[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions
So onto the news:
Security spending will reach $75.4b worldwide: Gartner
Worldwide security spending will reach $75.4 billion this year, a 4.7 percent increase over last year, according to the latest forecast from technology research firm Gartner.
“Interest in security technologies is increasingly driven by elements of digital business, particularly cloud, mobile computing, and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks,” Elizabeth Kim, research analyst at Gartner said.
According to Gartner, increased legislation continues to be a driver for security spending in some countries, suggesting the increase in spending is also driven by government initiatives and the coverage of high-profile data breaches that have been revealed throughout the year.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6cab9f1585&e=20056c7556
EU-US data-sharing contradicts protection rules and breaches privacy
The advocate general of the European Court of Justice has said the mass transfer of EU user data to the US by companies such as Facebook contradicts EU data protection laws and represents a breach of the fundamental right to privacy.
In a preliminary and non-binding assessment ahead of a full ruling, the Luxembourg court’s advocate general Yves Bot recommended that the court invalidate the existing “Safe Harbour” rules.
The final verdict on this case, expected as early as next month, could have far-reaching consequences for EU-US diplomatic and trade relations, as well as ongoing talks on a transatlantic free-trade agreement.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a87ea8f685&e=20056c7556
South Korea data breach penalty rules revised to encourage voluntary reporting
The Korean Communications Commission (KCC) recently revised its data breach penalty rules to allow reductions in fines of up to 30% if companies voluntarily report a data breach to the regulator.
The stated objective is to incentivize businesses to come forward of their own accord in relation to data breaches.
Following the amendment to the Act on the Promotion of Information Communication Network Utilization and Protection of Information which became effective in November 2014, businesses are required to notify customers immediately and report to the KCC within 24 hours in the event of a data breach.
That amendment introduced statutory base fines of up to 3% of a company’s annual revenue and court-sanctioned compensation of up to 3 million Korean won ($2,640) to consumer victims of a data breach, with further compulsory fines of up to 50% of the statutory base fine based on the scale and duration of the breach, and also discretionary adjustments (up or down) of these additional compulsory fines to take account of the seriousness of the breach and the attitude and responsiveness of the company.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=19349ff4f3&e=20056c7556
The Sweet 16: Data Points Needed for a Cyber Incident Data Repository and High Value Cyber Risk Analysis
The new white paper on Establishing Community-Relevant Data Categories in Support of a Cyber Incident Data Repository is the second in the CIDAWG’s white paper series.
It identifies 16 data categories that would support the kinds of analysis that could help insurers enhance their existing offerings while assisting CISOs, CSOs, and other cybersecurity professionals with their complementary cyber risk mitigation missions.
The white paper builds on the CIDAWG’s previous white paper, released in June, on the Value Proposition for a Cyber Incident Data Repository.
Conceptually, such a repository would aid insurers in delivering policies, at lower rates, to “best in class” clients, thereby contributing to and effectively informing the overall corporate risk management strategies of those clients.
Such a repository also would support a host of advances for cyber risk management professionals generally, including enhanced cyber risk data and trend analysis, bolstered in-house cybersecurity programs, and improved cybersecurity solutions, products and services.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b9f4d93aa3&e=20056c7556
Security leaders need to explore before they can exploit
As security leaders, how do we earn our position in the executive suite?
How do we ready ourselves for the position?
Kevin West, CEO of K logix (Twitter, LinkedIn), invests time interviewing and profiling CISOs.
He recently shared some findings in “Feats of Strength” (link to download).
Some key findings from the work include:
– Most CISOs average 13 months in the role
– The bulk of CISOs are in their first “leadership” role
– Only 15% of CISOs report to the CEO
As an industry, we’re struggling with the CISO position.
We’re working to define what it is, the required competencies, the reporting structure, and the like.
Kevin shared a trait observed in successful CISOs.
They âenable the team to execute on the business plan — with a technical mindset.â
A security leader needs to rank assets and efforts to create value.
To protect the right things means knowing what matters.
Accurate insights and understanding lead to better decisions.
Instead of a call to “think like an attacker,” act like a leader.
Embark on your own exploration.
Learn about your organization and the people that comprise it.
Explore how the business works.
Identify protections and areas for improvement.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ab18a162ca&e=20056c7556
What is domain shadowing and how can enterprises defend against it?
According to Cisco Talos researchers, domain shadowing is “the process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner.” It is a variant of a fast-flux domain name attack.
In an attack that includes domain shadowing, an attacker logs into the domain registrar’s website with the stolen credentials and sets up a new subdomain pointing at a new server IP address.
By registering many subdomain names and IP addresses, attackers are able to avoid blacklists, but it does not allow attackers to bypass reputation-based filters.
Domain shadowing can then be used to embed a DNS name in the malware, which could be used to download the malware from a compromised webhost or dictate where a compromised system should send stolen data.
There are some steps enterprises can take, however.
For example, an IP address can be checked against a reputation-based blacklist and examined for how many distinct names resolve to it, and heuristic behavioral analysis can then be used to identify which potentially malicious network connections require further investigation.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f6b4056088&e=20056c7556
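The detection idea in the item above (many never-before-seen subdomains of a legitimate domain appearing in a short window, all resolving to hosts the domain has never used, with several names sharing one IP) can be expressed as a simple passive-DNS heuristic. The following is an added example, not code from the Cisco Talos research or from this newsletter; the record format ("timestamp name ip"), the sample records, the baseline cutoff and the threshold are all constructed assumptions.

```python
"""Heuristic detection of domain shadowing in DNS resolution records.

Added example, not code from the Cisco Talos research or this newsletter.
It assumes a constructed passive-DNS style input of "timestamp name ip" lines:
records before a cutoff form the baseline of names and IPs each registered
domain is known to use, and records after it are checked for a burst of
never-before-seen subdomains pointing at IPs the domain has never used.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: example-shop.com keeps its normal records while several
# random-looking subdomains appear, all pointing at hosts outside its usual
# range; example-news.org adds one subdomain on its own known host (benign).
SAMPLE_RECORDS = """\
2015-09-20T10:00:00 www.example-shop.com 203.0.113.10
2015-09-20T10:01:00 mail.example-shop.com 203.0.113.11
2015-09-20T10:02:00 www.example-news.org 192.0.2.5
2015-09-24T02:13:00 www.example-shop.com 203.0.113.10
2015-09-24T02:13:01 cdn.example-shop.com 203.0.113.10
2015-09-24T02:13:02 a7f3k.example-shop.com 198.51.100.21
2015-09-24T02:13:05 q9z1b.example-shop.com 198.51.100.21
2015-09-24T02:13:09 x2m8p.example-shop.com 198.51.100.22
2015-09-24T02:13:12 h4t0c.example-shop.com 198.51.100.22
2015-09-24T03:00:00 blog.example-news.org 192.0.2.5
"""


def registered_domain(name):
    """Owner-level domain. Assumption: last two labels; real code should use
    the public suffix list so that names under co.uk and similar are handled."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_records(text):
    """Parse the constructed 'timestamp name ip' lines into tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, name, ip = line.split()
        records.append((datetime.fromisoformat(ts), name.lower(), ip))
    return records


def find_shadowed_domains(records, cutoff_iso, min_new_subdomains=3):
    """Return {registered_domain: {subdomain: set(ips)}} for domains that gained
    at least min_new_subdomains unseen names resolving only to unseen IPs."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    known_ips, known_names = defaultdict(set), defaultdict(set)
    recent = defaultdict(lambda: defaultdict(set))
    for ts, name, ip in records:
        owner = registered_domain(name)
        if ts < cutoff:
            known_ips[owner].add(ip)
            known_names[owner].add(name)
        else:
            recent[owner][name].add(ip)
    findings = {}
    for owner, names in recent.items():
        # A name is suspicious only if it is new AND none of its IPs belong
        # to the owner's baseline; a new name on a known host is normal growth.
        suspicious = {n: ips for n, ips in names.items()
                      if n not in known_names[owner] and not ips & known_ips[owner]}
        if len(suspicious) >= min_new_subdomains:
            findings[owner] = suspicious
    return findings


def names_per_ip(findings):
    """Count distinct shadowed names per IP across all findings; hosts serving
    many such names are the ones to feed into reputation checks first."""
    counts = defaultdict(int)
    for names in findings.values():
        for ips in names.values():
            for ip in ips:
                counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_shadowed_domains(parse_records(SAMPLE_RECORDS), "2015-09-23T00:00:00")
    for owner, names in found.items():
        print(owner, sorted(names))
    print(names_per_ip(found))
```

The baseline window is what keeps ordinary growth (a new `cdn.` host on an existing IP) out of the findings; the threshold and window length are tuning knobs that depend on how many subdomains a given organisation legitimately creates per day.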
Cyber Security Benchmark Highlights Legacy Product Failures
PALO ALTO, Calif., Sept. 23, 2015 /PRNewswire/ — In August 2015, with funding support from the US DHS, the Open Web Application Security Project (OWASP) published an open source Benchmark Project on application security accuracy.
The Benchmark Project allows organizations to measure the effectiveness of application security solutions by providing an application with over 21,000 test cases across 11 different attack categories.
It also uses code that looks vulnerable, but isn’t, to check for false alarms.
The new Benchmark Project exposes the failings of the Static Source Code (or SAST) and Dynamic Web Scanning (or DAST) product categories.
The best performing products in those groups scored a discouragingly poor 33% accuracy on the Benchmark, demonstrating that companies relying on them are left vulnerable to hackers.
That’s alarming given the importance of application security, and business dependence on those products.
“By understanding what a tool can and cannot do, the OWASP Benchmark Project has the potential to positively stimulate improvements in software security assurance tools,” said Kevin Greene, Program Manager, Cyber Security Division, United States Department of Homeland Security.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8c1fb41211&e=20056c7556
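The Benchmark's design point, pairing truly vulnerable test cases with look-alikes that are safe so that a tool is penalised for false alarms as much as it is rewarded for real findings, comes down to a small scoring rule: the Benchmark scores a tool as its true positive rate minus its false positive rate, so a tool that flags everything scores zero, just like one that flags nothing. The block below is an added example, not code from the OWASP Benchmark project; the two tiny SQL-building functions illustrate what a true-positive case and a false-alarm case look like, and the labelled cases and tool outputs are constructed.

```python
"""Scoring an application-security tool the way the OWASP Benchmark does.

Added example, not code from the OWASP Benchmark project. The Benchmark pairs
truly vulnerable test cases with look-alikes that are safe, and scores a tool
as true positive rate minus false positive rate, so flagging everything and
flagging nothing both score zero. The test cases and tool results below are
constructed for illustration.
"""
from collections import defaultdict


# --- what "looks vulnerable but isn't" means, in two small constructed cases ---

def lookup_vulnerable(user_id):
    """True-positive case: attacker-controlled text is spliced into the SQL."""
    return f"SELECT name FROM users WHERE id = '{user_id}'"


def lookup_lookalike(user_id):
    """False-alarm case: same shape, but int() turns the value into a plain
    number, so a scanner that reports it is producing noise."""
    return f"SELECT name FROM users WHERE id = {int(user_id)}"


# Constructed labelled test cases: (case id, category, truly vulnerable?)
TEST_CASES = [
    ("sqli-01", "sqli", True), ("sqli-02", "sqli", True),
    ("sqli-03", "sqli", True), ("sqli-04", "sqli", True),
    ("sqli-05", "sqli", False), ("sqli-06", "sqli", False),
    ("xss-01", "xss", True), ("xss-02", "xss", True), ("xss-03", "xss", True),
    ("xss-04", "xss", False), ("xss-05", "xss", False), ("xss-06", "xss", False),
]

# Constructed tool outputs: the set of case ids each tool reported as vulnerable.
TOOL_RESULTS = {
    "flag-everything": {cid for cid, _, _ in TEST_CASES},
    "selective": {"sqli-01", "sqli-02", "sqli-03", "sqli-05",
                  "xss-01", "xss-02", "xss-04"},
}


def benchmark_score(test_cases, flagged):
    """Per-category and overall TPR, FPR and score = TPR - FPR."""
    tallies = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for cid, category, vulnerable in test_cases:
        hit = cid in flagged
        for key in (category, "overall"):
            if vulnerable:
                tallies[key]["tp" if hit else "fn"] += 1
            else:
                tallies[key]["fp" if hit else "tn"] += 1
    report = {}
    for key, t in tallies.items():
        # max(1, ...) only guards a category with no cases of one kind.
        tpr = t["tp"] / max(1, t["tp"] + t["fn"])
        fpr = t["fp"] / max(1, t["fp"] + t["tn"])
        report[key] = {"tpr": tpr, "fpr": fpr, "score": tpr - fpr}
    return report


if __name__ == "__main__":
    for tool, flagged in TOOL_RESULTS.items():
        for key, r in benchmark_score(TEST_CASES, flagged).items():
            print(f"{tool:16} {key:8} TPR={r['tpr']:.2f} "
                  f"FPR={r['fpr']:.2f} score={r['score']:+.2f}")
```

Run as a script it prints the per-category and overall rows for both constructed tools; the "flag-everything" tool lands on a score of exactly zero in every category, which is the property that makes the metric resistant to tools that simply report everything.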
Ad-Fraud Prevention Firm Starts Ranking Mobile Exchanges by Fraudulent Traffic
Ad-fraud prevention firm Pixalate is hoping to shine a light on the problem with its new Mobile Seller Trust Index, which it describes as an independent, standardized rating system of ad exchanges’ fraud activity.
Pixalate evaluated more than 125 supply-side platforms.
The 10 exchanges that got the best ratings include Amobee, Rubicon, Big Mobile Group, Millennial Media Exchange and AOL Marketplace.
Other exchanges might not be so approving.
The full index, which Pixalate plans to update each month, can be seen here.
The company introduced a similar index for display ad quality in the desktop and mobile web in December.
The need to sort out mobile ad fraud, particularly in apps, is becoming more critical as mobile users and advertisers alike flock to apps.
Marketers will spend $20.8 billion to reach consumers via mobile apps in 2015 but only $7.9 billion on mobile browsers, according to projections by eMarketer.
When mobile spending surpasses desktop advertising next year, eMarketer says, app ad dollars will reach nearly $30 billion, compared with the mobile web’s $10.8 billion.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2f187b5c52&e=20056c7556
Facebook launches new ECC key encryption options
On Tuesday, the social media giant announced support for OpenPGP’s standard elliptic curve cryptography (ECC) public keys, including NIST curves P-256, P-384, and P-521.
The public key support builds upon Facebook’s launch of OpenPGP key support in June.
The support permits end-to-end encrypted notification emails to be sent from Facebook to your linked email accounts.
Facebook’s additional encryption service offers “high levels of security for relatively smaller key sizes,” according to the tech giant, which also removes some of the complication of using and configuring PGP keys.
ECC keys, widely adopted in modern cryptography, can now be posted on your profile and Facebook will use them to further encrypt email notifications.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bb4449b8c9&e=20056c7556
What Companies Want In A CISO
Joyce Brocaglia founder of the Executive Women’s Forum and CEO of Alta Associates joins the Dark Reading News Desk at Black Hat to discuss closing the gender gap in security and what companies are looking for in a chief information security officer.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=adf689ab3a&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=5e349efeef)
Update subscription preferences (http://paulgdavis.us3.list-manage2.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)