[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions
So onto the news:
Strengthening IIROC-Regulated Firms’ Risk Management – IIROC Publishes Resources To Help Dealers Increase Cybersecurity Preparedness
The Investment Industry Regulatory Organization of Canada (IIROC) today published two resources to help IIROC-regulated firms protect themselves and their clients against cyber threats and attacks.
The Cybersecurity Best Practices Guide provides an enterprise-wide risk-based framework of industry standards and best practices that IIROC-regulated firms can apply to heighten awareness and manage cyber risks in an evolving environment.
The Cyber Incident Management Planning Guide is a complementary tool for firms to prepare effective response plans for cyber threats and attacks.
These resources were produced by a leading security consulting firm, engaged by IIROC, which has worked with other Canadian financial services regulators on cybersecurity matters.
This initiative follows from previous work IIROC conducted including a survey of its membership, a table-top exercise, as well as input from industry representatives.
IIROC also reviewed approaches used by other domestic and global financial services regulators.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e25b1d26a7&e=20056c7556
Blue Ridge® Networks and Venture Group Enterprises (VGE) Launch Sales of AppGuard® Business
The biggest challenge in starting the conversation about the need for a SOC is justifying the cost to people who don’t understand the threat landscape or the value of being proactive rather than reactive about security.
According to the 2015 Verizon Data Breach Investigation Report, “In 60% of cases, attackers are able to compromise an organization within minutes,” and “75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).” Waiting to react to a breach until after damage has been done will most likely lead to an extremely costly recovery.
We have all seen in the news the amount of money lost from data breaches.
Showcasing a few data breach examples from a source such as DataLossDB will surely make your point.
Step 1: Planning the SOC
Steps 2–3: Designing and Building the SOC
Step 4: Operating the SOC
Step 5: Reviewing the SOC
With all these requirements, it is easy to see why SOCs might fail to fulfill their initial promise.
No SOC is perfect, but a healthy SOC can evolve for the better.
Efforts to maintain, review, and improve your SOC are fundamental to its long-term viability.
Remember, running a SOC is a journey, not a destination.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3bfab542bd&e=20056c7556
Cloud-Trust – a Security Assessment Model for Infrastructure as a Service (IaaS) Clouds
[Publication] The vulnerability of Cloud Computing Systems (CCSs) to Advanced Persistent Threats (APTs) is a significant concern to government and industry.
We present a cloud architecture reference model that incorporates a wide range of security controls and best practices, and a cloud security assessment model – Cloud-Trust – that estimates high level security metrics to quantify the degree of confidentiality and integrity offered by a CCS or cloud service provider (CSP).
Cloud-Trust is used to assess the security level of four multi-tenant IaaS cloud architectures equipped with alternative cloud security controls and to show the probability of CCS penetration (high value data compromise) is high if a minimal set of security controls are implemented.
CCS penetration probability drops substantially if a cloud defense in depth security architecture is adopted that protects virtual machine (VM) images at rest, strengthens CSP and cloud tenant system administrator access controls, and which employs other network security controls to minimize cloud network surveillance and discovery of live VMs.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b156abb3de&e=20056c7556
How fake users are impacting business … and your wallet
According to “The Fraud Report: How Fake Users are Impacting Business,” [PDF] a study released by TeleSign, a mobile identity solutions company, and the Ponemon Institute, a research institute, 82 percent of companies struggle with fake users.
They surveyed 584 U.S. and 414 U.K. individuals who are involved in the registration, use or management of user accounts.
Average value of user base of the respondents: $117 million.
That’s a lot of big targets for hackers to go after.
And they’re doing, well, everything.
According to the study, 30 percent of fake users are there to spam real site users.
Twenty-seven percent want to steal confidential information; 14 percent are after social engineering, 10 percent want information for phishing, six percent are hoping to take over an account, four percent want to create both chaos and disruption and credit card fraud, and three percent want to create fake reviews.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=35ec6347ca&e=20056c7556
Microsoft now taking on Man in the Middle ad injection and browser hijacking
Microsoft has decided that enough is enough and they are now focused on giving users back full control over their system.
