[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter's opinions
Assuming that everybody has heard about Hyatt Hotels' POS systems being hacked, and that a BitCoin exchange was raided, I'm not going to track those.
Also, would it help to include a table of contents at the beginning of the email? This would make the email message longer, but might make it easier to jump to the sections you are interested in. Send an email to mail@paulgdavis.com if you think it is a good idea.
So onto the news:
Distinguishing Threat Intelligence From Threat Data
Threat intelligence feeds have become a major component of many organizations' cybersecurity diet.
A wide variety of security vendors offer up an equally wide assortment of threat feeds of the latest malware payloads, malicious domains, websites, IP addresses, and host-based indicators of compromise (IoCs).
The Verizon report found that 70-90% of the malware used in breaches was unique to the organization that was infected.
Clearly, if a threat is only used once, faster signatures alone aren't going to solve the problem.
The heart of the issue is that we must begin to distinguish between intelligence and data.
Intelligence should make you better prepared to evaluate and solve new problems that you haven't encountered before.
Data, on the other hand, is akin to being given the answers to a test.
If the questions on the test are changed, then you are going to be in serious trouble.
The vast majority of information included in threat feeds falls into this latter category, where fine-grained indicators are mapped 1-for-1 to individual threats seen in the wild.
Even though the industry is tracking more and more indicators and delivering updates faster and faster, the approach suffers from the same challenges that have plagued signatures for years.
The attacker's first punch always lands, and the defenders are a step behind.
The good news is that the industry is making strides in these areas.
Data science and machine-learning models are delivering entirely new ways of looking at threats.
Instead of taking a 1-for-1 approach where each threat is mapped to a signature or IoC, data science models can analyze threats en masse to learn what they all have in common.
Once again, the gating factor is not so much getting the data, but making use of it once it arrives.
And this is the key issue with threat intelligence.
Outside data doesn't create intelligence from thin air, but rather fuels the intelligence engine that you have.
If you get the order of operations wrong, you can end up spending a lot of money with little additional value.
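The contrast the article draws between exact-match indicators and learned commonalities, as an added example that is not part of the original article or of any vendor's product. Everything here is constructed: the hashes, domains, registry keys and paths are made up, and the three "known sightings" stand in for what a feed or sandbox report would carry. The first approach looks a new sample up in a flat IoC set; the second generalises each sighting into attributes that survive recompilation (persistence key, drop directory, TLD, domain-label length and entropy) and keeps only what every known sample shares.

```python
import math
from collections import Counter

# Constructed sample "sightings" of three related malware samples seen at three
# organizations. None of these hashes, domains or paths are real.
KNOWN_SIGHTINGS = [
    {"sha256": "a1" * 32, "c2_domain": "xk3jq9vz2p.info",
     "persistence": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "dropped_path": "C:\\Users\\Public\\svchost32.exe"},
    {"sha256": "b2" * 32, "c2_domain": "q8lz4mx7wt.info",
     "persistence": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "dropped_path": "C:\\Users\\Public\\updater.exe"},
    {"sha256": "c3" * 32, "c2_domain": "m2v9hk5rpd.info",
     "persistence": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "dropped_path": "C:\\Users\\Public\\winhelp.exe"},
]

# A fourth, previously unseen build of the same family: new hash, new C2 domain.
NEW_SAMPLE = {"sha256": "d4" * 32, "c2_domain": "z7ypq3kw8n.info",
              "persistence": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
              "dropped_path": "C:\\Users\\Public\\svcupdate.exe"}

# A constructed benign installer, used to check the derived rule does not fire on it.
BENIGN_SAMPLE = {"sha256": "e5" * 32, "c2_domain": "updates.example.com",
                 "persistence": "",
                 "dropped_path": "C:\\Program Files\\Vendor\\app.exe"}


def ioc_feed(sightings):
    """The 'data' approach: a flat set of exact-match indicators."""
    feed = set()
    for s in sightings:
        feed.add(("sha256", s["sha256"]))
        feed.add(("domain", s["c2_domain"]))
    return feed


def match_iocs(sample, feed):
    """1-for-1 lookup: hits only if this exact hash or domain was seen before."""
    return (("sha256", sample["sha256"]) in feed
            or ("domain", sample["c2_domain"]) in feed)


def shannon_entropy(text):
    """Bits per character; random-looking DGA-style labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(sample):
    """Generalise a sighting into attributes that survive a recompile."""
    label, _, tld = sample["c2_domain"].rpartition(".")
    return {
        "persistence": sample["persistence"],
        "drop_dir": sample["dropped_path"].rsplit("\\", 1)[0],
        "c2_tld": tld,
        "c2_label_len": len(label),
        "c2_label_high_entropy": shannon_entropy(label) > 3.0,
    }


def derive_rule(sightings):
    """The 'intelligence' approach: keep only features shared by every known sample."""
    feature_sets = [set(extract_features(s).items()) for s in sightings]
    return dict(set.intersection(*feature_sets))


def match_rule(sample, rule):
    """True when the sample carries every feature in the derived rule."""
    feats = extract_features(sample)
    return all(feats.get(k) == v for k, v in rule.items())


if __name__ == "__main__":
    feed = ioc_feed(KNOWN_SIGHTINGS)
    rule = derive_rule(KNOWN_SIGHTINGS)
    print("IoC feed catches new build:", match_iocs(NEW_SAMPLE, feed))
    print("Derived rule catches new build:", match_rule(NEW_SAMPLE, rule))
    print("Derived rule fires on benign:", match_rule(BENIGN_SAMPLE, rule))
```

The derived rule is a hypothesis, not a verdict: three samples are enough to show the mechanism, but a rule generalised from so few sightings must be run against a benign baseline (the `BENIGN_SAMPLE` check is the smallest version of that) before it goes anywhere near blocking, otherwise the "intelligence" simply trades missed detections for false positives.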
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dca56877e8&e=20056c7556
Lack of Proactive Fraud Risk Management and In-House Investigative Capacity Poses Significant Risk to Corporations, Finds Protiviti and Utica College Study
MENLO PARK, Calif., Jan. 14, 2016 /PRNewswire/ — According to a new joint study issued by global consulting firm Protiviti and the Economic Crime and Justice Studies Department at Utica College, companies are not well-positioned to prevent corporate fraud nor conduct investigations, creating a significant potential liability to their executives and shareholder value.
These limitations, observed across the majority of respondents, also lessen the likelihood that those companies will receive full cooperation credit from the U.S. Department of Justice when seeking to negotiate a settlement stemming from a government investigation.
The survey also found that nearly half of the companies surveyed (48 percent) fail to conduct a formal fraud risk assessment on at least an annual basis and a troubling 27 percent have never implemented a formal fraud risk assessment.
Only a scant 6 percent of all respondents reported a high level of confidence in their organization’s vendor fraud and corruption risk oversight.
The 2016 White Collar Crime and Fraud Risk Study (www.protiviti.com/fraudsurvey) explores corporate crime and the fraud risk management practices used to combat that crime, based on a survey of more than 270 C-level executives, board members, audit directors and risk managers from a cross-section of industries.
“Good governance is mission critical, particularly as the demand from regulators and shareholders for more proactive fraud risk management programs intensifies and executives are held accountable,” said Scott Moritz, a Protiviti managing director and leader of the firm’s investigations and fraud risk management practice. “Despite the resource constraints that many organizations face, it’s essential, now more than ever, that they do away with the outdated reactive measures they have in place and embrace a proactive, preventative approach to fraud risk management.
We find that too many executives who have a ‘no fraud here’ mentality learn the hard way that their company has been a victim of white collar crime.”
While the majority of companies conduct ethics and fraud awareness training, fewer than half overall (46 percent) do so at the recommended frequency of at least once annually, and more than half of all organizations lack a fraud detection program (though the numbers are better for large companies).
Additionally, while most respondents indicated that their company has a telephone hotline, website or electronic mailbox for employees to report fraud, only 13 percent regularly conduct surprise audits.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c0d58494e0&e=20056c7556
The changing face of the security industry
While many organizationsâ executive-level security positions have historically been filled by those with law enforcement or military experience, there is a growing contingent of young security industry professionals who come from very diverse backgrounds and possess a wide variety of skill sets.
Some have even decided to make security a first career option and with the increasing number of courses and degree programs offered by universities in physical and cybersecurity, the industry and the opportunities presented to young professionals have gained more exposure than in years past.
Still others, who never imagined their career paths would lead them in a direction even remotely related to security, seem to fall into the industry by happenstance.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7fe7136128&e=20056c7556
Companies fear breaches more than ever: only 4% are cutting security spending
As security budgets remain stable or grow for almost all organizations, security managers reported significant obstacles in fully realizing the benefits of the Security Information and Event Management (SIEM) solutions because of lack of staff expertise (44.4%) and inadequate staffing (27.8%).
Some 56.9% of enterprises devote more than one professional to their SIEM implementation and monitoring.
Some 41% of respondents cited "hackers with malicious intent" as their top security concern over the past 90 days, followed by navigating compliance requirements (37%).
As a consequence, 23% of security managers noted that compliance requirements were a key driver in getting projects approved, second only to risk assessment, cited by 25% of respondents.
According to a RAND Corporation study, the cost of managing cyber-security is expected to increase 38% over the next 10 years to almost $100 billion as companies spend more on cybersecurity tools. Worldwide spending on cybersecurity has passed the $70-billion-a-year threshold and is growing 10% to 15% annually. Many chief information security officers believe hackers may gain the upper hand two to five years from now, requiring stronger and more innovative defenses.
CIOs are not entirely certain of all the methods malicious hackers use to infiltrate systems, and businesses do not want to disclose their safety measures.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=64d729bba9&e=20056c7556
Hackers promise sophistication, subterfuge, even sex, say experts
2016 is going to be an exceptional year for hackers, according to Israeli cyber-security experts.
From "standard" exploits like targeting bank accounts of individuals and businesses to more advanced attacks like hacking homes via smart-home networking technology, cyber-security firms can expect plenty of opportunity for growth in the coming year.
And cyber-security is even going to get sexy in the coming year, the experts said.
Among other social engineering exploits to gain access to valuable log-in information, "we'll see more attacks like the 'damsel in distress,' a targeted attack aimed at male IT workers that used fake social profiles of attractive females who were posing as new hires and requesting 'help.'"
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=79bf413cb6&e=20056c7556
Yet, according to a recent Forrester Research report on the state of network security, the largest portion of the security technology spending budget in 2015 was on network security with an expected increase to this budgetary category in the years to come.
"Looking ahead, 41% of decision-makers expect to increase spending on network security at least 5% from 2015 to 2016, with 9% of security decision-makers planning to increase network security spending more than 10%," the report said.
Too often Steven has seen companies very surprised to learn that they have many more attack surfaces than they expected. "If a legacy system encompasses the databases, server, and client, some people believe that they are only dealing with one untrusted connection to the browser."
The risk for that enterprise is in backups, disaster recovery, incident response and any other outsourced unedited, unencrypted, and unaudited connections.
Paula Musich, research director, NSS Labs said, "Historically, network security has been focused on ports and protocols, and it has relied on the ability to scan network traffic, typically at the perimeter of the enterprise network."
Application security encompasses web application firewalls, database security, email server security, browser security, and mobile application security, Musich continued. âYou could also include static and dynamic testing of application code, although that is more often done on custom enterprise applications before they are released to production,â she said.
Security is neither a network nor an application problem, it's a risk management problem.
The solution, said Ledingham, is prioritizing based on the sensitivity of data or applications in conjunction with understanding how high of a risk is actually present.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4fee6dae47&e=20056c7556
Cyber Crime Costs Projected To Reach $2 Trillion by 2019
"Crime wave" is an understatement when you consider the costs that businesses are suffering as a result of cyber crime. "Epidemic" is more like it.
IBM Corp.'s Chairman, CEO and President, Ginni Rometty, recently said that cyber crime may be the greatest threat to every company in the world.
From 2013 to 2015 the cyber crime costs quadrupled, and it looks like there will be another quadrupling from 2015 to 2019. Juniper Research recently predicted that the rapid digitization of consumers' lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015.
DF Labs, an incident and breach response firm based in Lombardy, Italy, provides a report that helps companies to customize and develop their own cost-per-breach formula.
Cyber crime is fueling the market for cybersecurity products and services, which is expected to grow from $75 billion in 2015 to $175 billion by 2020.
The cyberinsurance market is also getting a boost from cybercrime, and is projected to grow from $2.5 billion in 2015 to $7.5 billion by 2020.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=04a7251afc&e=20056c7556
5 biggest cybersecurity concerns facing CIOs, CISOs in 2016
Carl Leonard, a principal security analyst for Raytheon’s Websense cybersecurity software unit, offers insight into the most serious threats CIOs and CISOs are likely to grapple with this year
1. Hacks of mobile payments and other non-traditional payment systems.
2. From Heartbleed to heartache.
3. New top level domains pose phishing pitfalls.
4. Presidential elections are prime "hacktivism" time.
5. Cyber insurance better aligns with cybersecurity postures.
Given the threats outlined, cybersecurity defense appears to be, yet again, an exercise in Sisyphean boulder pushing.
But Leonard strikes an optimistic tone, noting that CIOs can shore up their assets by building a team of trusted advisors, including internal and external partners.
These teams will share the labor for monitoring technology developments and introducing new technologies, as well as the practices of cyber criminals, and evolving legislation.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7dd0552783&e=20056c7556
The Disconnect Between Zero-Day Exploits and Security Audits and Penetration Tests
The complexity of the threats we face combined with the complexity of the typical network environment all but guarantees there is just no way to uncover all possible vulnerabilities and attack vectors related to advanced malware.
Furthermore, the inherent nature of zero-day exploits makes those vulnerabilities unknown to begin with.
It's hard to protect against something that hasn't yet happened.
You most certainly need to keep performing your traditional security testing, but you also have to combine it with proven security controls that are layered across the enterprise.
This often includes cloud access security broker technologies controlling data going out to the cloud and advanced malware protection at the network perimeter, as well as modern malware protection, adequate software patching and even data loss prevention at the endpoints.
If anything, ongoing security testing can serve to create a false sense of security: you think everything is OK when it's actually not.
There is no best way to combat this threat.
It's all of these security controls working in unison across the enterprise with the proper oversight that can truly protect the organization from zero-day exploits.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a80bcbe717&e=20056c7556
FDA proposes cybersecurity guidance for medical devices
(Reuters) – The U.S. Food and Drug Administration on Friday issued draft guidelines to medical device makers on how to protect patients from cybersecurity vulnerabilities in their devices.
“Cybersecurity threats to medical devices are a growing concern,” the agency said in a statement. “The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices.”
The guidance covers how companies should monitor devices once they have been cleared for marketing.
The agency previously issued guidance for companies still in the development stage to help inform design choices.
The proposed guidance will be open for public comment for 90 days, after which the FDA will issue final guidance.
The agency is holding a public cybersecurity workshop at its headquarters in Silver Spring, Maryland on Jan. 20-21.
The workshop will focus on “unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=91a8cce096&e=20056c7556
The Right Questions: What CIOs should be asking in the event of a security breach
Cyber security has a heavy technical element associated with it, as attackers are constantly looking to take advantage of application and operating system vulnerabilities to execute their payload.
Because of this there is a temptation, when faced with board-level responsibility for information security, to focus on these complex technical elements that underpin the attacks.
Indeed many vendors will spend large amounts of time educating CIOs on technical concepts such as “log normalisation”, “dynamic analysis” and even “the kill-chain”.
My advice to all CIOs is to focus on the technology as required.
Of course a background in the subject is very helpful when dealing with security analysts and incident responders.
But the CIO's first questions should be to the board and senior management.
Which information assets are valuable to the organisation?
Is technology a fundamental part of the business, enabling the company to communicate with suppliers and customers?
How important is the company's reputation, and does it need to be protected?
1) How did the attack / malware / breach occur?
2) What did they do?
3) How do we get back to business as usual?
4) How do we make sure this never happens again?
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f78838c8af&e=20056c7556
Colorado Springs Hopes to Be a National Cybersecurity Hub With New Center
Colorado Gov. John Hickenlooper announced that the National Cyber Intelligence Center in Colorado Springs will be housed in a former manufacturing plant near the University of Colorado at Colorado Springs campus.
The center will help businesses, nonprofits and government agencies combat and recover from cyberattacks, help public officials and bureaucrats learn more about cybersecurity and conduct research into cybersecurity threats.
Next steps.
A leadership team of about 15 executives from industry, nonprofits, government agencies and higher education assembled by the Colorado Technology Association and governor’s office will determine structure of the center, when it will open, who will operate it and other details.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d9deef88e9&e=20056c7556
Knowledge of four state-level agencies requesting metadata access could damage state-federal relations: AGD
The Australian Attorney-General’s Department has said that releasing the names of four departments requesting access to metadata stored by telecommunications companies could harm the relationship between the agencies and the Commonwealth.
Initially filed in November, the FOI request originally asked for correspondence from organisations seeking to gain access to stored telecommunications metadata.
The department denied this request on practical grounds, stating that 2,661 pages spread across 288 documents were related to such a request, and that 45 third parties needed to be consulted before the information could be released.
No data-breach notification laws are in place, despite the start of the metadata retention regime, and the earliest that Australia will now have a working data-breach notification scheme is set to be sometime in 2017, after the AGD has released its exposure draft of amendments to the Privacy Act.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=57d47176ae&e=20056c7556
800 risk experts from 40 countries identify the top global business risks
While businesses are less concerned about the impact of traditional industrial risks such as natural catastrophes or fire, they are increasingly worried about the impact of other disruptive events, fierce competition in their markets and cyber incidents.
These are the key findings of a survey on corporate risks by Allianz Global Corporate & Specialty (AGCS), which surveyed over 800 risk managers and insurance experts from more than 40 countries.
Business and Supply Chain Interruption (BI) remains the top risk for businesses globally for the fourth year in succession.
However, many companies are concerned that BI losses, which usually result from property damage, will increasingly be driven by cyber-attacks, technical failure or geo-political instability as new "non-physical damage" causes of disruption.
In the U.S., BI was cited by 39% of respondents as the top business risk, followed by Natural Catastrophes (33%) and Cyber (32%).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=02a65dd0d7&e=20056c7556
Program Languages That Generate Most Software Security Bugs
The three languages that generate the most software security bugs are ColdFusion, PHP, and Classic ASP.
These languages fared worst in Veracode's analysis as well as in OWASP tests, revealing that they carry the most security bugs of all the languages studied.
With more than 70% of content management done using systems like Drupal, Joomla, and WordPress, all of which are PHP-based, the report should open the eyes of companies using such content management systems and scripting languages.
Over the last 18 months, Veracode has studied more than 50,000 applications in popular languages like PHP, Classic ASP, .NET, C and C++, Java, JavaScript, iOS, Android, Ruby, ColdFusion, and COBOL.
The report generated from this analysis reveals troubling findings for some languages.
For instance, 86% of applications written in PHP showed at least one XSS vulnerability.
Moreover, 56% of those showed at least one SQL injection bug.
The SQL injection results are even more worrying for Classic ASP and ColdFusion users: 64% of the applications written in these two languages also revealed at least one SQL injection bug.
Similar findings from OWASP test results show that ColdFusion, PHP, and Classic ASP, in that order, are the worst languages when it comes to software security.
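The two bug classes the report counts, SQL injection and XSS, as an added example that is not part of the report or of any of the applications it studied. The mechanics are language-independent, so the vulnerable and hardened forms are shown here in Python against an in-memory SQLite table rather than in PHP; the table contents and the attack strings are constructed for the example. The first pair builds a query by string formatting versus binding a parameter; the second pair reflects stored data into HTML raw versus escaped.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table; no real users or credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users (name, bio) VALUES (?, ?)", [
        ("alice", "likes <b>bold</b> text"),
        ("bob", "plain bio"),
    ])
    return conn


def find_user_vulnerable(conn, name):
    """String-built query: attacker-controlled `name` is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY id" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Parameterised query: `name` is bound as a value, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_bio_vulnerable(bio):
    """Stored XSS: database content lands in the page unescaped."""
    return "<p>%s</p>" % bio


def render_bio_safe(bio):
    """Output encoding for an HTML text context; quote=True also covers attributes."""
    return "<p>%s</p>" % html.escape(bio, quote=True)


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"                       # constructed SQLi string
    print("vulnerable:", find_user_vulnerable(conn, payload))   # every user
    print("safe:      ", find_user_safe(conn, payload))         # nobody
    xss = "<script>alert(1)</script>"              # constructed XSS string
    print(render_bio_vulnerable(xss))
    print(render_bio_safe(xss))
```

The parameterised form is the fix for injection; escaping on output is the fix for XSS, and the escaping has to match the context (HTML body here; attribute, URL and JavaScript contexts each need their own encoder). A static analyser of the kind the report describes flags the first function of each pair because untrusted input reaches a sink (the query text, the response body) without passing through the binding or encoding step.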
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3ad757fd21&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=358d8c5a3b)
** Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)