[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions š
So onto the news:
Cmstar Downloader: Lurid and Enfalās New Cousin
In recent weeks, Unit 42 has been analyzing delivery documents used in spear-phishing attacks that drop a custom downloader used in cyber espionage attacks. This specific downloader, Cmstar, is associated with the Lurid downloader also known as āEnfalā. Cmstar was named for the log message āCM**ā used by the downloader.
Unit 42 is aware of threat actors using two toolkits ā MNKit and the Tran Duy Linh toolkit ā to produce malicious documents that exploit CVE-2012-0158 in order to implant Cmstar. The Cmstar downloader itself has several unique and interesting features, as well as substantial infrastructure overlap with other tools worth discussing.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f556ba385a&e=20056c7556
United States: Food Industry Continues To Face Data Privacy And Security Risk
In 2014, grocers and restaurants continued to be plagued by attacks leading to the theft of credit card information. Among others, Supervalu Inc. and Jimmy John’s both experienced intrusions in 2014, extending the string of intrusions and breaches in recent years that have hit stores and restaurants in the food and beverage industry.
2014 also saw developments in stores’ and restaurants’ liability for credit card data breaches. One of the most active areas involves whether those stores and restaurants hit by data beaches are liable to transactions processors and financial institutions for costs such as issuing new credit cards. Here, the news has been mixed for stores and restaurants.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=696b5db6b0&e=20056c7556
Dropbox secures data privacy-focused ISO 27018 standard
Dropbox has followed in the footsteps of Microsoft to become an early adopter of the privacy-focused ISO 27018 standard, which is used to signify how providers safeguard usersā cloud data.
Organisations that adhere to the ISO 27018 code of practice, therefore, must vow not to use this information in sales and marketing materials, and must promise to provide users with details about where there data is kept and handled and to notify them straightaway in the event of a data breach.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8e51348453&e=20056c7556
Why Visa’s Paying Banks More after Breaches
The American Bankers Association announced on May 14 that Visa had agreed to substantially increased reimbursements to community institutions, which typically have more difficulty than larger banking institutions when it comes to covering all of the costs associated with fraud detection, mitigation and card reissuance. Visa is moving to a tiered system, with higher reimbursements for all banks, based on annual card purchase volume.
The new tiered reimbursement system will pay smaller card issuers, such as community banks, more for the cards they have to reissue, the ABA says.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=427e4fc7de&e=20056c7556
Is the CISO job description getting out of hand?
CISO roles and responsibilities are built on impossible standards and unrealistic expecations.
Expert Joseph Granneman explains this trend and why enterprises need to reverse it.
Enterprises can empower the CISO through executive support and appropriate resourcing. The IT employees who manage daily operations do not have to report directly to the CISO, if the executives over IT place priority on CISO recommendations. This helps to allocate both human and financial resources to information security priorities. Information security will not be a priority to the organization if it is not a priority for the organization’s executive management.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=812abb9a29&e=20056c7556
Traditional security approaches produce too many false positives
According to 62 percent of IT professionals traditional security approaches produce too many alerts and false positives for them to handle.
When asked how they felt about security analytics, 70 percent of respondents indicated that they either have an investment in the technology or would have an investment if it weren’t for insufficient resources. Of those IT professionals already using security analytics, 95 percent were confident of their ability to detect a security issue before it had a significant impact.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c0b6e97789&e=20056c7556
Login system supplies fake passwords to hackers
ErsatzPasswords, a research project, aims to stop the cracking of password hashes
Called ErsatzPasswords, the system is aimed at throwing off hackers who use methods to “crack” passwords, said Mohammed H. Almeshekah, a doctoral student at Purdue University in Indiana.
Hackers “will still be able to crack that file, however the passwords they will get back are fake passwords or decoy passwords,” Almeshekah said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c31f0eb787&e=20056c7556
RBI Plans Cybersecurity Arm for Banks
The Reserve Bank of India has plans to set up a new IT subsidiary responsible for strengthening cybersecurity in the Indian banking sector.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ac78098423&e=20056c7556
7 must-do steps to ensure an IT crisis doesnāt become a PR disaster
1. Assemble your communications team
2. Keep management informed
3. Keep customers informed
4. Keep regulators informed
5. Delivery of message to the masses
6. Continue talking about actions youāre taking
7. Targeted communications
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=00e273d472&e=20056c7556
Nevada expands definition of PI for purposes of the state’s breach and safeguards laws
Nevadaās recently amended law will, among other things, create the first state mandate to encrypt online account credentials. Specifically, on May 13, 2015, Nevada Governor Sandoval approved a bill (āAB 179ā) to expand the definition of āpersonal informationā for purposes of the stateās security breach notification and personal information safeguards laws. In so doing, Nevada became the fifth state this year to amend (i.e., expand) the scope and obligations of its state breach law. Montana, North Dakota, Washington and Wyoming have also expanded their respective breach laws this year. Other states, such as California and Illinois, continue consideration of significant amendments to their respective breach laws.
Effective July 1, 2015, AB 179 will expand the definition of āpersonal informationā for purposes of the Nevada breach and safeguards laws to include an individualās first name or initial and last name in combination with the following new data elements:
– driver authorization card number; medical identification number or health insurance identification number; or
– user name, unique identifier or e-mail address in combination with a password, access code or security question and answer that would permit access to an online account.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=610912b0fb&e=20056c7556
‘Burnt-out’ security pros hide breaches, demand bigger budgets
Threat intelligence security vendor Alienvault released its āEthics, security and getting the job done’ report last week and it makes for an interesting read for anyone involved in security, from system and network administrators to CISOs and board members in control of information security budgets.
Approximately 25.7 percent tell the regulator (the ICO in the UK) and pay the fine, while nine percent adopt the attitude of āif nobody knows, just keep quiet’. More alarming still, is that one in fifteen (6.6 percent) will go and tell the media.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f02b87caf4&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=12b5147deb)
** Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)