The way they will do this is through their Adware objective criteria and the way their anti malware products identify and remove unwanted and malicious software.
Yesterday, Microsoft added a new criteria that will be used to identify these man in the middle attacks and any software violating this criteria will be added to their malware definitions with settings to detect and remove the offending software.
Microsoft will begin removing any software programs that violate the above criteria on 31 March 2016.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=30f187606f&e=20056c7556
I’m Yelling Tinba! Trojan Sets Sights on Singapore Banks for Holiday Season
IBM X-Force malware researchers have uncovered an aggressive malware campaign targeting banks in Asia.
The campaign, which uses the Tinba v3 banking Trojan to infect potential victims, has its sights set on business and corporate accounts held with nine major bank brands in Singapore.
While other countries are also targeted, the number of Singaporean bank brands on the malware gang’s list tops the chart.
The country accounts for more than one-third of all targeted brands.
Tinba’s most common infection method is through the Angler exploit kit, with users lured via malvertising campaigns.
This infection approach is especially insidious because it can compromise popular, legitimate websites and serve poisoned ads.
The infection itself is a drive-by download that takes place automatically and without the user ever seeing it occur.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ef68616b07&e=20056c7556
NEW DELHI: Dirty streets aren’t the only thing the Narendra Modi government hopes to clean up.
After ‘Swachh Bharat’ campaign, the Indian government plans to ensure the cleanliness in the online world too, with a ‘Digital Swachhata Kendra’ or cyber hygiene centre, for analysis of malware and botnets that affect networks and systems.
“The pilot project is going on, and subject to approvals from the (IT) minister, we want to call it the Digital Swachhata Kendra,” a senior official of the Indian Computer Emergency Response Team (CERT-In) told ET.
The malware analysis and botnet cleaning centre was announced earlier this year, with an outlay of Rs 100 crore, and is being implemented by CERT-In as part of Digital India.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9209792b7c&e=20056c7556
Threats targeting operational technology in critical infrastructures highlight the need for Industrial Control Systems Security, according to Frost & Sullivan
SINGAPORE, Dec. 23, 2015 /PRNewswire/ — In line with the Industry 4.0 Mega Trend, diverse industries have accelerated the adoption of Internet of Things (IoT).
Industry players have been exploring ways to enhance their efficiency and competitiveness by harnessing the benefits of IoT and standardizing protocols relating to Internet Protocol (IP).
This movement toward digital transformation in manufacturing, utilities, transportation, and grids has highlighted the need for industrial control systems (ICS) security during the design phase.
New analysis from Frost & Sullivan, Asia-Pacific Industrial Control Systems Security Market (http://www.frost.com/sublib/display-report.do?id=P8A5-01-00-00-00&src=PR), finds that the market earned revenues of US$162.9 million in 2014 and estimates this to reach US$1.18 billion in 2019.
The study provides detailed threat analysis, market forecasts from 2014 to 2019, as well as identifying the drivers and restraints.
In response to customers’ concerns, ICS security vendors are working on technologies that can be implemented without affecting the availability of existing equipment or workstations.
Meanwhile, industries are becoming increasingly aware of the cyber attacks affecting plants’ uptime.
It has been observed that some energy plants in Asia Pacific understand the potential cyber threats to their operations and have encouraged them to comply with ICS security guidelines such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC-CIP) or National Institute of Standards and Technology (NIST).
Governments in Asia-Pacific are also expected to give priority to security and mandate or recommend effective cyber security measures for their critical infrastructure.
For instance, the Japanese Government has been proactive in promoting ICS security.
It established the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), which, in turn, established the Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR) Council to facilitate information sharing among critical infrastructure verticals.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=88d2eeb523&e=20056c7556
New Hunting Grounds for Hackers in 2016
WatchGuard® Technologies, a leader in multi-function firewalls, revealed its full list of 10 new information security predictions for 2016.
WatchGuard’s security research highlights new and emerging threat trends that include: advanced ransomware moving on to alternate platforms; an increase in targeted iOS attacks; and a new hunting ground for criminals to find data that leads to identity theft.
