[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
Sorry for delay, Cisco Live was all consuming.
* How to spot insider security threats using this one weird trick …
* Market expansion adds to cybersecurity talent shortage
* How to pick a mobile-focused fraud management vendor
* FDIC found hiding multiple APT attack and more from investigators
* Asean urged to unite vs cybercrime spooking banks
* ICO advises organisations to establish internal breach reporting procedures to prepare for GDPR
* Retailers Fight Back to Push for Chip-And-PIN Transactions
* HHS Issues New Ransomware Guidelines For Healthcare Sector
* How to Use Marketing to Regain Public Trust After a Data Breach
* To truly understand security, the business should consider a new CEO or CTO
* BAE Systems partners with SWIFT to bolster hacker intel
How to spot insider security threats using this one weird trick …
“You can tell a disgruntled employee because they’ll refer to the company as ‘they’, not ‘we’.
They’ll say ‘they do this’, not ‘we do this’,” he said.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3376fe727c&e=20056c7556
Market expansion adds to cybersecurity talent shortage
“The landscape of cyber risks is so widespread and evolving that forward-thinking (public) companies are seeking a new leader – a chief risk officer (CRO) – who will oversee all areas of risk exposure: IT risk, physical security, personnel security and protection of assets – including intellectual and reputational capital, stated Jeremy King, founder at Benchmark Executive Search.
The chief risk officer will be the most in-demand position over the next five years – a single leader who can create a culture of security, map organizational structures and set budgets.”
Looking at the market expansion and job figures, what’s the takeaway.
Simply put, the cybersecurity labor shortage is going to get worse before it gets better, and employers need to prepare.
Managed security providers and IT security outsourcing firms are challenged around recruiting as their businesses scale, and many regulated corporations can not hand off their security management so easily.
Wait, we forgot about college grads — cyber’s new market entrants.
Surely they will help make a big dent in the labor shortfall – no.
Not so fast.
Students are graduating from the top 10 U.S. computer science programs without taking a single course on cybersecurity.
There’s a large influx of tech grads, but they are not necessarily cyber grads.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=03a8744283&e=20056c7556
How to pick a mobile-focused fraud management vendor
Retailers need to collect mobile-specific data in order to accurately identify mobile fraud, a Forrester Research report says.
Forrester recommends vendors use a risk scoring module on their management software that collects data on user behavior, sensor and location, and weighs that information to make a decision.
For example, an account accessed via a desktop and a smartphone from different locations may or may not be fraudulent, and a transaction should not be rejected automatically for that difference.
A consumer could be accessing the account on a work computer and then at home on her smartphone, or a consumer’s child could be using her account while the student is at college.
And a consumer who typically logs in from an Android device and then suddenly logs in from an iPhone may or may not be fraudulent.
It’s important for a vendor to accurately weigh how likely each scenario is to be fraudulent before denying account access or a sale, Cser says.
Forrester also recommends fraud detection vendors use an SDK, or a software development kit, that it can embed into mobile apps.
This will help the vendor collect mobile device data from consumers and improve risk scoring, Cser says in the report.
Because of all these different fraud methods, Forrester recommends retailers and vendors track and report fraud patterns that do occur in order to quickly identify fraudulent behavior in the future.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4da563feb1&e=20056c7556
FDIC found hiding multiple APT attack and more from investigators
A new congressional investigative report found that the FDIC covered up approximately 11 cybersecurity incidents, including multiple APT attacks by hackers believed to be linked to the Chinese government.
According to the committee report, the FDIC suffered approximately eight major breaches — defined as the loss of more than 10,000 records — by former employees who stole portable drives containing personal data on more than 300,000 individuals or entities.
At least one of these breaches was referenced in the FISMA report but the FDIC did not notify Congress on any of them, and at least one of the stolen drives was never recovered.
The committee also found a 2013 memo from then-FDIC Inspector General Jon Rymer to FDIC Chairman Martin Gruenberg informing him of a cybersecurity incident in October 2010 in which an FDIC employee’s desktop computer was compromised by an advanced persistent threat (APT).
