[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
So I'm going to be working on a table of contents for the top, so look out for that. In the meantime, I made a minor tweak over the weekend to make it easier on the eyes. I hope you like it.
So onto the news:
Push for cyber crime alliance [India]
Silchar, Jan. 29: At a time when the number of cyber crime incidents is on the rise, there is the need for a binding agreement among all countries to combat such activities, according to globally recognised defence and cyber security analyst Subimal Bhattacharjee.
Delivering a lecture on Cyber Crime and its Security here today, Bhattacharjee said the rapid rise in cyber crime incidents has necessitated the need for an immediate agreement among all countries. “Cyber crime is not limited to a particular country.
One can hack a Facebook profile or an email account in Argentina by sitting in India.
However, the hacker can spoof his identity and show the hacking was done from China.
In order to address this, we need a consensus among all countries and an international body to monitor such activities,” he added.
The lecture was organised by the All Cachar Karimganj Hailakandi Students’ Association.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bd0c057222&e=20056c7556
How Incident Response Fails In Industrial Control System Networks
Worries of eventual cyberattacks on utilities as well as chemical and other industrial sites have intensified in the wake of the recent attacks that led to a power blackout in western Ukraine.
But the key element in mitigating the damage from a cyberattack — an incident response plan — is something that many industrial sites just don’t have in place.
Conventional incident response procedures don’t neatly map to the ICS/SCADA environment, either, according to Chris Sistrunk, senior ICS security consultant for Mandiant/FireEye.
Industrial sites under NERC/CIP (North American Electric Reliability Corporation’s Critical Infrastructure Protection) and Chemical Facility Anti-Terrorism Standards (CFATS) regulations have IR plans, he notes, but there are still many other ICS/SCADA organizations that do not fall under those regs and lack IR plans, including some in the water, manufacturing, and oil & gas industries.
Uptime and availability — think electricity and other disruption-averse services — are king in the ICS/SCADA space, as is physical (life and limb) security.
He advocates network monitoring here, using NetFlow or packet capture, for example.
If industrial networks aren’t monitoring for the latest threats, they may not know for sure whether they’ve been hit by a BlackEnergy or Havex malware attack, for example.
Ralph Langner, founder of Langner Communications and a renowned Stuxnet expert, says many industrial firms don’t have a firm grasp on their network and system environment.
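To make the monitoring advice above concrete, here is an added example (not code from the article, Mandiant/FireEye or Langner Communications) of the simplest useful thing a plant can do with flow records: learn which hosts talk to which controllers during a known-good window, then alert on deviations that matter on a control network. The record format, the 10.10.x.x plant addressing, the port-to-protocol table and every flow line are constructed for illustration; a real deployment would read exports from a flow collector instead.

```python
"""Baseline-then-alert over NetFlow-style records from a control network.

Added example; not code from the article or from any vendor it quotes.
The record format, host addresses and flow lines below are constructed.
"""
from typing import Dict, List, Set, Tuple

# Well-known ICS protocol ports treated as sensitive destinations.
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Assumption for this example: the plant's internal address space.
INTERNAL_PREFIXES = ("10.10.",)

FlowKey = Tuple[str, str, int]  # (src, dst, dport)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one constructed record: '<ts> <src> <dst> <dport> <proto> <bytes>'."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def build_baseline(lines: List[str]) -> Set[FlowKey]:
    """Record every (src, dst, dport) triple seen during a known-good window."""
    return {(f["src"], f["dst"], f["dport"]) for f in map(parse_flow, lines)}


def detect(lines: List[str], baseline: Set[FlowKey]) -> List[Tuple[str, Dict[str, object]]]:
    """Flag flows that deviate from the baseline in ways that matter on an ICS network.

    new-ics-talker: a host reaching a PLC/RTU protocol port it never used before
    (a compromised workstation or a laptop plugged into the control segment).
    new-external-destination: an internal host connecting to a never-seen outside
    address, which is how Havex/BlackEnergy-style implants beacon to their C2.
    """
    alerts = []
    for f in map(parse_flow, lines):
        key: FlowKey = (f["src"], f["dst"], f["dport"])
        if key in baseline:
            continue
        if f["dport"] in ICS_PORTS:
            alerts.append(("new-ics-talker", f))
        elif is_internal(f["src"]) and not is_internal(f["dst"]):
            alerts.append(("new-external-destination", f))
    return alerts


# Constructed known-good window: HMI 10.10.1.20 polls two PLCs over Modbus,
# SCADA server 10.10.1.21 polls an RTU over DNP3 and syncs time with an
# external NTP server; the HMI also resolves names via the site DNS server.
BASELINE_FLOWS = [
    "2016-01-25T08:00:01 10.10.1.20 10.10.2.5 502 tcp 1200",
    "2016-01-25T08:00:07 10.10.1.20 10.10.2.6 502 tcp 980",
    "2016-01-25T08:01:12 10.10.1.21 10.10.2.5 20000 tcp 640",
    "2016-01-25T08:02:30 10.10.1.20 10.10.0.2 53 udp 80",
    "2016-01-25T08:03:15 10.10.1.21 198.51.100.10 123 udp 76",
]

# Constructed live traffic: two routine flows, one unknown host hitting a PLC's
# Modbus port, and the SCADA server reaching a never-seen address on 443.
LIVE_FLOWS = [
    "2016-01-26T02:14:09 10.10.1.20 10.10.2.5 502 tcp 1100",
    "2016-01-26T02:15:43 10.10.1.77 10.10.2.5 502 tcp 300",
    "2016-01-26T02:16:02 10.10.1.21 203.0.113.45 443 tcp 5600",
    "2016-01-26T02:16:30 10.10.1.21 198.51.100.10 123 udp 76",
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for kind, flow in detect(LIVE_FLOWS, baseline):
        print(f"{flow['ts']} {kind}: {flow['src']} -> {flow['dst']}:{flow['dport']}")
```

Two caveats a practitioner would want: a baseline learned while the network is already compromised bakes the attacker's traffic into "normal", so the learned set should be reviewed against the plant's documented connections before it is trusted; and flow records carry no payload, so they cannot tell a Modbus read from a write. That is where packet capture on the control segment earns its place alongside NetFlow.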
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=983d167299&e=20056c7556
Feds say ‘Oops!’ in anti-hacking deal
An update to an international accord potentially opens everyone to attacks, something the US government didn’t figure out until after it was signed.
Earlier this month, Damballa helped Norwegian law enforcement identify a hacker who was taking control of computers remotely and using them to access online accounts where gamers store characters and resources that can be sold for real money outside of a game.
Sitting in Damballa’s office in the US, researcher Loucif Kharouni accessed the malicious software used by the hacker as it sat on a Norwegian server.
After Kharouni figured out who authored the software, the hacker, whom the company declined to name, was arrested in Norway.
Both the US and Norway are participants in the Wassenaar Arrangement, so under the new rules, Damballa would need to get permission in the form of an export license from the Commerce Department’s Bureau of Industry and Security (BIS) to conduct this kind of research.
There’s no fee for the application, but it currently takes an average of more than 21 days for the bureau to process an application.
Critics say the government should just scrap the updated rules and instead spend its time investigating hackers and bad companies.
Still, Rep. Jim Langevin (D-RI), who co-signed a letter with Rep. Michael McCaul (R-Texas) lambasting the Wassenaar Arrangement, said in an interview he didn’t see how the US could abide by the deal.
His solution is to go back to the drawing board in Wassenaar, Netherlands, where the idea originated.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fcff8918c8&e=20056c7556
United Airlines breached by hackers with ties to China
(Bloomberg) – The hackers who stole data on tens of millions of U.S. insurance holders and government employees in recent months breached another big target at around the same time: United Airlines.
The previously unreported United breach raises the possibility that the hackers now have data on the movements of millions of Americans, adding airlines to a growing list of strategic U.S. industries and institutions that have been compromised.
Among the cache of data stolen from United are manifests, which include information on flights’ passengers, origins and destinations, according to one person familiar with the carrier’s investigation.
That data could be cross-referenced with stolen medical and financial records, revealing possible avenues for blackmailing or recruiting people who have security clearances.
In all, the China-backed team has hacked at least 10 companies and organizations, which include other travel providers and health insurers, says security firm FireEye.
Besides passenger lists and other flight-related data, the hackers may also have taken information related to United’s mergers and acquisitions strategy, one of the people familiar with the investigation said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a27a4c62cc&e=20056c7556
Could an Open-Source Approach Make Cars Hacker-Proof?
Prior to the recent advent of in-car connectivity, software has been used for years to control engines and transmissions, and automakers typically have relied on third-party suppliers that use proprietary software to control or monitor these components.
One solution being proposed is to move to an open-source approach to automotive software.
Ironically, a few months before the VW scandal broke, the EPA opposed measures that could have helped expose code like the “defeat device” software the automaker allegedly used.
The agency believed that allowing access to the software in vehicles would potentially allow car owners to alter it so that more emissions would be produced.
While organizations like the Linux Foundation, through its Automotive Grade Linux platform and GENIVI, have pushed for an open-source approach to in-car infotainment, the same principles could be applied to vehicle code at large to help prevent hacking.
And given the rapid pace of self-driving technology and the lines of code that will be required (100 million or more for a modern vehicle, compared to 60 million in all of Facebook or 50 million in the Large Hadron Collider), perhaps it’s time for automotive software to become more transparent and therefore more tamper-proof.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=69a464675d&e=20056c7556
HSBC online banking taken down in denial-of-service attack
HSBC’s online services were taken down today following a distributed denial-of-service (DDoS) attack that, it claims, it has successfully fought off.
The attack has left HSBC customers unable to conduct online business, with the bank advising customers to call its contact centre or to go into a branch instead.
HSBC claims that no personal details have been compromised – assuming that the attack was not a cover for anything more malicious.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=91b67071fb&e=20056c7556
Email Phishing Attacks Estimated To Cost $1.6M Per Incident
Email-based spear phishing attacks cost companies an estimated $1.6 million per incident, according to a recent study by security company Cloudmark.
Spear phishing attacks are also on the rise, reports the Anti-Phishing Working Group (APWG), which released an Internet security report in December illustrating how both consumer-facing phishing attacks and business-targeted spear phishing attacks steadily increased over 2015.
Luckily, the marketplace to combat spear phishing is accelerating in tandem with cybercrime, with enterprise software developer Fujitsu recently presenting new technology that detects email attacks in real time at the Symposium on Cryptography and Information Security in 2015.
Powered by artificial intelligence, the product sends real-time alerts for any email or behavioral anomalies that might correlate to an email attack.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=079316edec&e=20056c7556
http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cf87a8d57f&e=20056c7556
Attaching a device via USB to a company computer can increase the effectiveness of a cyber attack; it’s just a case of getting into the office to do it.
According to Peter Connolly, chief executive of Toro Risk Solutions, a gang can bribe a cleaner to do just that for as little as £80 ($116).
In 2013, Barclays lost £1.3 million ($1.8 million) in a hacking attack after an insider fitted a device that allowed a gang to access accounts.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0e3188e424&e=20056c7556
Namibia is top target for cyber-crooks
Namibia was the country most targeted by cybercriminals during December 2015, after being second-most attacked in November.
Check Point Software Technologies reveals that seven African countries appeared among the top 20 most-attacked nations (out of 142).
These include Malawi (6), Cameroon (8), Tunisia (11), Mauritius (12), Botswana (13) and Nigeria (17).
Kenya appears at number 44 while South Africa dropped from 63rd position in November to 67th in December.
Check Point also reveals that the risk of an organisation being infected by malware increased by 17% in December, while the number of active malware families increased by 25%.
As with previous months, Conficker remained the most prevalent malware type, accounting for 25% of all known attacks during the period, significantly higher than second-placed Sality, which accounted for 9% of attacks.
Conficker, and the third-placed Necurs variant, focus on disabling security services to create more vulnerabilities in the network, enabling them to be compromised further and used for launching DDoS and spam attacks.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1371bdca28&e=20056c7556
New Series ‘Truth and Power’ Explores The Intrigue Of Online Life
Incumbent cable channel Pivot launched in 2013 with the express goal of connecting with millennials through good, old fashioned, pay TV.
Episode two explores malware and premieres on Pivot tonight at 10 p.m. ET, while episode three, which explores the origins of private companies selling spyware to regimes, airs next Friday.
We spoke to Knappenberger about the show and the need to have a serious conversation about cryptography and encryption without fear-mongering.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5bfd14abff&e=20056c7556
In era of data breaches, businesses need strong document policies
A great resource for business owners is ARMA International, a non-profit professional association and authority on managing records and information.
ARMA developed and published principles to foster general awareness of information governance standards.
You can learn more about ARMA’s “Generally Accepted Recordkeeping Principles,” which detail how to properly retain information as organizations are creating and storing more information than ever before, mostly in electronic form.
In addition to document retention, the shredding of documents containing sensitive employee and customer information has become a high priority because of identity theft, data breaches and stolen trade secrets and client information.
Mark’s most important: Identity theft and data breach can bring a business down.
Review and update your document retention and destruction policy each year and communicate your policy to employees and customers.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4a15ec5542&e=20056c7556
U.S. Utilities Examine Their Insurance Protection After Ukraine Grid Cyber Attack
Security experts, insurance brokers, insurers and attorneys representing utilities told Reuters that the Ukraine attack has exposed long-standing ambiguity over which costs would be covered by insurance in various cyber attack scenarios.
“It’s getting a little competitive just to get a carrier quoting your policy,” said Lynda Bennett, an attorney with Lowenstein Sandler, who helps businesses negotiate insurance.
Some insurers have cut back on cyber coverage in response to the increase in the number and types of breaches, she added.
American International Group Inc., for example, will only write cyber policies over $5 million for a power utility after an in-depth review of its technology, including the supervisory control and data acquisition (SCADA) systems that remotely control grid operations.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ca8d986495&e=20056c7556
Security: Time Indian Firms Start Looking From Insurance Prism
As more enterprises adopt digital technologies, one of the consequences is that more of the data that they have becomes vulnerable to security breaches and attacks.
But is the answer to protecting against such breaches and attacks limited to only bolstering the security infrastructure?
Perhaps not.
Even in India, surveys indicate that enterprises are warming up to the idea of a cyber-insurance.
According to a survey, 72 percent of the companies in India are willing to consider a cyber-insurance policy if a suitable product at a proper price is available.
As awareness and understanding increase, it’s just a matter of time before suitable products are available at the right price points.
If the financial services firms can come up with structured financial products like mortgage-backed securities and derivatives based on those, surely coming up with an insurance product to cover the risk against a possible data breach should be a walk in the park for these firms.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7de05067db&e=20056c7556
Cloud security culture a building block for today’s businesses
As organizations today move more data to the cloud, it’s important to cultivate a cloud security culture and enlist a CISO, a new report shows.
“If you hire the wrong information security leader, they can put security above all else and work can grind to a halt,” said Lillie, CIO at Equinix Inc., a Redwood City, Calif., provider of data center space. “They can become the productivity prevention unit, the PPU.”
Security is at the forefront at Equinix, which operates 145 data centers on five continents, Lillie said.
But in an “innovate or die” business climate, so is helping business users move the company forward — and for Equinix and many other organizations today, that means giving them access to the power, capacity and flexibility of cloud computing.
Cloud innovation thrives, Lillie said, if security is folded into everything the company does.
According to a new report by nonprofit Cloud Security Alliance and cloud security vendor Skyhigh Networks, a “culture of security,” often with support from a chief information security officer, or CISO, is needed to ensure a company has vision and vigilance in equal measure.
Lillie has a multilayered approach for cultivating a security culture.
Part of it involves a “fleet of tools” — cloud access security brokers, software that protects cloud services; identity management tools; mobile device management; and laptop system protection, to name a few.
But just as important as technology is bringing on security team leaders who can communicate the value of crafting and executing a security strategy, and can build relationships across the teams they’re going to work with — from applications to infrastructure to business departments.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a99dff8fb0&e=20056c7556
Data Security in the Financial Industry: Five Key Developments to Keep An Eye on in 2016
According to a 2015 report on threats to the financial services sector, 41% of financial services organizations polled had experienced a data breach or failed a compliance audit in the previous year, and 57% listed preventing a data breach as their top IT priority.
Reflecting the ever-increasing awareness of threats to financial data security, 2015 also saw a number of regulatory enforcement actions and legislative efforts directed at financial institutions.
Below we outline some of the most significant developments of the past year.
1) SEC Enforcement Action
2) New York Department of Financial Services Cybersecurity Regulatory Framework Proposal
3) FINRA Report on Cybersecurity Practices
4) New European Union Data Privacy and Security Regulations
5) EMV Credit Card Payment Standard
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4b2fe01cfe&e=20056c7556
An interactive graphical history of large data breaches
Built with IIB’s forthcoming VIZsweet data visualization tools, the World’s Biggest Data Breaches visualization combines data from DataBreaches.net, IdTheftCentre, and press reports to create a timeline of breaches that involved the loss of 30,000 or more records (click the image below to go to the interactive version).
What’s particularly interesting is that while breaches were caused by accidental publishing, configuration errors, inside jobs, lost or stolen computers, lost or stolen media, or just good old poor security, the majority of events, and the largest, were due to hacking.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8f309c2aeb&e=20056c7556
Differently Than the U.S.
How much control do you have over how companies collect and use your information?
And what mechanisms are in place to protect your data against misuse?
If you are in the United States or Europe, the answers vary, which has led to tensions between officials and disputes with companies.
In the United States, a variety of laws apply to specific sectors, like health and credit.
In the European Union, data protection is considered a fundamental right, which can have far-reaching consequences in all 28 member states.
All the talk about data privacy can get caught up in political wrangling.
But the different approaches have practical consequences for people, too.
[The article shows the different data protections for the following scenarios:]
That One Bad Night
Surprise. Your Bank Has Been Hacked
All Those Clicks Add Up
My Child Has Fallen for Video Games
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cd5535535d&e=20056c7556
ENISA Threat Landscape 2015, a must reading
ENISA has issued the annual ENISA Threat Landscape 2015, a document that synthesizes the emerging trends in cyber security.
The experts at ENISA analyzed the top 15 cyber-threats, identifying the threat trends, trends of threat agents and trends for emerging technologies. The report also includes, for each cyber-threat, a list of mitigation controls.
Malware remains the principal cyber-threat in 2015; both the number of instances detected and the level of sophistication have increased, although mobile malware may not have reached expected levels of growth.
Web based attacks and web application attacks are in second and third place; no change has been observed with respect to the previous report.
Web based attacks include malicious URLs, compromised domains, browser exploits and drive-by attacks.
“Spam is in a declining trend since some years now, its importance in the malicious arsenal remained at least almost equal: new methods of ‘weaponization’ of this threat make it a serious threat. During the reporting period we have assessed that spam is an effective means for malware distribution. Ca. 6% of overall spam volume included malicious attachments or links,” states the ENISA Threat Landscape 2015 report.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=64aa82deca&e=20056c7556
Most large organizations will have a Chief Data Officer by 2019
The race to drive competitive advantage and improved efficiency through better use of information assets is leading to a sharp rise in the number of chief data officers (CDOs).
As a result, Gartner predicts that 90 percent of large companies will have a CDO role by the end of 2019.
CDOs will face a number of challenges, to the extent that only 50 percent will be successful by the end of 2019.
One challenge is that the role will be new in most organizations and most new CDOs will be learning on the job.
They will have the difficult task of creating an information strategy with relevant metrics that tie the activities of their team to measurable business outcomes.
Many CDOs already report high levels of change resistance, particularly from the IT department, over the control of information assets and their governance.
Successful CDOs, however, are doing a great job of working with the CIO to lead change and overcome resistance.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b581ff1ac7&e=20056c7556
Kroll Bond Rating Agency Releases Research Note: Cyber Insurance – Behind the Numbers
NEW YORK–(BUSINESS WIRE)–Kroll Bond Rating Agency (KBRA) released a research note outlining its views on the inconsistencies of public disclosures in describing the market for cyber insurance.
The note also touches on key factors for insurers to ponder if they are considering entry into this line of business.
In the cyber insurance market, KBRA has observed heightened demand for coverage, which is challenging for insurers due to the lack of clarity regarding exposure data.
KBRA expects to see improved data metrics due to regulatory requirements from NAIC, additional information requests from rating agencies, and new product vendor applications.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d95a28815b&e=20056c7556
Software-defined networking tutorial to improve security
In this software-defined networking tutorial, we examine SDN’s unique vulnerabilities and experts weigh in with advice about protecting your clients against attacks.
In this IT security tutorial, we examine IT security associated with SDN technology, which separates a network’s control plane from the data plane, enabling administrators to manage traffic and program network devices from a centralized control console.
Brad Medairy, senior vice president and executive at Booz Allen Hamilton’s Strategic Innovation Group, which serves clients across the defense, commercial and civil markets, said information needs to be prioritized under an SDN infrastructure.
Channel partners and their customers must keep in mind that the most important information in the enterprise must be protected.
For example, financial data, personally identifiable information and protected health information should be maintained and stored in a compliant manner that adheres to government and industry regulations.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=709cc89daf&e=20056c7556
More CISOs looking to recruit cyber-security trainers than leaders, analysts, engineers or pen testers
The headlines from the Harvey Nash/PGI 2016 Cybersecurity survey are not unexpected: “Half of all boards lack real understanding of cyberthreat” [one might say the same of supposed cyber-security “professionals” with their obsessions over technology rather than strategy].
I was not therefore surprised to see that half of all respondents (CISOs) were looking for security architects.
I was, however, surprised to see that more (42%) are looking for those to run in-house training and awareness programmes than for leaders (39%) or analysts (34%).
Barely 21% were looking for pen testers, but 78% had outsourced this, so that finding should not be surprising.
But only 13% had outsourced training (lower than for anything other than incident management or security strategy).
Given that outsourcing decisions were claimed to be based on getting guaranteed access to subject matter expertise or a lack of in-house skills, this implies a serious lack of awareness of the shortage of those competent to organise security training and awareness programmes.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=82f0883fe4&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage2.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=db0b168a66)
** Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)