Ransomware Reaches New Platforms:
Social Engineering Keeps People as Your Biggest Threat:
SMB Security Breaches Go Back to Basics:
Malware on iOS Will Rise:
Malvertising Increases by Leveraging Encryption:
Automation Brings Security to the Next Level:
Cyber Criminals Go Back to School to Get Data:
Hijacked Firmware Attacks the Internet of Things:
Wireless “Ease-of-Use” Features Expose the Next Big Wireless Flaw:
Hacktivists Hijack Broadcast Media:
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=de3621f615&e=20056c7556
Hyatt hotel chain warns customers to check accounts after malware discovery sparks hacking fears
The Hyatt hotels chain has warned customers to check their accounts for unauthorized charges after finding malicious software in its IT systems.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7ec44226d9&e=20056c7556
Rely on cloud security policy — not tools — to protect AWS
AWS boosted its security management offerings at re:Invent, but the cloud provider’s shared responsibility model means developers must be attentive and implement policies.
At AWS re:Invent 2015, the cloud provider announced two new security services and improved security on an existing product.
The AWS Web Application Firewall is a new tool that’s useful, but hardly groundbreaking; the other two products squarely tackled the problem of overly complex security administration.
These new services complement AWS Trusted Advisor, which analyzes an environment to identify ways to improve performance, security and reliability to reduce cost.
Amazon Inspector audits security compliance by comparing the configuration of server instances, networks and storage against a knowledge base of hundreds of rules, looking for violations of best practices and standards like PCI DSS.
These include potential issues like allowing remote root logins, unpatched software with known vulnerabilities or leaving network ports unnecessarily open.
Inspector generates a prioritized report of each violation and suggests remediation steps.
AWS Config Rules is an improvement to AWS Config, which adds templates and guidelines using a mix of prebuilt AWS best practices and a user’s custom rules to flag errors in provisioning and configuring resources.
The service continuously monitors the environment to ensure resources remain compliant.
Example rules include mandating that volumes are encrypted, all Elastic Compute Cloud instances are tagged properly and that CloudTrail is enabled on all resources to log API calls.
One of the major announcements out of Microsoft’s AzureCon event was Azure Security Center, a service that consolidates security management and monitoring under a single portal.
For example, admins can quickly see if VM images and configurations are up to date, configured according to predefined standards or Microsoft guidelines and running necessary security software.
From the same portal, admins can also check on network and database settings like ensuring that virtual networks are members of the correct security groups and have properly set access control lists or whether SQL databases are encrypted.
Security Center also draws upon threat intelligence data Microsoft collects from all Azure deployments and notifies customers of unusual or threatening activity.
For example, Microsoft has built a reputation database of known bad sites, such as those part of botnet control networks.
Although not as ambitious as its competitors’ new services, Google has recently automated a key security task, vulnerability scanning, for its platform as a service App Engine customers.
The company’s Security Scanner “… crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible,” according to company documentation.
Security Scanner can detect the following vulnerabilities: XSS (cross-site scripting), Flash injection, mixed content — fetching unencrypted HTTP content on an SSL HTTPS page — and usage of insecure JavaScript libraries.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9981133e40&e=20056c7556
Yahoo will now tell you if your account is attacked by government hackers
Yahoo has announced in a blog post that it will warn users if it thinks their accounts are being attacked by state-sponsored hackers. (We saw the news over on ZDNet.)
Yahoo joins a number of other tech companies taking similar measures as privacy issues become increasingly front-and-centre: Facebook, Google and Twitter all warn you if they think you’re being targeted.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=73a79675fd&e=20056c7556
Panda Security: New Malware Hit 230,000 Per Day in 2015
New malware will grow exponentially in 2016, with cyber-criminals increasingly taking to JavaScript and PowerShell to launch successful attacks against their victims, according to Panda Security.
It warned of an increase in infections via JavaScript and Windows admin tool PowerShell.
Panda’s prediction of an exponential rise in new malware is not quite in line with the predictions of some of its rivals, who see malware growth slowing.
Elsewhere, Panda predicted mobile and Internet of Things devices would be increasingly under fire next year.