The committee report also suggested that “inconsistency in leadership” may have hurt the FDIC’s security posture because the agency had a number of acting CIOs and only one permanent CIO in the time before current CIO Lawrence Gross took over in November 2015.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d8a834ee00&e=20056c7556
Asean urged to unite vs cybercrime spooking banks
In a speech last Thursday, Tetangco noted of the closer regional economic integration’s advantages to the banking industry.
For one, “transforming 10 Asean jurisdictions into a single market consolidates the strength of a growing region that saves more than the rest of the world and has the vast potential of a young population,” the BSP chief said.
Tetangco said, however, there were possible downside risks to this integration.
He said information held by banks have become hot commodities.
As such, the industry should address challenges to keep them safe, he added.
He said banks should embrace the advantages provided by fintech, but “we still have to be wary of the cyber-security issues that arise, such as the increasing trend of phishing and identity theft cases.”
Under the Asean integration, qualified Asian banks (QABs) under the Asean Banking Integration Framework will “effectively extend the reach of one jurisdiction by having ‘outposts’ outside its national borders but still within Asean,” Tetangco said.
QABs are Asean-headquartered banks and majority owned by Asean nationals that may operate in another Asean country.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5768265921&e=20056c7556
ICO advises organisations to establish internal breach reporting procedures to prepare for GDPR
The Information Commissioner’s Office (ICO) has advised organisations to set up internal security breach reporting procedures, supported by comprehensive training, as part of preparations for the General Data Protection Directive (GDPR) due to come into effect in 2018.
The recommendation is made in an ICO Breach notification advisory, which has been updated to take account of the new rules.
Organisations will need to start preparing now to be compliant from day one, and many organisations, particularly larger ones, are expected to appoint data protection officers.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=00d5af160c&e=20056c7556
Retailers Fight Back to Push for Chip-And-PIN Transactions
Home Depot, the Atlanta-based home improvement retailer, filed a federal lawsuit this month accusing Visa and MasterCard, two credit card issuers, of hindering the retailer’s efforts to boost the security of the new chip cards.
In their lawsuit, the company claims that the card issuers are not giving retailers the option to offer more secure transactions where consumers have to use their PIN, a four digit code instead of a basic signature.
Allowing the use of a PIN increases security and would lower the transaction fee being charged to the retailers by the issuers.
In the lawsuit, Home Depot alleges that “while chip-and-PIN authentication is proven to be more secure, it is less profitable for Visa, MasterCard, and their member banks and it provides a greater threat to their market dominance.”
These lawsuits have occurred, because retailers are “incredibly frustrated because they’re spending a ton of money and still not getting the safest, best solution,” said Matt Schulz, senior industry analyst at CreditCards.com, an Austin, Texas-based credit card comparison website.
The likelihood that more retailers will file lawsuits is high.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=367df91ff0&e=20056c7556
HHS Issues New Ransomware Guidelines For Healthcare Sector
This new guideline by the US Health and Human Services Office for Civil Rights should provide additional information on how this malware works.
More importantly, it will also help institutions understand how they can spot a threat, and ensure no [significant] damage is done.
Training hospital staffers to spot a malware threat sounds great on paper, but it’s hard to achieve in real life.
Most of the people working at a hospital are already overworked, and the last thing they need is more things on their plate.
Limiting user access to account records is another option worth exploring, but it might create friction.
If not everyone can access the document correctly, waiting for someone to come by with file access will only slow operations down.
“Implementing a data backup plan is a Security Rule requirement for HIPAA covered entities and business associates as part of maintaining an overall contingency plan.
Additional activities that must be included as part of an entity’s contingency plan include: disaster recovery planning, emergency operations planning, analyzing the criticality of applications and data to ensure all necessary applications and data are accounted for, and periodic testing of contingency plans to ensure organizational readiness to execute such plans and provide confidence they will be effective.”
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6deb2f7f68&e=20056c7556
How to Use Marketing to Regain Public Trust After a Data Breach
The biggest lesson to learn from LinkedIn’s approach to this breach is that, despite this not being a new issue, they have continued to show their dedication to both the security and trust of their users, as well as a commitment to treating this breach seriously, and with great transparency.
In their blog post originally published the day after the recent release of user information, LinkedIn detailed what they knew about the situation, what they were doing to fix the issue, and provided links to more information about making sure your data and accounts are safe.
