[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporters' opinions.
So onto the news:
Confide brings ephemeral messaging to desktop, with Mac and Windows clients
Like the mobile version, Confide for desktop allows users to send and receive encrypted messages, documents, and photos. In addition to being encrypted, text is blocked out with Confide's signature orange censor bars. Users can pull documents and photos directly from Google Drive, Dropbox, Box, and OneDrive into Confide, or drag and drop documents directly from their desktop into a message.
Though Confide's desktop and mobile versions are mostly the same, the one big difference is that desktop users can see more of a message at one time. On the mobile version, users have to run a finger along the margin of a message to reveal the text line by line. On desktop, users can mouse over a message to see its entire contents before responding; moving the mouse off the message hides it again. Once a user replies to a text, the initiating message disappears, both from their inbox and from Confide's servers. Note that this ephemerality is enforced by Confide's client and servers rather than by the encryption itself: nothing stops a recipient photographing or capturing the screen while the text is revealed. Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a4117b8e3f&e=20056c7556
Will HTTP/2 satisfy the need for speed and enterprise Web security?
HTTP/2 is defined for both cleartext HTTP and HTTPS, but over HTTPS it requires TLS 1.2 or later plus some constraints specific to HTTP/2: a cipher suite blacklist and mandatory support for the Server Name Indication (SNI) extension, which lets the client state which hostname it wants at the start of the handshake.
HTTP/2 is currently available in Firefox and Chrome for testing, using the h2-14 protocol identifier. Organizations that run highly visible websites should start trialing Google's SPDY module for Apache (mod_spdy) to assess the likely effects of HTTP/2 on their own infrastructure once it is officially formalized. There are also various servers and open source implementations available that can be used for testing. Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7137bafa27&e=20056c7556
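The TLS rules summarised above (TLS 1.2 minimum, SNI, no compression, blacklisted cipher suites) are easy to get wrong in a client or a test harness. The following is an added example, not code from the article or from any HTTP/2 implementation: it scores a negotiated parameter set against those rules and builds a Python client context that satisfies them. The blacklist check approximates RFC 7540's Appendix A list with the rule the RFC gives for it (ephemeral key exchange plus an AEAD cipher) rather than embedding all of the names; the cipher-suite strings and version labels in the usage are constructed inputs.

```python
"""Added example (not from the article): check negotiated TLS parameters
against the HTTP/2-over-TLS rules (RFC 7540 section 9.2) and build a client
SSLContext that satisfies them."""
import ssl

AEAD_TAGS = ("GCM", "CCM", "CHACHA20")


def _normalise(suite):
    # Accept IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and OpenSSL
    # names (ECDHE-RSA-AES128-GCM-SHA256) by comparing on one token form.
    return suite.upper().replace("-", "_")


def suite_allowed_for_h2(suite, tls_version):
    """RFC 7540 9.2.2 blacklists every suite without an ephemeral key
    exchange or without an AEAD cipher; this approximates the Appendix A
    list with that rule instead of embedding all ~270 names."""
    if tls_version == "TLSv1.3":
        return True  # TLS 1.3 suites are (EC)DHE + AEAD by construction
    name = _normalise(suite)
    ephemeral = "DHE" in name  # matches ECDHE_/DHE_, not static RSA or ECDH_
    aead = any(tag in name for tag in AEAD_TAGS)
    return ephemeral and aead


def check_h2_tls(tls_version, cipher_suite, sni_sent, compression=None):
    """Return the list of HTTP/2 requirement violations (empty = compliant)."""
    problems = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"{tls_version} is below the TLS 1.2 minimum")
    if not sni_sent:
        problems.append("client did not send the Server Name Indication extension")
    if compression not in (None, "NONE"):
        problems.append(f"TLS compression ({compression}) must be disabled")
    if not suite_allowed_for_h2(cipher_suite, tls_version):
        problems.append(f"cipher suite {cipher_suite} is blacklisted for HTTP/2 "
                        "(needs an ephemeral key exchange and an AEAD cipher)")
    return problems


def h2_client_context():
    """A client-side SSLContext meeting the same rules.  ALPN 'h2' is how a
    client asks for HTTP/2 over TLS (h2-14 was the draft-14 form of it)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    # TLS 1.2 suites restricted to ephemeral + AEAD; TLS 1.3 suites are
    # configured separately by OpenSSL and are all acceptable.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    # check_hostname=True (the default) makes wrap_socket() require
    # server_hostname=, which is what puts SNI into the ClientHello.
    return ctx


if __name__ == "__main__":
    # constructed inputs, e.g. what a TLS probe of a server would report
    print(check_h2_tls("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", True))
    print(check_h2_tls("TLSv1.1", "AES128-SHA", False, "DEFLATE"))
```

The context is the client half of the picture; on the server side the same rules translate into the TLS configuration of the web server, and the cipher-suite rule is the one most often violated by older "strong" configurations that still prefer CBC suites.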
In the API economy, API security moves to center stage
To ensure applications and data are as safe as possible, CIOs and development team leads need to consider what internal data to protect, and what functionality and data the organization is willing to expose right from the start, advises Merritt Maxim, senior analyst for security and risk at Forrester Research Inc., in Cambridge, Mass. Development of a public API should be accompanied by a risk assessment that considers all the systems that the API could affect, how a breach might impact the organization, and what controls and policies would be needed to prevent a breach or to minimize damage.
API management products not only often include a gateway function, they also serve up additional features such as authentication, analytics, hosting and billing options. The products are available from a wide range of vendors including 3scale, Akana (formerly SOA Software),Apigee, Axway, CA Technologies, IBM, Informatica, Intel Services, MuleSoft, Tibco Software and WSO2. Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d89706a93f&e=20056c7556
How to Mitigate Third-Party Data Breach Risks
The reality, however, is that many companies still don't know which of their third parties have access to their personally identifiable information (PII), which is exactly what happened in the case of UPMC. To prevent similar breaches, every company needs a plan. The first step is to know which third parties have that access; the second is to verify you have appropriate controls in place to regulate and monitor it, including both IT and non-IT measures such as employee background checks, training, and specific user controls.
By implementing these steps for knowing and managing third-party access across the enterprise, and keeping a close eye on who has access to PII, you will be better able to mitigate the risk of breaches that stem from not knowing an employee or partner had access to sensitive information. The key, though, is taking the necessary steps now, not after your organization is breached. Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=49dd76001b&e=20056c7556 (http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fcb8335559&e=20056c7556)
TRAVEL WARNING: British tourists warned of ‘high terror threat’ in Thailand
The Foreign Office said there was a ‘high threat’ of terrorism but stopped short of advising against travel to the Thai capital. Travel advice issued by the British Foreign Office said: “Local police have confirmed a bomb explosion at 7pm on 17 August 2015 at the Ratchaprasong intersection next to the Erawan Shrine in central Bangkok. There are reports of casualties.” Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5c5d2eba36&e=20056c7556
Keep these cyberthug holidays marked on your calendar
Software Support Retirement
End of Support Day
Zero-Day Patch Tuesday / Ida Pro Wednesday
Data Dump Day
Quarterly Earnings Day
Black Friday / Cyber Monday
Tax Day Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=47f8100545&e=20056c7556
The insider versus the outsider: Who poses the biggest security risk?
An insider attack is one of the biggest threats faced by organizations, since these attacks can be very difficult for IT teams to identify.
This is because an insider, whether an employee or a contractor, is already entrusted with authorized access to at least some systems and applications on the corporate network. It can be very hard for IT to tell whether that person is just performing regular job tasks or carrying out something sinister.
IT teams must continue to focus on protecting the perimeter, but should also air gap internal network segments and, in some cases, business units.
There's no good reason to let developers be on the same network as human resources, or to allow sales to access the web servers. IT should also bite the bullet and begin changing privileged credentials on a frequent basis, with a unique and complex value for each credential.
Continuously rotating privileged credentials limits the lateral movement that attackers rely on once they hold a stolen credential.
Remove permanent administrative access and instead let delegated personnel be escalated when they need it, rather than holding persistent access. The article goes on to list six steps that organizations can take to significantly minimize the risks posed by both external cyber attacks and insider threats. Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=30d07ccfe3&e=20056c7556
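The two practices in the last paragraphs, frequent rotation with a unique secret per privileged account and time-boxed escalation in place of standing admin rights, are easier to reason about as a small model. What follows is an added example written for this page, not code from the article or from any vendor's product; the account names, role names and the cloned local-admin password in the usage are made up for illustration, and a real deployment would persist this state in a vault and push rotated secrets to the target systems.

```python
"""Added example (not from the article): a model of per-credential rotation
and just-in-time privilege elevation.  Account and role names are invented."""
import secrets
from dataclasses import dataclass


@dataclass
class Credential:
    account: str
    secret: str
    rotated_at: float  # epoch seconds of the last rotation


class PrivilegedAccess:
    def __init__(self, rotation_interval=24 * 3600):
        self.rotation_interval = rotation_interval
        self.credentials = {}  # account -> Credential
        self.grants = {}       # (user, role) -> expiry in epoch seconds

    def rotate(self, account, now):
        """Replace the account's secret with a fresh 256-bit random value,
        so no two accounts (and no two rotations) ever share a secret."""
        new = secrets.token_urlsafe(32)
        self.credentials[account] = Credential(account, new, now)
        return new

    def rotate_all(self, now):
        return {a: self.rotate(a, now) for a in list(self.credentials)}

    def verify(self, account, presented):
        cred = self.credentials.get(account)
        # constant-time compare so a wrong guess leaks nothing about the secret
        return cred is not None and secrets.compare_digest(cred.secret, presented)

    def stale_accounts(self, now):
        """Accounts whose secret is older than the rotation interval."""
        return sorted(a for a, c in self.credentials.items()
                      if now - c.rotated_at > self.rotation_interval)

    def shared_secrets(self):
        """Groups of accounts that (wrongly) share one secret value, the
        classic case being the same local admin password on every machine."""
        by_secret = {}
        for c in self.credentials.values():
            by_secret.setdefault(c.secret, []).append(c.account)
        return [sorted(v) for v in by_secret.values() if len(v) > 1]

    def elevate(self, user, role, now, ttl=3600):
        """Grant a role for ttl seconds; there is no permanent form."""
        self.grants[(user, role)] = now + ttl

    def is_elevated(self, user, role, now):
        expiry = self.grants.get((user, role))
        return expiry is not None and now < expiry

    def revoke_expired(self, now):
        expired = [k for k, exp in self.grants.items() if now >= exp]
        for k in expired:
            del self.grants[k]
        return len(expired)


if __name__ == "__main__":
    pa = PrivilegedAccess(rotation_interval=3600)
    pa.rotate("svc-backup", now=1000)       # invented account
    pa.rotate("svc-db", now=1000)
    print(pa.stale_accounts(now=5000))      # both are overdue
    pa.elevate("alice", "domain-admin", now=100, ttl=600)  # invented user/role
    print(pa.is_elevated("alice", "domain-admin", now=500))
    print(pa.is_elevated("alice", "domain-admin", now=700))
```

The `shared_secrets` check is the one worth running against a real inventory first: a single reused local administrator password across a fleet is exactly what turns one compromised host into the lateral movement the article warns about.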
Combining analytics and security to treat vulnerabilities like ants
Bill Franks, chief analytics officer at Teradata, said a business cannot afford to wait until it has experienced a breach to act, likening system vulnerabilities to ants in your house: once their origin has been isolated, sealing the cracks keeps the ants away.
With a spotlight on the banking sector, Franks said that the focus is shifting regarding what a company is looking for from its analytics requirements.
“When you get into fraud, companies are starting to do some additional security analytics over what they used to do. One of the methods that is really getting a lot of attention, and being used broadly, is network, or social network, analysis, which is the linkages between places, or things.” The analytics officer said that banks are doing more around trying to understand their customers better and marketing intelligently to a customer.
He said that it is not worth showing a customer a product that will not be of use to them when there could be a multitude of other services better suited to that person: “Is a credit card really the best thing for Bill, or is one of our other products more suited for him?” Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d10151d4d9&e=20056c7556
DDoS attacks double in Q2 as hackers switch tactics
DDoS attack traffic increased 132% compared to the corresponding quarter in 2014. The number of DDoS attacks more than doubled during the second quarter compared to last year, with one attack clocking more than 240Gbps and lasting for more than 13 hours.
The quarter also saw one of the highest packet-rate attacks ever recorded across the Prolexic Routed network, at 214 Mpps. Attacks of that ferocity can take down the Tier 1 routers used by Internet service providers (ISPs).
Akamai Cloud Security Business Unit vice president John Summers said: “The threat posed by distributed denial of service (DDoS) and web application attacks continues to grow each quarter.
Unsecured home devices have become an attractive target for attackers, who abuse the Simple Service Discovery Protocol (SSDP) side of Universal Plug and Play (UPnP) to use them as reflectors: a small discovery request with the victim's spoofed source address draws a larger reply from each device, aimed at the victim.
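Spotting SSDP reflection in flow data is mostly a matter of looking at the right two signatures, and the following is an added example (not from the Akamai report or any product) that shows both: on the victim side, many distinct UDP/1900 sources converging on one address; on the reflector side, an SSDP discovery request arriving from a public address, which never happens legitimately. The flow records, the addresses and the 100-byte M-SEARCH probe size are constructed for the example.

```python
"""Added example (not from the Akamai report): flag SSDP reflection in flow
records from both the victim's and the reflector's point of view.  All flow
records and the M-SEARCH size are constructed assumptions."""
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900
MSEARCH_BYTES = 100  # assumed size of a spoofed M-SEARCH probe

# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes): constructed
SAMPLE_FLOWS = [
    # five home devices answering SSDP to an address that never asked them
    ("203.0.113.10", 1900, "198.51.100.7", 443, "udp", 40, 14000),
    ("203.0.113.11", 1900, "198.51.100.7", 443, "udp", 38, 13300),
    ("203.0.113.12", 1900, "198.51.100.7", 443, "udp", 41, 14350),
    ("203.0.113.13", 1900, "198.51.100.7", 80, "udp", 39, 13650),
    ("203.0.113.14", 1900, "198.51.100.7", 80, "udp", 42, 14700),
    # benign LAN discovery: one multicast probe, one answer
    ("192.168.1.20", 54321, "239.255.255.250", 1900, "udp", 2, 350),
    ("192.168.1.1", 1900, "192.168.1.20", 54321, "udp", 2, 900),
    # unrelated TCP
    ("198.51.100.7", 51000, "93.184.216.34", 443, "tcp", 20, 6000),
    # reflector-side view: a probe to UDP/1900 from the internet carrying
    # the victim's address as its spoofed source
    ("198.51.100.7", 40000, "203.0.113.10", 1900, "udp", 1, 100),
]

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def detect_ssdp_reflection(flows, min_reflectors=3, min_bytes=10_000):
    """Victim side: group UDP flows with source port 1900 by destination and
    alert when enough distinct reflectors contribute enough bytes."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport != SSDP_PORT:
            continue
        rec = per_dst[dst]
        rec["reflectors"].add(src)
        rec["packets"] += pkts
        rec["bytes"] += nbytes
    alerts = {}
    for victim, rec in per_dst.items():
        if len(rec["reflectors"]) < min_reflectors or rec["bytes"] < min_bytes:
            continue
        avg = rec["bytes"] / rec["packets"]
        alerts[victim] = {
            "reflectors": len(rec["reflectors"]),
            "bytes": rec["bytes"],
            "avg_packet_bytes": round(avg),
            # how much larger each reply is than the probe that triggered it
            "est_amplification": round(avg / MSEARCH_BYTES, 1),
        }
    return alerts


def wan_ssdp_probes(flows):
    """Reflector side: SSDP requests should only come from the local network,
    so any UDP/1900 request from a public address is a spoofed probe (the
    source address it carries is the victim, not the attacker)."""
    hits = set()
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto == "udp" and dport == SSDP_PORT:
            if not any(ipaddress.ip_address(src) in n for n in PRIVATE_NETS):
                hits.add(src)
    return sorted(hits)


if __name__ == "__main__":
    print(detect_ssdp_reflection(SAMPLE_FLOWS))
    print(wan_ssdp_probes(SAMPLE_FLOWS))
```

The practical fix on the reflector side is the same one the amplification rate implies: UDP/1900 should be dropped at the WAN interface of every home router, because a device that answers SSDP from the internet is a reflector waiting to be used.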
Online gaming was the most targeted sector during the quarter, hit in 35% of the attacks, while China was among the top three source countries for DDoS traffic. WordPress was the platform attackers most favoured for spreading malware and launching DDoS attacks, given the number of vulnerabilities in the blogging platform. Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=eb24ef5909&e=20056c7556
4 Types of Cyber Attacks Targeting Manufacturers
If there's been one significant change in Automation World reader interests in the past year or two, it has been around cybersecurity. Just a few years ago, whenever we posted content on the topic, those articles received good levels of traffic, but nothing significant.
In the past year to 18 months, however, that has changed dramatically. Cybersecurity articles are now among the top content draws on our site. With that in mind, I connected recently with Chris Weber, co-founder of Casaba Security, to find out if anything has changed with regard to the standard issues surrounding manufacturing cybersecurity.
(Casaba Security is a white hat hacking firm that consults for the industrial, financial, technology and government sectors.) It turns out that things have changed quite a bit recently, most notably in the types of attacks being aimed at manufacturing sites.
Considering the changing cybersecurity threat level faced by manufacturers, Weber cautioned manufacturing firms to be most concerned with four specific types of attacks. Those attacks are:
* Drive-by Downloads
* Cross-Site Scripting
* Watering Hole Attack
* Wrappers
You should also plan for the worst. Weber says that every manufacturer should assume it will be breached. To deal with this, you should “segment your network as much as possible so that if a hacker or malware gets in, they can't easily move across the entire network. Encrypt critical data so that even if the attacker gets it, they can't use it. Back up data, so that they also can't ruin you by deleting or encrypting the data,” he says. Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7e6ef2b7c8&e=20056c7556
Bruce Schneier: The cyberwar arms race is on
Seattle — LinuxCon is about Linux, cloud, and containers, but it’s also about security. In the past year, programmers have been reminded that merely being “open-source” doesn’t mean that your code is safe. Assuming you’re secure is a mistake.
Because, as security maven Bruce Schneier explained to the LinuxCon audience via Google Hangouts, we're in a cyber-arms race. Schneier thinks the U.S. does a better job than most in determining who is attacking us, but it is not an exact science.
He cited, for example, that at first the FBI thought the Chinese government was behind the Office of Personnel Management (OPM) raid. Since then, he continued, the FBI has backed off on those claims. What makes the job of answering the million-dollar question, “Who’s attacking me?” even harder is not only are we “all vulnerable to these kinds of attacks … politically motivated attacks are happening far more often. Hacking is no longer driven by just profit motives.” For example, the U.S. defines two kinds of computer attacks:
Computer network exploitation (CNE), aka spying, which is the NSA's job, and Computer Network Attack (CNA), aka stealing and wrecking systems, which is the responsibility of US Cyber Command. The problem, according to Schneier, is that “Every step is the same until it's ‘delete .’ [CNA] or ‘copy .’ [CNE]. You can't tell which is which until it's too late.” So, today the problem is “We need good defense without being able to know who's attacking us. We need fast, flexible responses to attacks. Attribution, who did it, isn't that important in the short run.” Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=88737d11ed&e=20056c7556
Incident Response: More Art than Science
According to ESG research for example, (note: I am an ESG employee):
- 29% of enterprise organizations report an incident response weakness associated with performing forensic investigations to determine the root cause of a problem.
- 28% of enterprise organizations report an incident response weakness associated with performing retrospective investigations (i.e. historical investigations) and remediation to determine the scope and sources of an outbreak.
- 27% of enterprise organizations report an incident response weakness associated with analyzing threat intelligence to detect and respond to security incidents.
- 26% of enterprise organizations report an incident response weakness associated with determining which assets (if any) remain vulnerable to future attacks.
Recognizing this array of incident response weaknesses, the cybersecurity industry is now responding to a growing opportunity.
There have been a few acquisitions in this area, like FireEye's purchase of Mandiant and Proofpoint's grab of NetCitadel. Burgeoning IR requirements are also creating the integrated cybersecurity orchestration platform (ICOP) market, with products from the likes of CSG Invotas, Phantom Cyber, and Resilient Systems. Finally, firms like IBM, RSA, and Symantec are elbowing their way into the lucrative IR services market dominated by Mandiant.
Lots of people paint but only few produce masterpieces. As long as IR remains more art than science, we can expect a handful of experts and an abundance of amateurs. It will take a cooperative effort from the cybersecurity village to bridge this gap. Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2111239925&e=20056c7556
Four Lightning Strikes in Belgium Erase Google Customer Data
Google says four successive lightning strikes on one of its cloud infrastructure facilities in Europe last week permanently wiped out some customers’ data stored on disks.
Google called the incident “exceptional” and apologized to those affected. “Although automatic auxiliary systems restored power quickly, and the storage systems are designed with battery backup, some recently written data was located on storage systems which were more susceptible to power failure from extended or repeated battery drain,” Google said.
“In almost all cases the data was successfully committed to stable storage, although manual intervention was required in order to restore the systems to their normal serving state.” Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fbd625ec8b&e=20056c7556
Lenovo issues BIOS updates to fix security vulnerability
Lenovo has issued a BIOS fix for some of its machines, closing a vulnerability that could allow attackers to gain control of an affected Lenovo desktop or laptop.
The vulnerability was linked to the way Lenovo used a Microsoft Windows mechanism, the Windows Platform Binary Table (WPBT), through which firmware can hand Windows a binary to execute at boot, in a feature of its BIOS firmware called Lenovo Service Engine (LSE) that shipped on some Lenovo consumer PCs. It was first spotted by independent security researcher Roel Schouwenberg. Depending on the configuration of your BIOS, Lenovo has also put up instructions to help you install the update on your machine. The full list of all affected machines can be found on this link. Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f5199f48be&e=20056c7556
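The mechanism behind LSE is an ACPI table, so the first check a practitioner wants is whether a platform carries one at all and what it points at. The following is an added example, not Lenovo's, Microsoft's or the researcher's code: it builds a sample WPBT (the bytes, OEM strings and command line are constructed for the example) and parses it back, validating the ACPI checksum and the length fields before trusting the physical address and command line it carries. The field layout follows the published WPBT specification as I understand it (standard ACPI header, then handoff size, physical address, content layout, content type, and for layout 1 a length-prefixed UTF-16LE command line); on Linux the same table, if present, is readable from sysfs.

```python
"""Added example (not Lenovo's or Microsoft's code): build, validate and
decode a Windows Platform Binary Table (WPBT).  The sample table is
constructed; the layout follows the published WPBT specification."""
import os
import struct

ACPI_HEADER = "<4sIBB6s8sI4sI"   # signature, length, revision, checksum,
                                 # OEM id, OEM table id, OEM rev, creator, rev
WPBT_BODY = "<IQBBH"             # handoff size, address, layout, type, args len
HEADER_LEN = struct.calcsize(ACPI_HEADER)   # 36
BODY_LEN = struct.calcsize(WPBT_BODY)       # 16


def acpi_checksum_ok(table):
    """Every ACPI table sums to zero modulo 256 over its full length."""
    return sum(table) & 0xFF == 0


def build_wpbt(binary_addr, binary_size, cmdline):
    """Construct a well-formed WPBT; used here only to produce a sample."""
    args = cmdline.encode("utf-16-le") + b"\x00\x00"
    body = struct.pack(WPBT_BODY, binary_size, binary_addr, 1, 1, len(args)) + args
    length = HEADER_LEN + len(body)
    header = struct.pack(ACPI_HEADER, b"WPBT", length, 1, 0,
                         b"EXAMPL", b"CONSTRCT", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF   # checksum byte lives at offset 9
    return bytes(table)


def parse_wpbt(blob):
    """Validate and decode a WPBT; raises ValueError on anything malformed."""
    if len(blob) < HEADER_LEN + BODY_LEN:
        raise ValueError("table too short")
    sig, length, _rev, _chk, oemid, oemtid, *_ = struct.unpack_from(ACPI_HEADER, blob, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT signature: {sig!r}")
    if length > len(blob) or length < HEADER_LEN + BODY_LEN:
        raise ValueError("length field inconsistent with buffer")
    if not acpi_checksum_ok(blob[:length]):
        raise ValueError("ACPI checksum failure (table corrupted or tampered)")
    size, addr, layout, ctype, argslen = struct.unpack_from(WPBT_BODY, blob, HEADER_LEN)
    if layout != 1 or ctype != 1:
        raise ValueError(f"unsupported layout/type {layout}/{ctype}")
    start = HEADER_LEN + BODY_LEN
    if start + argslen > length:
        raise ValueError("command line runs past the table")
    args = blob[start:start + argslen]
    return {
        "oem_id": oemid.decode("ascii", "replace").strip(),
        "oem_table_id": oemtid.decode("ascii", "replace").strip(),
        "binary_addr": addr,     # physical address Windows will read the PE from
        "binary_size": size,
        "cmdline": args.decode("utf-16-le").rstrip("\x00"),
    }


def is_valid_wpbt(blob):
    try:
        parse_wpbt(blob)
        return True
    except ValueError:
        return False


def wpbt_from_sysfs(path="/sys/firmware/acpi/tables/WPBT"):
    """Linux exposes the firmware's ACPI tables under sysfs; a WPBT being
    present means the platform is set up to inject a binary into Windows."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return parse_wpbt(f.read())


if __name__ == "__main__":
    sample = build_wpbt(0x7FF00000, 0x2000, "-install")  # constructed values
    print(parse_wpbt(sample))
    print(wpbt_from_sysfs())   # None on a machine without a WPBT
```

Finding a WPBT is not itself a vulnerability: the point of the check is to know that the firmware is installing software into the OS, and then to inspect the binary at the reported address rather than assume it is benign.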
Cybersecurity Data Sharing Is Now Available to Law Firms
Law firms now have access to a platform that allows them to share data on cybersecurity threats anonymously. The Legal Services Information Sharing and Analysis Organization or LS-ISAO will announce its launch on Wednesday and will alert firms to potential cyber threats and vulnerabilities.
The Financial Services Information Sharing and Analysis Center, also known as FS-ISAC, the financial industry’s forum for cyber threat discussion, is providing guidance and support to the law firm service.
To become a member of the law firm forum, firms must submit an application, pay an $8,000 membership fee and meet eligibility criteria. The primary criterion is that a firm have the majority of its lawyers in the U.S., Canada or the United Kingdom, Donaldson said, adding that could change over time. Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2d34702694&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage1.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=5435a60d71)
Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)