When it comes to Android, cyber-criminals are likely to launch more threats designed to root the device – making it almost impossible for AV tools to stop.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f90871ece7&e=20056c7556
Java plug-in malware alert to be issued by Oracle
Millions of Java users are to be warned that they could be exposed to malware as a result of a flaw that existed in the software’s update tool.
Its distributor Oracle has agreed to issue an alert on both social media and its own site following an investigation by the US’s Federal Trade Commission.
“The security issues allowed hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive information,” the FTC said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e752a8aa0c&e=20056c7556
[Imperva] Botnet traffic in 2015 – the invisible force that wants to eat the Internet
The firm’s figures for 2015 (measured between July and October on websites using the firm’s security) found that roughly half of all traffic was generated by automated bots, both good ones such as search engine spiders (19.5 percent) and bad ones such as spam engines and pricing scrapers as well as DDoS traffic (29 percent).
Only a fraction over half was initiated by a person clicking a mouse.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dddcfce12f&e=20056c7556
Four Security Issues All Business Contracts Should Address
A recent lawsuit provides a nice case study for how businesses’ contracts can play a critical role in their cybersecurity strategy.
Before the court is this question: Who was responsible for maintaining cybersecurity safeguards for a bank’s website, the bank or the company that designed and hosted the website?
The dispute in Travelers Casualty and Surety Co. of America v. Ignition Studio, Inc. reveals that their contract did not address several important cybersecurity issues.
This case began with Alpine Bank, a financial institution, hiring Ignition Studio, a professional website design company, to design and host its website.
Ignition Studio designed and, apparently, hosted the website for Alpine Bank.
Some time later, hackers attacked the website and caused a data breach that caused Alpine Bank to incur $154,711.34 in expenses to comply with its data breach response obligations.
Alpine Bank made an insurance claim to Travelers.
Travelers paid the claim and then sued Ignition Studio to recover the amount of the losses.
Travelers’ Complaint alleged causes of action based on negligence and breach of contract.
Four Basic Cybersecurity Issues Today’s Business Contracts Should Address
– What cybersecurity standards apply to the project. Are there specific regulatory or industry standards governing either party, or other unique circumstances, that require certain cybersecurity standards?
– What are each of the parties’ responsibilities for taking steps to ensure that the project is protected by adequate cybersecurity safeguards. What steps will be taken. How will they be implemented?
– What procedures are in place for verifying, whether by audit or otherwise, that the agreed upon cybersecurity safeguards are being used. What are the remedies if they are not?
– What are the parties’ requirements for notifying each other in the event of an incident. If one occurs, what are their respective obligations?
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4042ce0f2e&e=20056c7556
Highlights of Europe’s New Global Data Protection Law
After nearly four years of amendments and negotiations, the European Parliament, Council of the European Union and European Commission reached a political agreement on the proposed General Data Protection Regulation (GDPR) on December 15, 2015.
Pending a legal-linguistic review of the texts and final votes from the European Parliament and Council, the GDPR will be published in the Official Journal of the European Union and will take effect two years after such publication (expected Spring 2018).
This will change not only how Europe regulates personal data but how we as a global society regulate the Internet.
Additionally, the GDPR introduces significant penalties for breaches of the GDPR: up to 4 percent of an entity’s total worldwide annual revenue.
Penalties will apply to all data processing by an establishment in Europe, regardless of where that processing takes place.
If an entity is established outside of Europe, the GDPR will apply to that entity if the entity is (1) offering goods or services in Europe (including free services); or (2) monitoring behavior in Europe.
Monitoring behavior may be broadly applied to include ordinary web analytics on any website, thereby bringing many websites potentially within the scope of the GDPR.
Other notable changes include the following:
– Harmonized Law.
– Broad Definition of Personal Data.
– Two Kinds of Consent.
– Children.
– No More Registration.
– Data Protection Officers.
– Data Protection Impact Assessments.
– Accountability and Records.
– One-Stop Shop and the European Data Protection Board.
– Broad Enforcement Rights.
– Quasi Class Actions.
– Profiling.
– Data Breach Notification.
– New Individual Rights.
– Data Protection by Design and by Default.
– Obligations on Processors.
– Restrictions on Data Transfers.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=16e0c02d46&e=20056c7556