[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* How Private Is Your Public Cloud? Stacking Up Google, Microsoft And AWS Data Privacy
* U.S. says transfer of internet governance will go ahead on Oct. 1
* Two-Day Cyber Terrorism & Cyber Attack Course – Panama, – September 22-23, 2016 – Research and Markets
* It takes 25 minutes for a successful phishing attempt
* Banks step up defence against cyber attacks
* Payment fraud jumps 13 per cent to $469 million
* Expert says human firewall best defence against costly ransomware cyber attacks
* FS-ISAC Chief Addresses Information Sharing at Virtual Cybersecurity Conference
* Security Training at Most Companies is Woefully Lacking
* Key takeaways from Data Protection Commissioner Annual Report
* Okta research says slow tech upgrades put companies at risk
* Endpoint Advanced Protection: The State of the Endpoint Security Union
* Why a security team embraces shadow IT
* CryptXXX Technical Deep Dive
* At iHT2-Seattle, One CISO Offers a Comprehensive View of the Current IT Security Risk Environment
* 4 Questions the Board Must Ask Its CISO
How Private Is Your Public Cloud? Stacking Up Google, Microsoft And AWS Data Privacy
2016 has brought concerns over data privacy to an all-time high, driven in large part by a drawn-out debate early in the year between Apple and the FBI over an encrypted iPhone, new regulations brought forth in Europe, and lingering concerns about the National Security Agency and government access to personal information exposed by Edward Snowden.
“Without question, it’s the No. 1 concern with moving to the cloud,” said JD Sherry, vice president of cloud security at Denver-based solution provider Optiv Security.
Customer concerns about privacy and security are getting easier to overcome with education, but “not fast enough,” he said.
Those concerns extend all the way up to the largest of enterprise customers, according to Charles Radi, vice president and principal cloud architect at Cloud Technology Partners, a Boston-based cloud solution provider serving the enterprise market.
Driving a lot of that concern is confusion, said Vic Winkler, independent security consultant and author of “Securing The Cloud.”
Suggs said data usage, control and privacy together make up one of the four pillars on which Microsoft has built its cloud strategy, along with data security, compliance and transparency.
Those pillars extend from the design of the company’s systems, the processes in place, encryption technologies, an audit process and a culture that “respects that customer-generated content is the customers’ content and not our right to use without our customers’ consent.”
Amazon Web Services did not make an executive available to be interviewed for this story.
The issue of privacy plays out primarily in the privacy policies and Terms of Service agreements customers have with cloud providers, said Marc Goodman, global security adviser, futurist and author of “Future Crimes.” Those Terms of Service vary greatly from provider to provider, he said, particularly if a business is using a free service versus a paid version.
Paid versions of cloud solutions by Google, Microsoft, Amazon Web Services and other big companies tend to make it “very clear” that the user owns the data, not the cloud provider.
That is not true for free cloud services, such as Google’s Gmail and Google Drive, he said.
As a solution provider, Falcon said it is his job to give customers the best information and recommendations possible to help them make decisions around data privacy.
That includes assessing business requirements, information access, policies, regulatory requirements, ongoing monitoring and management, and more, he said.
Privacy tensions between the public and private sectors, in particular, were front and center this year, starting with a very public fight between Apple and the FBI over the privacy of an encrypted iPhone used by a terrorist involved in the San Bernardino shooting last year.
The FBI ultimately hacked into the iPhone rather than continuing to pursue legal options to compel Apple to unlock the device.
Those concerns are very real, with Microsoft reporting it has received 5,624 federal warrants in the past 18 months, 2,576 coming with gag orders.
In its most recent Transparency Report, Google said it received 12,523 requests for data from July to December 2015 in the U.S., producing the data in 79 percent of cases.
Amazon said it received 813 subpoenas, 25 search warrants, 13 court orders and between zero and 249 national security requests for data between January and May 31, 2015.
Providing user education and training are also key roles partners have to play, author Goodman said.
That will prove especially important in turning concern and awareness into action, he said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c1865a8bc5&e=20056c7556
U.S. says transfer of internet governance will go ahead on Oct. 1
Last week, ICANN said Public Technical Identifiers, a nonprofit public benefit corporation, had been incorporated in California, to eventually run the IANA functions under contract from ICANN, after the transition was complete.
The courts can still pause the transition in September or unwind it after the contract expires, said Berin Szóka, president of TechFreedom, in a statement.
He raised the possibility that private parties could sue if Congress doesn’t.
The groups, which are opposed to rushing the transition, have said that key issues about the transfer are “not expected to be fully resolved until summer 2017.”
Under ICANN’s transition proposal, governments will continue to have an advisory role through the Governmental Advisory Committee (GAC).
There is nothing that increases the role of governments over the DNS or ICANN as an organization, and the ICANN bylaws retain the prohibition on government officials serving as voting board members, NTIA said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c56980793d&e=20056c7556
Two-Day Cyber Terrorism & Cyber Attack Course – Panama, – September 22-23, 2016 – Research and Markets
Research and Markets has announced the addition of the “Cyber Terrorism & Cyber Attack ” conference to their offering.
This training will give delegates a solid understanding of the systemic issues of cyber-attack: its motivations, attack methodologies and defences, and the impact of cyber-attack.
It will cover the tools, technologies, policies and methodologies needed to understand cybersecurity, intelligence and countermeasures, and their roles in addressing the direct threats posed by cyber-attacks.
Videos, demonstrations, case studies and interactive working-group exercises will be used during the training to ensure delegates learn fundamental concepts in a dynamic learning environment.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=09bee6a6bb&e=20056c7556
It takes 25 minutes for a successful phishing attempt
The news comes from Duo Security, a cloud-based trusted access provider.
Last month, it launched Duo Insight, a free phishing simulation tool, which has since then been used by 400 companies.
A total of 11,542 users received a fake phishing email, and the results say that almost a third (31 per cent) of organisations are at risk of a data breach.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0cdcefaafc&e=20056c7556
Banks step up defence against cyber attacks
Banks, including HDFC Bank, ICICI Bank and SBI, have been beefing up their IT systems.
Also, these banks have one of the better IT systems in the country.
Some banks have been roping in cyber experts not just to analyse attacks but to prevent them by upgrading their systems, experts said.
The Reserve Bank of India (RBI) in June put out a cyber security guideline for banks.
Under these guidelines, banks will have to not only find and fix problems but also report back to the RBI in case of a breach.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f2185f3fd5&e=20056c7556
Payment fraud jumps 13 per cent to $469 million
Industry body the Australian Payments Clearing Association found that 0.025 per cent of all local cheque and card transactions were fraudulent in 2015.
Though a tiny percentage, when applied to $1.92 trillion in total transactions it amounted to $469 million in illegitimate sales.
Australian merchants processed $136 million of those transactions last year, while international merchants processed $226 million – an increase of 13 per cent, according to APCA.
More traditional counterfeit and skimming fraud dropped 10 per cent in Australia, which APCA chief executive Andy White said was partly due to the roll-out of chip technology.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=371aea9cdc&e=20056c7556
Expert says human firewall best defence against costly ransomware cyber attacks
So explains Michael Benadiba, president of MBC Managed IT Services, which has established a solid reputation in the Greater Toronto Area for implementing systems to ward off these malicious business-crippling computer viruses.
“The solution is not a technical one,” says Benadiba.
It is the simple and time-honoured strategy of training the human element that will best ward it off.
Vine says Multiview often incorporates such training in its quarterly annual all-staff meetings.
Benadiba assists in this training.
His methods include on-site information sessions.
He also sends out trick emails from unknown addresses to clients’ employees, tempting them to open.
Whoever clicks gets a surprise – a message from Benadiba alerting them to the fact that they must be more vigilant.
He can also see who the unsuspecting culprit was and advise the company, if necessary.
Benadiba explains that even if you are diligent and back up your files every hour, if it takes you two hours to realize you have been attacked, the system will have written over all your readable documents with encrypted files.
So, you might also want to back up daily and monthly.
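The backup point above is easy to get wrong in practice, so here is an added example (written for this newsletter, not code from MBC or the article) that simulates it: an hourly backup that overwrites its single slot keeps nothing usable once ransomware has been encrypting for longer than the rotation window, while a grandfather-father-son policy that also keeps daily and monthly restore points still has a clean copy. The dates, the 09:00 encryption start and the snapshot contents are constructed for the demonstration.

```python
"""Added example (not from the article): why an hourly backup that overwrites
its single slot loses every clean copy once ransomware has been encrypting
for longer than the rotation window, and how a grandfather-father-son (GFS)
policy that also keeps daily and monthly restore points does not.
All dates and snapshot contents are constructed for the demonstration."""
from datetime import datetime, timedelta


def take_snapshots(start, end, every, encrypted_since):
    """Simulate backups taken every `every` from `start` to `end` (inclusive).
    A snapshot made at or after `encrypted_since` copies only the encrypted
    files the ransomware has already written, so it is useless for recovery."""
    snaps, t = [], start
    while t <= end:
        snaps.append({"time": t, "clean": t < encrypted_since})
        t += every
    return snaps


def retain_ring(snaps, slots):
    """Fixed-slot rotation: only the newest `slots` snapshots survive; every
    older one has been overwritten."""
    return sorted(snaps, key=lambda s: s["time"])[-slots:]


def retain_gfs(snaps, hourly=24, daily=7, monthly=3):
    """Grandfather-father-son retention: keep the newest `hourly` snapshots,
    the last snapshot of each of the most recent `daily` calendar days and
    the last snapshot of each of the most recent `monthly` calendar months."""
    ordered = sorted(snaps, key=lambda s: s["time"])
    keep = {s["time"] for s in ordered[-hourly:]}
    last_per_day, last_per_month = {}, {}
    for s in ordered:  # ordered ascending, so later entries win
        last_per_day[s["time"].date()] = s["time"]
        last_per_month[(s["time"].year, s["time"].month)] = s["time"]
    keep.update(last_per_day[d] for d in sorted(last_per_day)[-daily:])
    keep.update(last_per_month[m] for m in sorted(last_per_month)[-monthly:])
    return [s for s in ordered if s["time"] in keep]


def latest_clean(snaps):
    """Newest retained restore point that predates the encryption, as an ISO
    string, or None when every retained snapshot is already encrypted."""
    clean = [s["time"] for s in snaps if s["clean"]]
    return max(clean).isoformat() if clean else None


def scenario(hours_until_noticed):
    """Hourly backups since 1 June; ransomware starts encrypting at 09:00 on
    30 August and is noticed `hours_until_noticed` hours later. Returns the
    newest clean restore point under each retention policy."""
    start = datetime(2016, 6, 1, 0, 0)
    encrypted_since = datetime(2016, 8, 30, 9, 0)
    noticed = encrypted_since + timedelta(hours=hours_until_noticed)
    snaps = take_snapshots(start, noticed, timedelta(hours=1), encrypted_since)
    return {
        "hourly_single_slot": latest_clean(retain_ring(snaps, slots=1)),
        "gfs": latest_clean(retain_gfs(snaps)),
    }


if __name__ == "__main__":
    for delay in (2, 36):
        print(f"noticed after {delay:2d}h:", scenario(delay))
```

With the attack noticed two hours in, the single-slot hourly backup has no clean copy while the GFS set still has the 08:00 snapshot; noticed 36 hours in, the whole hourly tier is encrypted and it is the daily tier (23:00 on 29 August) that saves the day.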
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=df6d869ce7&e=20056c7556
FS-ISAC Chief Addresses Information Sharing at Virtual Cybersecurity Conference
Bill Nelson, president/CEO of the Financial Services Information Sharing and Analysis Center, offered a taste of his keynote presentation, scheduled for CU Times’ virtual cybersecurity conference Sept. 7.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d4480bace7&e=20056c7556
Security Training at Most Companies is Woefully Lacking
Tara Seals
Human error and lack of internal security awareness are the biggest sources for data breaches and risk to organizations.
Yet 78% of SMBs conduct security training just once a year (or less).
According to Shred-it’s 2016 Security Tracker survey (conducted by Ipsos), US companies are failing to prioritize employee training to mitigate fraud and breaches.
It’s not just a small business problem either: Half (51%) C-suite respondents report they only conduct employee training for information security practices once a year or less as well.
More than a quarter (28%) report they have never trained employees on legal compliance requirements or company information security procedures.
And 22% only conduct training on an ad-hoc basis.
Given that experts suggest employees can forget 90% of training information within a week, training once a year is a wildly insufficient practice for effective security awareness.
Shred-It suggests a multipronged strategy:
1. Commit to a Culture of Security
2. Repetition and Frequency is Key
3. Out of Sight, Out of Mind
4. Go Where your Employees Are
5. Embed it
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4a05241ae2&e=20056c7556
Key takeaways from Data Protection Commissioner Annual Report [Ireland]
The Data Protection Commissioner of Ireland (“DPC”) published her annual report for 2015 on 21 June, 2016.
This is the second annual report of Helen Dixon and her first report after a full year as DPC.
The Annual Report gives a valuable insight into the areas of focus for the Office of the Data Protection Commissioner (“ODPC”).
In 2015, the ODPC dealt with 14,427 queries, an increase of 6.87% from 13,500 queries in 2014.
The ODPC also received 932 complaints in 2015 which were opened for investigation.
This compares with 960 complaints in 2014, a decrease of 2.92%.
While the vast majority of complaints were resolved amicably, the ODPC made formal decisions in 52 cases and the complaint was upheld in 43 of those decisions.
As has been the case for the last number of years, the largest single category of complaints related to data access requests, which accounted for 62% of the complaints made.
A data breach notification is a notification by a data controller to the ODPC informing them that the data controller’s security has been breached and/or data has been compromised.
In 2015, the ODPC received a total of 2,376 data-breach notifications.
This is an increase of 4.95% on the previous year.
At present, only telecommunications and internet service providers have a legal obligation to notify the ODPC of a data-security breach although a Code of Practice introduced in 2011 sets out a number of recommendations for breach notifications to the ODPC.
It is of interest that in 2015, the highest category of data breaches (54%) reported under the Code of Practice was unauthorised disclosures such as postal and electronic disclosures, the majority of which occurred in the financial sector.
Only 0.12% of the valid breach notifications were in relation to database hacking incidents or credit card scraping.
This demonstrates the importance of implementation of data breach policies and training for staff, so that there is awareness of the types of incidents which might constitute a breach and may need referral to the DPC.
In 2015, the ODPC carried out 51 audits and inspections.
Interestingly, just under half of these were ‘unscheduled inspections’ carried out under section 24 of the DPA.
Unscheduled inspections arise from specific complaints made to the ODPC and the investigated data controller may be subject to an unannounced inspection or may be given advance notice.
Some of the issues identified in the 2015 audits include:
* Lack of data retention policy
* Issues around CCTV usage including lack of signage and policy and excessive use
* Lack of audit trails by organisations to guard against inappropriate access
* Poor call handling procedures
* Lack of clarity in relation to data controller / data processor contracts
* Clear identification of the data controller where a debt collector has been engaged
* Excessive use of biometric time and attendance systems.
In 2015, the ODPC engaged with technology multinationals, including Facebook, Google, LinkedIn, Microsoft and AirBnB in relation to existing and proposed features of their respective websites, e.g. management of ‘cookies’, online behavioural advertising, computer-automated ‘tagging’ of photos and general management of privacy details.
The ODPC also engaged with a number of multinationals on their use of Binding Corporate Rules.
These define an organisation’s global policy with regard to the international transfer of personal data within the same corporate group to entities located in countries which do not provide an adequate level of data protection.
Providing a clear incentive for organisations to sharpen their focus on data protection compliance, the DPC notes that her office does not replace the requirement for organisations to procure their own expert advice and build their own capability to manage and drive compliance.
The Annual Report also emphasises that the GDPR will explicitly put back onto organisations the clear obligation to properly organise themselves and their activities to ensure they are adequately protecting the individual’s fundamental right to privacy.
With the approach of the GDPR in May 2018, organisations are advised to begin auditing their internal data management practices and procedures to position themselves to implement the changes under the GDPR.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=99747384af&e=20056c7556
Okta research says slow tech upgrades put companies at risk
Security company Okta claimed today that while most organisations fundamentally believe connecting people to the best technology is vital to business productivity, many struggle to achieve agility in this side of the business due to traditional on-premises security restrictions.
The paper showed that failing to adapt and upgrade security tools is putting organisations at risk – 65 percent of respondents think that a data breach will happen within the next 12 months if they do not upgrade legacy security solutions in time.
The research also showed that organisations are unsure if security is enabling or compromising productivity and agility: just over half (52 percent) said that their current security solutions compromise productivity, while 48 percent believe their security measures enable the organisation to adopt best of breed solutions that enable productivity and agility.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=da8819c064&e=20056c7556
Endpoint Advanced Protection: The State of the Endpoint Security Union
We have seen plenty of innovation. But the more things change, the more they stay the same.
It’s a different day, but security professionals will still be spending a portion of it cleaning up compromised endpoints.
That hasn’t changed. At all.
The security industry also faces the intractable security skills shortage.
As mentioned above, granular endpoint telemetry doesn’t really help if you don’t have staff who understand what the data means, or how similar attacks can be prevented.
And most organizations don’t have that skill set in-house.
Finally, users are still users, so they continue to click on things.
Basically until you take away the computers. It is really the best of times and the worst of times.
But if you ask most security folks, they’ll tell you it’s the worst.
We need to isolate the fundamental reason it’s so hard to protect endpoints.
Is it that our ideas of how are wrong? Or is the technology not good enough?
Or have adversaries changed so dramatically that all the existing ways to do endpoint security (or security in general) need to be tossed out?
Fortunately technology which can help has existed for a few years.
It’s just that not enough organizations have embraced the new endpoint protection methods.
And many of the same organizations continue to be operationally challenged in security, which doesn’t help – you’re pretty well stuck if you cannot keep devices patched, or take too long to figure out someone is running a remote access trojan on your endpoints (and networks).
So in this Endpoint Advanced Protection series, we will revisit and update the work we did a few years ago in Advanced Endpoint and Server Protection.
We will discuss the endpoint advanced protection lifecycle, which includes gaining visibility, reducing attack surface, preventing threats, detecting malicious activity, investigating and responding to attacks, and remediation.
We would like to thank Check Point, who has agreed to potentially license this content when we finish developing it.
Through our licensees we can offer this research for a good [non-]price, and have the freedom to make Animal House references in our work.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8d6b9253e3&e=20056c7556
Why a security team embraces shadow IT
When you hear the phrase “getting ahead of shadow IT,” it typically comes from a CIO who is implementing new technologies so that employees won’t take it upon themselves to purchase tools.
But you don’t expect such proactive practices from an enterprise’s information security team, which a CIO often enlists to place a moat around corporate assets.
Mike Bartholomy takes a different tack at Western Union.
The financial services firm’s senior manager for information security says that companies that try to block everything may see it backfire. “What we’ve seen happen in other organizations is that when you take something away that is a great enablement tool that may be moderately risky, you run the risk of pushing users towards something that is very risky,” Bartholomy says.
Western Union has developed its own system to protect and serve its workforce.
The Western Union information security enablement (WISE) program is designed to give its 10,000 employees the technologies they need to get their jobs done while ensuring that corporate data is secure.
Under the purview of CIO David Thompson, Bartholomy and the rest of the information security team enjoy the unusual privilege of evaluating and implementing cloud solutions. “Not too many information security organizations have integrated a social intranet and collaboration tool enterprise-wide,” Bartholomy says.
Those tools include Okta single sign-on software and enterprise social offerings from Jive Software.
But its latest project, a corporate-wide roll-out of Box as the company’s new enterprise content management system, may be his most ambitious to date.
New solutions tend to come with a steep learning curve, but Box isn’t your enterprise software of yore.
Most employees, particularly millennials who grew up consuming web apps, find it intuitive and easy to use from their desktops and mobile devices.
To be safe, Bartholomy worked with Box to create video tutorials and virtual training sessions to help acclimate employees to the technology.
Despite Western Union’s proactive approach to enable end-user computing, shadow IT remains a concern for the company.
Although it does not plan to block all unsanctioned software, it knows exactly what is being used at all times with the help of Skyhigh Networks, a cloud security platform companies license to track what SaaS tools employees are consuming as well as how much data they are generating.
Bartholomy won’t name how many cloud apps employees are using but noted the number is high. “It’s eye opening but also very valuable,” he says.
Bartholomy says the end-user technology unit also works with the broader IT unit on corporate technology strategy, including implementing other cloud solutions, such as Workday.
While the company consumes a lot of cloud software for a financial services firm, it doesn’t adopt cloud casually.
Like any other vendor Western Union works with, SaaS providers go through a risk assessment process to ensure that they meet the company’s rigorous security standards.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a0da638977&e=20056c7556
CryptXXX Technical Deep Dive
CryptXXX has been notably dropped by Angler and Neutrino exploit kits in recent months and continues to evolve.
This post provides a technical deep dive that discusses CryptXXX’s obfuscation, execution, and evolving cryptographic mechanisms.
We will then discuss AMP ThreatGrid’s detection of this threat.
During the initial analysis of the v2.006 binary we found it peculiar that the entry point being supplied to rundll32.exe did not exist in the packed PE’s export table, yet when we supplied an entry point observed during dynamic analysis (rundll32.exe made a subsequent call into the same DLL with a new entry point) the binary executed properly.
This works because the DLL entry point (DllMain, here the unpacking stub) runs on every load regardless of the export name requested; it can replace the in-memory PE image with the unpacked code, whose export table contains the malicious entry point for the core functionality, which rundll32.exe then looks up and calls.
The following is an example of the packed entry-point “MXS1” being called that was observed during dynamic analysis:
We’ve provided PoC code that decrypts a given file based solely on the last-modified timestamp of the dropped ransom note: it brute-forces SYSTEMTIME.wSecond and SYSTEMTIME.wMilliseconds, generates a key from each candidate, decrypts the first four bytes of the file and compares them with the expected file magic.
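The PoC itself is not reproduced in this digest, so the following is an added example (written for this newsletter; it is not the Talos code and its key schedule is not CryptXXX’s) of the technique the paragraph describes: when a key is derived from the system clock and the ransom note’s mtime fixes every field but the second and millisecond, 60 × 1000 = 60,000 candidates remain, and each can be checked by decrypting only the first bytes of a file and comparing them with its known magic. The LCG-based stream cipher, the seed layout and the sample file are assumptions made for the demonstration.

```python
"""Added example, not the Talos PoC and not CryptXXX's real cipher: brute-forcing
a clock-derived key when only SYSTEMTIME.wSecond and wMilliseconds are unknown,
using a victim file's magic bytes as the known-plaintext check. The key
schedule below is a stand-in LCG stream cipher; the sample file is constructed."""

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def keystream(note_minute, w_second, w_milli, length):
    """Stand-in key derivation (an assumption for this demo): the seed mixes the
    minute of day taken from the ransom note's mtime, which the analyst knows,
    with the second and millisecond, which must be guessed."""
    state = (note_minute * 60 + w_second) * 1000 + w_milli
    out = bytearray()
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF  # 32-bit LCG step
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_bytes(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt(plaintext, note_minute, w_second, w_milli):
    return xor_bytes(plaintext, keystream(note_minute, w_second, w_milli, len(plaintext)))


decrypt = encrypt  # XOR stream cipher: the same operation inverts it


def brute_force(ciphertext, note_minute, magic=PNG_MAGIC):
    """Try every (wSecond, wMilliseconds) pair, 60 * 1000 = 60,000 candidates.
    Only the first len(magic) bytes are decrypted per candidate, so the search
    is cheap; return every pair whose output matches the expected magic."""
    head = ciphertext[:len(magic)]
    hits = []
    for sec in range(60):
        for ms in range(1000):
            if xor_bytes(head, keystream(note_minute, sec, ms, len(head))) == magic:
                hits.append((sec, ms))
    return hits


# Constructed sample: a "PNG" with filler body, encrypted at 09:17:23.611.
NOTE_MINUTE = 9 * 60 + 17            # recovered from the ransom note's mtime
TRUE_SECOND, TRUE_MILLI = 23, 611    # what the analyst does not know
SAMPLE_PLAINTEXT = PNG_MAGIC + b"constructed sample image body " * 4
SAMPLE_CIPHERTEXT = encrypt(SAMPLE_PLAINTEXT, NOTE_MINUTE, TRUE_SECOND, TRUE_MILLI)


if __name__ == "__main__":
    for sec, ms in brute_force(SAMPLE_CIPHERTEXT, NOTE_MINUTE):
        print(f"candidate wSecond={sec} wMilliseconds={ms}")
        print(decrypt(SAMPLE_CIPHERTEXT, NOTE_MINUTE, sec, ms)[:16])
```

The search completes in well under a second in pure Python because each candidate costs one short keystream; a real recovery tool would then decrypt the whole file with the surviving candidate and confirm the result parses as the expected format, since a few magic bytes can in principle match by chance.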
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=40eb9c4bbc&e=20056c7556
At iHT2-Seattle, One CISO Offers a Comprehensive View of the Current IT Security Risk Environment
Cris V. Ewell, Ph.D., CISO at UW Medicine in Seattle, shares his perspectives on the daunting constellation of IT security challenges in the current environment.
Ewell encouraged his audience to think carefully about assets, data, and intelligence, and to focus their efforts thoughtfully and strategically, when it comes to IT and data security in the present environment.
Among the key points he stressed, under the question, “What are some things I can do?” were the following:
> Adopt a repeatable and transparent risk management framework and methodology
> Identify and prioritize assets and related risk-mitigation efforts
> Implement an intelligence program
> Develop aggressive risk transfer strategies
> Minimize the electronic attack surface in one’s organization
> Advance processes around incident response and management
> Ensure that the CISO in the organization has defined accountability and responsibility
A slide in his presentation listed the core elements of a successful risk management program, which he said include the following:
> Concentrate protection efforts across the entire organization
> Be nimble enough to adapt to new threats
> Be risk-based and not compliance-driven
> Involve executive management and the board in your risk management program
One element in all this that is clear, Ewell said, is the need to change thinking and culture around data and IT security. “You cannot do this in a vacuum.
And you need to get executive management and board support” in order to get not only the funding, but also the organizational support, to make IT security strategy work across any patient care organization. “There is risk, and what you need to do is to bring this up to your organization’s board, and ask the board members directly how much risk they’re willing to accept.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=02d8826efd&e=20056c7556
4 Questions the Board Must Ask Its CISO
As CISOs, the most common question we get asked by the board is, “Are we secure?” But there is a fundamental problem with this question.
The same problem exists with the “Are we secure?” question for the board.
It may elicit information, such as the number of vulnerabilities, intrusion attempts, amount of spam received, devices encrypted, etc.
Some of these numbers are in millions and sound impressive, but the answers do not help the board with their responsibility of “making an informed decision.”
So, let’s take a look at what the board must ask instead.
Question # 1: Is There an Information Security Framework in Place?
Question # 2: What is the Scope and Methodology of Risk Assessment?
Question # 3: How Do You Measure the Maturity of Processes That Make Up the InfoSec Program?
Question # 4: What Are We Doing to Respond to a Particular Threat That’s Making Headlines?
Ultimately, these four questions are designed to allow a board to actually understand if the organization is secure and also compare their cybersecurity posture with other companies.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=97a03c1688&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=313ac6613d)
Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)