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0800ccadd7&e=20056c7556
Phishing in the C-Suite: 96% of executives vulnerable to attacks
MOUNTAIN VIEW, Calif., May 6, 2015 /PRNewswire/ — According to a recent survey, 96% of executives failed to tell the difference between a real email and a phishing email 100% of the time* (source: McAfee Phishing Quiz, Intel Security). This is among the key findings featured in Harpooning Executives: How Phishing Evolved into the C-Suite, a joint eBook written by Intermedia and Intel Security. Released today, this eBook highlights how phishing has evolved into “whaling” and why executives are optimal targets.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fafe02a23f&e=20056c7556
CYREN Report: Q1 2015 Sees 51 Percent Increase in Phishing Sites
MCLEAN, Va., May 6, 2015 /PRNewswire/ — CYREN (NASDAQ: CYRN) today published its Q1 2015 Cyber Threat Report. In the report, CYREN security analysts note a steep rise in phishing URLs, tracking 3.86 million at the end of March compared to 2.55 million at the start of the year – a 51% increase. Download the full report at http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7394104bc1&e=20056c7556. Five of the top 10 Web malware in Q1 2015, as analyzed by CYREN, consist of exploit kits that scan the user’s system for unpatched vulnerabilities, then deliver the appropriate payload to begin compromising the victim’s computer.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a286c1173e&e=20056c7556
Here’s What a Cyber Warfare Arsenal Might Look Like
A major part of the DoD’s cyber strategy is to bolster the Pentagon’s “cyber mission force,” which the department began forming in 2013 to carry out its operations in cyberspace. Although the unit will not be fully operational before 2018 the unit is expected to have nearly 6,200 military, civilian and contractors—divided into 13 teams—working across various military departments and defense agencies to “hunt down online intruders,” Defense Secretary Ashton Carter said last month during a lecture delivered at Stanford University.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d8dbcba1a8&e=20056c7556
The impossible task of counting up the world’s cyber armies
A new document, the US Department of Defence Cyber Strategy, does throw some light on US military thinking and capabilities, and it may be the start of greater openness about cyber-warfare capabilities across the world.
It will be made up of 133 teams: 68 teams of ‘cyber protection forces’ will defend key military networks and systems, while 13 ‘national mission teams’ aim to defend broader US interests against cyberattacks of significant consequence. A further 27 ‘combat mission teams’ and their associated support staff will support commanders by generating “integrated cyberspace effects” in support of their military operations. Another 25 support teams will help with analysis and planning for national mission and combat mission teams.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=495f56f480&e=20056c7556
Hackers likely to target IAM warns SailPoint
… identity-as-a-service (IDaaS) is a particularly big attack surface, he said, because it is connected via the internet to a gateway on-premise.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=39f7d3f5e2&e=20056c7556
‘Beware the angry IT worker’: Firms must control data access or risk a repeat of Sony hack
“A person who is working in security operations can actually be involved on the darker side,” he told ComputerworldUK. “It is possible to have this job and then to take on another more adversarial role. If someone is disgruntled – if they are fired from their position or don’t feel like they are being rewarded – and they still hold the administrator user name and password, they can still do some considerable damage to the organisation.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6ab1105411&e=20056c7556
Addressing Cyber Attacks and Data Breaches in Supplier Contracts – Part 1: Contractual Protections With Respect to Data Breaches
Given the unrelenting, it seems, news reports of cyber attacks and data breaches affecting customer records and data, the issue of what are the appropriate contractual provisions that should govern data breaches in a contract between customers and suppliers remains timely, sticky, and constantly-evolving. Below are several observations regarding contractual language and protections with respect to data breaches, where a supplier has access to and/or could cause or allow a customer’s data to be breached.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c0c669592f&e=20056c7556
The changing cybersecurity profession reflects a more diverse workforce
Far from being a geeks’ profession composed of dedicated techies, over half of the UK infosecurity professionals surveyed did not come through traditional computer science degrees and 12 percent had done majors in social sciences, business or history. Furthermore, those recruiting entry-level to mid-level professionals ranked soft skills such as communication skills and analytical skills far above traditional techie attributes.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2e00162788&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage2.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=6079c4311f)
** Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)