Though this would have been enough, they went a step beyond and continued to update this post as they worked through their process, and eventually addressed the Zuckerberg situation as well.
The largest hurdle you have to face after a large data breach is also the most important regaining public trust.
Probably the biggest example of this comes from Target, and the massive data breach it found itself on the receiving end of in late 2013.
This breach affected anyone who shopped at Target between November 27 and December 15, 2013, up to 70 million people, and potentially compromised a wide range of personal information including credit and debit card information, as well as names, mailing and email addresses, and phone numbers.
Following this attack, Target definitely took steps to restore its credibility, including offering a year of free credit monitoring to customers affected, a more aggressive rollout of chip-enabled card technology in stores, and a one-day 10 percent storewide discount.
However, in comparison to other companies that have undergone similar breaches, their response was still lacking in one major aspect a personal, human touch.
Outside of trust, you also need to find ways to earn the business of your customers back, as well.
With the wealth of options available to consumers because of the internet, being trustworthy is not always enough, you also need to be competitive.
This can’t simply be a one-time sale, or coupon, either.
This may bring in customers in the short term, but they are also likely to see it as a weak distraction, which reflects even more poorly on you.
Instead, consider implementing something like a rewards or loyalty program that will have more lasting benefits.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=528a7993ed&e=20056c7556
To truly understand security, the business should consider a new CEO or CTO
CISOs may be seeing mixed results when trying to teach company executives about the nuances of information security, but one business expert believes outcomes can be significantly improved by appointing a C-level executive focused specifically on issues of trust.
The appointment of a chief trust officer (CTO) or chief ethics officer (CEO), Accenture Security APAC managing director Jean-Marie Abe-Ghanem told CSO Australia, is emerging in some companies as a way of removing the perceptions of security as a technological solution.
“Businesses need to get that trust feedback from customers, and to succeed they must take at least one product and evaluate it at every step to see how they are dealing with trust or ethics around the data,” she explained.
A chief trust or ethics officer would be tasked with building principle-based codes of conduct to reinforce those perceptions, with involvement from security specialists to ensure those controls are implemented as enforceable policies.
Her voice is one of a growing chorus of security experts pushing for new approaches to solving a risk equation that has gained numerous additional variables in recent years.
Approaching the problem with fresh eyes, from new angles, is seen as a key part of an effort that must also include a bottom-up reconciliation of business and technology activities to identify and isolate ongoing security issues.
These must then be rephrased using business concepts that isolate executives from the confusing language of information-security enforcement.
Accenture is already conducting early proofs-of-concept with clients in Australia to see whether a more context-based approach to security can improve both internal compliance and the external perceptions of products and services designed to handle consumer data.
This approach also benefits CISOs, who can work with trust and ethics officers to build out a jointly adopted, broader story to sell to the business executive – which will be particularly helpful as mooted new breach-notification laws push those executives to consider their security exposures. “The C-suite understands more and more of the subject,” Abe-Ghanem said, “and when you talk about digital trust to a C-suite, they get it.
It steers the conversation away from technologies and pen testing and technie talk, and provides an easier conversation than security on its own.
They key is to always, at every step of the customer journey, to consider whether trust is being enhanced or eroded.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5ac5fc049d&e=20056c7556
BAE Systems partners with SWIFT to bolster hacker intel
BAE Systems has been recruited to help SWIFT’s newly formed Customer Service Intelligence team in a bid to get ahead of cyber-criminals targeting banks connected to the global financial messaging service.
The announcement follows the analysis and identification of malware that BAE Systems’ threat intelligence team was able to link to an attack on Bangladesh Bank in February 2016.
Hackers stole $81m from an account held in New York by Bangladesh’s central bank after lifting the financial institutions authorisation codes.
Malware analysis by both BAE Systems and Symantec linked the crooks behind the Bangladesh account raid to the hackers who ransacked Sony Pictures Entertainment’s systems back in 2014.
SWIFT (Society for Worldwide Interbank Financial Telecom) recently announced it would consider suspending banks with weaker cyber defences until they improve their security.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=471d81040c&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forwarded this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage1.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=4847e8837e)
Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)