[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions
So I’m going to be working on a table of contents for the top, so look out for that. In the meantime,
So onto the news:
Combating state-sponsored cyber attacks
Government enterprises in the UAE can combat state-sponsored cyber-attacks that target sensitive information in various ways, said an industry expert.
Here is a more detailed look at what government agencies should do to keep nation-state attackers at bay.
– Decrypt and Inspect SSL Traffic
– Fortify Web Applications against Attacks
– Use Virtual Private Networks (VPNs) to Secure Data
– Monitor and Audit Access to Sensitive Data
– Train Employees on Security Best Practices
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4e44058fd3&e=20056c7556
Australian business is “low hanging fruit” for cybercrime.
According to Deloitte’s Australian-based cyber expert James Nunn-Price and former FBI cyber expert Mary Galligan, now with Deloitte, it’s a whole new ballgame.
She was concerned that there were no mandatory reporting laws and few companies report issues like ransomware to the Australian Federal Police.
Her strong message is: don’t pay, strengthen your defences, and let someone else be the weak kid on the block.
Access control was another major issue, especially in relation to the bring your own device (BYOD) movement, which may save companies money in capital expenditure but can open up major security holes.
For example, use of the same password for a BYOD device and a corporate log-in was a major security issue.
Galligan spoke on the main issues in cyber security.
Nunn-Price spoke about Deloitte’s global Cyber Intelligence Centre and how it had become a combined effort across more than 20 such centres to stay ahead of trends.
Of course, the bigger you are (and that probably describes Deloitte’s client list) the more risk you have and the more you stand to lose.
He was concerned that Australia was one of, if not the, main target in the Asia Pacific region as it was “catching up with the rest of the world.” Cybercrime knows no geographical boundaries, such as those that have protected Australia in the past.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d2f4ac6537&e=20056c7556
Professor Hay earns $500,000 data security contract
The Defense Advanced Research Projects Agency (DARPA) has awarded Assistant Professor of Computer Science Michael Hay nearly $500,000 to participate in Project Brandeis, a new program that challenges researchers from across the country to develop systems that facilitate data analysis while preserving privacy.
Hay’s research is part of a $2.8 million team effort led by scientists at UMASS Amherst.
In the months ahead, the team will attempt to build systems that achieve what cryptographers have defined as differential privacy: query results that are statistically true but not precise enough to allow hackers to link real people with otherwise anonymous data points.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=60e29be779&e=20056c7556
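The differential-privacy guarantee described above can be made concrete. The Python below is an added example, not code from the newsletter or from Project Brandeis: it releases a count through the Laplace mechanism and measures how little any released value reveals about whether one person’s record (a constructed “Alice”) was in the dataset.

```python
import math

# Constructed sample dataset: one record per person, True = has the sensitive
# attribute. The only query the analyst may ask is "how many people have it?".
RECORDS_WITH_ALICE = [True, False, True, True, False, True, False, True]
# Neighbouring database: identical except Alice's (last) record is removed.
RECORDS_WITHOUT_ALICE = RECORDS_WITH_ALICE[:-1]

# Adding or removing one person changes a count by at most 1.
SENSITIVITY = 1.0


def laplace_noise(epsilon, u, sensitivity=SENSITIVITY):
    """Inverse-CDF sample from Laplace(0, b) with scale b = sensitivity / epsilon.

    `u` is a uniform draw in (0, 1). Passing it in explicitly (instead of
    calling a random generator here) keeps the function deterministic so the
    mechanism can be checked exactly; a real deployment would draw `u` from a
    cryptographically secure source.
    """
    b = sensitivity / epsilon
    v = u - 0.5
    return -b * math.copysign(1.0, v) * math.log(1.0 - 2.0 * abs(v))


def private_count(records, epsilon, u):
    """Laplace mechanism: the true count plus noise calibrated to epsilon."""
    return sum(records) + laplace_noise(epsilon, u)


def laplace_pdf(x, center, b):
    """Density of Laplace(center, b) at x."""
    return math.exp(-abs(x - center) / b) / (2.0 * b)


def privacy_loss(output, records_a, records_b, epsilon):
    """Log-likelihood ratio that `output` came from A rather than B.

    Differential privacy promises |privacy_loss| <= epsilon for every possible
    output, so no released value lets an observer decide with confidence
    whether Alice's record was present.
    """
    b = SENSITIVITY / epsilon
    p_a = laplace_pdf(output, sum(records_a), b)
    p_b = laplace_pdf(output, sum(records_b), b)
    return math.log(p_a / p_b)


def max_privacy_loss(records_a, records_b, epsilon, lo=-10.0, hi=20.0, steps=3001):
    """Scan a grid of candidate outputs and return the largest |privacy loss|."""
    worst = 0.0
    for i in range(steps):
        x = lo + (hi - lo) * i / (steps - 1)
        worst = max(worst, abs(privacy_loss(x, records_a, records_b, epsilon)))
    return worst


if __name__ == "__main__":
    eps = 0.5
    print("true count with Alice:   ", sum(RECORDS_WITH_ALICE))
    print("released count (u=0.75): ", round(private_count(RECORDS_WITH_ALICE, eps, 0.75), 3))
    print("worst-case privacy loss: ", round(max_privacy_loss(
        RECORDS_WITH_ALICE, RECORDS_WITHOUT_ALICE, eps), 6), "<= epsilon =", eps)
```

Lowering epsilon widens the noise and shrinks the worst-case loss, at the cost of a less precise count; that trade-off is the one the Brandeis teams must tune.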
New Govt. Bill To End Secrecy On Big Data Breaches
Many Australian companies are failing to report ransomware – which locks users out of their computers until they pay a fee – and instead perpetuate the practice by coughing up the cash, according to financial services firm Deloitte.
CERT Australia, the national computer emergency response team and a partner agency in the Canberra-based Australian Cyber Security Centre, says it responded to 11,733 cybercrime incidents in 2014-15.
However failure to report cybercrime and data breaches may soon no longer be an option for the bigger companies and agencies in Australia, with Federal Parliament due to debate a government bill in coming months that – if passed – would make notifications compulsory for companies with an annual turnover of more than $3 million.
The draft Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 will also apply to any company currently subject to the Privacy Act.
Small businesses at this stage are exempt.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=83dd8d434e&e=20056c7556
Almost one-half of UK firms still unaware of their obligations under the new EU data protection laws
Organisations should be under no illusion.
The EU General Data Protection Regulation (GDPR), which will come into force in 2018, represents a major change in the way that personal data must be managed for any company that does business in or with the EU.
They will need to make sure they are able to delete all of a consumer’s personal data quickly and completely from their systems on request.
There will also be mandatory reporting of serious data breaches and organisations will be expected to know what data might have been affected – within 24 hours if possible.
And those firms found to be in breach of the regulation face hefty fines – up to four per cent of global turnover.
Just over half said they were aware of the GDPR but only 20 per cent were well prepared.
A further 26 per cent said they have just started preparing for the regulation.
However, a total of 44 per cent were unaware or only vaguely aware of the new rules.
This is in keeping with a recent survey by US consultancy TRUSTe across the US and Europe, which found that half of the companies were still oblivious to the changes.
A quarter of those polled said they will need to invest in new infrastructure or software to comply with the new rules, especially in areas such as security, data governance and identity and access management.
A further 53 per cent said they were unsure whether such investment will be necessary or not.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d72dec8fbd&e=20056c7556
Top 4 Compliance Mistakes and How to Prevent Them
What issues can creep up when it comes to industry compliance, and how can enterprises work to solve these problems?
Here are four top compliance mistakes companies make.
1. Not Fully Understanding Industry Guidelines
2. Ineffectively Evaluating Third-Party IT Service Providers
3. Placing Too Low a Priority on Physical Security
4. Failing to Review Compliance and Protection Processes
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a78fd3ee42&e=20056c7556
5 reasons you need to hire a Chief Privacy Officer
Businesses are increasingly relying on data, but they’re overlooking another key aspect of data: privacy.
In order to keep up with the growing regulations surrounding data privacy, it may be time to hire a Chief Privacy Officer.
A study by cloud-based data protection provider Druva on the “State of Data Privacy in 2015” asked 214 people worldwide at companies with 100 to 5,000 employees how they are tackling data privacy.
Of those surveyed, 81 percent reported their business had government privacy compliance and regulation requirements to meet.
However, 93 percent of companies reported that they found it difficult to ensure data privacy and 71 percent reported challenges with keeping up with regulations and compliance around privacy.
Here are five reasons, according to Freji, why you should seriously consider hiring a CPO in the coming year.
1. Changing business landscape
2. Europe’s General Data Protection Regulation
3. Mandated CPO
4. Rising number of high-profile breaches
5. Avoid a PR nightmare
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0da749af0e&e=20056c7556
Insurance innovation to battle cyber threats
JWK Solicitors has announced the launch of its “Cyber Risk Insurance” service, designed to protect businesses against the growing threat of a cyber-attack.
Government figures also suggest that of the 52 per cent of businesses who believe they have existing cover against a cyber breach, less than 10 per cent actually do.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=597c5e4132&e=20056c7556
The Cybersecurity Talent You Seek May Be In-House
Casey O’Brien, executive director and principal investigator with The National CyberWatch Center, says security managers should tap the talents of network administrators, system administrators, and programmers because they have strong foundational skills in their specialty areas.
The goal of all security programs should be to have that group of experts, like Navy Seals, who can create the playbook, who understand the threat and can put in place the necessary procedures and tools to defend their organizations, says Adam Vincent, CEO of ThreatConnect, developer of a comprehensive threat intelligence platform used in security operation centers globally.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=538f546552&e=20056c7556
Five rules to conduct a successful cybersecurity RFP
Last week was sadly remarkable for the cybersecurity industry: former New York City mayor Rudy Giuliani compared cybersecurity to cancer, while famous security expert and journalist Brian Krebs pointed to serious problems at Norse Corporation, a prominent cybersecurity startup recently backed by KPMG VC investment of $11.4 million.
Last year, many friends of mine – security professionals and managers within different organizations – complained about their disappointments with RFPs for purchasing various cybersecurity products or services.
An open and transparent bid is probably one of the most efficient ways to get the best price/quality ratio available on the open market.
However, the invisible hand may not always work properly for the cybersecurity market due to its complexity and dynamically changing environment.
Nevertheless, a cybersecurity RFP can be successful if we take into consideration a few simple rules:
– Make sure that the RFP is aligned with your corporate risk management strategy
– Be precise and detailed in every requirement
– Request technical demonstration and testing in your own environment
– Price shall not outshine the expertise and experience
– Don’t forget about the Service Level Agreement (SLA)
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ae5a3bb88a&e=20056c7556
The majority of cyber attackers are motivated by money, but make less than $15,000 per successful attack, according to a survey of hackers in the U.S., U.K. and Germany released yesterday by the Ponemon Institute.
The average attacker conducts eight attacks per year, only 42 percent of which are successful.
In addition, only 59 percent of the successful attacks result in any financial payout.
Attackers also spend an average of 70 hours per attack going up against “typical” IT security infrastructure, 147 hours battling “excellent” IT security infrastructure, and give up completely after 209 hours.
The majority of attackers have increased their use of hacker tools by 18 percent, and 64 percent say that the tools are “highly effective.”
On average, attackers spend $1,367 a year on these tools.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9a9df51c33&e=20056c7556
Seven security cultures that can help or hurt your organization
Culture of Reporting
Cultures of reporting could be a security silver bullet.
If everyone who identified a security problem reported it, and if the organization investigated and addressed every reported problem, security could change overnight.
Unfortunately, this is expensive.
Such cultures tend to exist only in places where lawsuits and losses from whistleblowing have shown fixing problems, even when costly, is inevitably cheaper than ignoring them.
Awareness Culture – Informed, engaged people are always valuable, in security or anywhere else.
Evidence-based (Security) Management – Evidence-based cultures collect empirical and historical data, analyze them, and make decisions based on the results, even if the results are unexpected or undesirable.
FUD-Driven – FUD-driven cultures are the opposite of evidence-based cultures.
Cult(ure) of Technology – When organizations worship it as the single best security strategy, things go awry.
Checkbox Culture – Compliance is not security.
Checkbox cultures are taking heat in the wake of big breaches, where the victims looked good on paper but not on the ground.
Culture of Arrogance – If a culture of reporting could dramatically improve security, there’s nothing like arrogance to ensure that every objective will be twice as far off, every success is twice as difficult, every failure is twice as painful.
If you see your organization in any of these seven types, consider what it means for your security strategy over the coming year.
Will your culture help you?
Or does it presage another 12 months of struggle, frustration, and maybe even an incident putting the organization in an increasingly common and unwelcome spotlight?
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c8c042b7ac&e=20056c7556
Does attribution matter to security leaders?
I know I’ve been on both sides of the issue.
Sometimes the value of a concept — in this case, attribution — is lost in the debate.
Then I met Levi Gundert (LinkedIn, Twitter), VP of Information Security Strategy, from Recorded Future. Levi’s career as an information security professional includes unique operational and leadership experience in government (U.S. Secret Service), threat intelligence providers (Team Cymru and Recorded Future), and multi-vertical Fortune 500 enterprises (IBM, Cisco Systems, Union Bank, and Fidelity Investments).
Our discussion revealed when and how attribution matters. It starts by getting the definition right. You pointed out that the definition of attribution matters. What does a security leader need to consider when it comes to attribution?
The definition is critical. Attribution is often misunderstood to mean the identification of an individual or group with an associated real name, address, and other personally identifiable information. In contrast, within a business context, attribution is obtaining general intelligence to address the “who” and “why” of nefarious activity.
Expand on “motivation informs methodology.” How does this help a security leader?
General attribution informs senior business leaders’ critical decisions, especially during an incident.
Beyond crisis moments, security leaders need to effectively communicate general attribution information to help executives and the board meet the daily challenges of information security program resource allocation.
How important is context?
It’s essential. We’ve been discussing the value of attribution during and after an attack, but it’s also a critical proactive exercise to understand adversaries before they impact the business.
This is one facet of threat intelligence, which is the act of formulating an analysis based on the identification, collection, and enrichment of relevant information.
Does the board care about attribution? Should they?
The board does care about attribution. They want the full story, which includes “who” and “why.” Lacking attribution leaves stakeholders with doubts.
What does a security leader need to do to get this? What can someone do today to start building the capability – and boost the value of their leadership?
Obviously the first step is defining the goals and objectives for attribution along with repeatable metrics.
It’s the TTP identifications that help peer teams within information security.
This type of proactive identification complements a risk/audit framework approach because threat actors and their temporal behaviors accelerate the learning cycle.
Instead of waiting for the next version of ISO 27001 or the NIST Cyber Security Framework (CSF) to be released, companies can still map their progress to the framework while also making incremental improvements, especially in the “prevention” and “detection” framework phases, based on near real-time attacker attribution.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=53563ef8b4&e=20056c7556
The Future of Security: Isolation
With the latest advances in virtualization technology, the notion of isolation for security control holds tremendous promise.
Isolation through virtualization has the wonderful property of being able to effectively block all malware attacks without the need to understand the attack, detect the attack, or recognize the signature of the attack.
Isolation through virtualization is much like the “air-gapped network”: the offending malware cannot traverse from one isolation zone to another.
Isolation technology makes the most sense in two places: on the client web browser, where 80 percent of the malware is getting into the enterprise; and on the servers in the data center, where the valuable stuff resides.
On the end point, the basic idea is that by using advanced virtualization, we can execute the code of a web page in some type of disposable virtual container.
The challenge to this approach has been to deploy the isolation in a manner that does not interfere with end user devices or behavior.
In the data center, the problem is reversed.
Advanced virtualization technologies are used to insert security controls, such as always-on encryption, seamlessly in between the application/data and the underlying infrastructure.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=19e90d4293&e=20056c7556
Inside the new Microsoft Azure security features
The idea of the Microsoft Azure Container Service is to offer a service that leverages Microsoft’s partnerships with Docker and Mesosphere in order to make delivering a production-ready container cluster simple and manageable in the cloud.
It combines open source Mesosphere cluster management – for Apache Mesos and the Mesosphere Data Center Operating System – with Docker’s containerization technology.
The Microsoft Azure Security Center is designed to grant cloud administrators a more detailed and manageable view of the security of their Azure resources.
Importantly, Azure Security Center will integrate with major security providers such as Check Point, F5 Networks and Cisco.
Its main focus will be on security monitoring, policy management and threat detection across an enterprise’s Azure environment.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=628d868777&e=20056c7556
Deconstructing the emergency incident response process
Providers of professional IR services can quickly bring the additional resources and the expertise that companies often need to handle a rapidly unfolding threat.
But there’s a lot you need to do to get the best out of these services, and that begins with a clear understanding of how the emergency incident response process works and what to expect when you hire an IR provider to handle an ongoing crisis.
Four tips for getting the most out of your IR provider:
– Have a plan
It’s important to have a security incident response plan, exercise it regularly, and have all your partners selected before you actually need any of it, says Christopher Pierson, CSO and general counsel at Viewpost.
– Know what to ask
Make sure you know what questions to ask before selecting an IR provider, says Sanjeev Sah, director of security and CSO at Texas Children’s Hospital.
– Be proactive
Don’t wait for an incident to start looking for a third-party IR provider.
Instead, hire an IR provider and place them on retainer for when needed.
– Be prepared
Make sure you have the information your IR provider needs in order to respond to a developing situation.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=190e1a6b11&e=20056c7556
One-Quarter Of Organizations Do Not Encrypt Sensitive Data
Research by AIIM revealed 26 percent of organizations have suffered customer data loss or exposure over the past year, but 25 percent do not encrypt sensitive data.
AIIM’s report “Data Privacy – Living by New Rules” states that as a consequence of lost customer or employee data, 10 percent of affected organizations faced fines or regulatory actions, 25 percent experienced a disruption to business, and 18 percent suffered a loss of customer trust.
In addition, 38 percent of the organizations polled reported being highly dependent on sensitive personal data, while 33 percent have some sensitive client data, and 20 percent have just basic HR content.
As previous studies have found, internal threats can be more dangerous than external ones when it comes to data breaches, and the AIIM study found that 47 percent of organizations polled reported a data breach, exposure, or incident in the past year as a result of staff intent (19 percent) or staff negligence (28 percent), while just 13 percent experienced an external hack.
Of those polled, 68 percent want governments to encourage stronger, tamper-proof encryption; the survey shows 62 percent do not encrypt email addresses and 25 percent do not encrypt credit card data, while 64 percent claim to encrypt all personally identifiable information (PII) and 75 percent encrypt all sensitive personal data.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4bdca0a2ae&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com
If you know someone else who would be interested in this Newsalert, please forward this email.